{
  "total": 1468,
  "controls": [
    {
      "control_id": "GOV-01",
      "title": "Security, Compliance & Resilience Program (SCRP)",
      "family": "GOV",
      "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
      "scf_question": "Does the organization facilitate the implementation of security, compliance and resilience governance controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-01",
        "E-GOV-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Basic procedures are established for important tasks, but are ad hoc and not formally documented.\n▪ The responsibility for developing and operating cybersecurity and data privacy procedures is up to the business process owner(s) to determine, including the definition and enforcement of roles and responsibilities.\n▪ Governance documentation is made available to internal personnel (e.g., policies, standards, procedures, etc.).\n▪ IT/cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel ensure cybersecurity policies and standards are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, NIST 800-171, ISO 27002 or NIST Cybersecurity Framework).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to implement and manage the organization's internal control system.\n▪ Legal representation is consulted on an as-needed basis.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to facilitate the implementation of security, compliance and resilience governance controls.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ SCFConnect (https://scfconnect.com)\n∙ NIST Cybersecurity Framework (CSF) 2.0 (https://www.nist.gov/cyberframework)",
        "small": "∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ SCFConnect (https://scfconnect.com)\n∙ NIST Cybersecurity Framework (CSF) 2.0 (https://www.nist.gov/cyberframework)",
        "medium": "∙ Steering committee\n∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ GRC platform (e.g., OneTrust, ServiceNow GRC, LogicGate)\n∙ Secure Controls Framework (SCF), NIST SP 800-53 Rev 5 and/or ISO 27001:2022 alignment",
        "large": "∙ Steering committee\n∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Secure Controls Framework (SCF), NIST SP 800-53 Rev 5 and/or ISO 27001:2022 alignment",
        "enterprise": "∙ Steering committee\n∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ Enterprise GRC platform (e.g., Cyturus, Archer, MetricStream, ServiceNow IRM)\n∙ Secure Controls Framework (SCF), NIST SP 800-53 Rev 5 and/or ISO 27001:2022 alignment"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.1",
          "CC1.1-POF1",
          "CC1.2",
          "CC2.3-POF5"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.2",
          "4.1.3",
          "7.1",
          "8.1",
          "8.2",
          "8.3"
        ],
        "general-cobit-2019": [
          "EDM01.02",
          "APO01.09",
          "APO04.01",
          "APO13.01",
          "APO13.03"
        ],
        "general-coso-2013": [
          "2",
          "12"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-01",
          "GRC-05"
        ],
        "general-csa-iot-2": [
          "GVN-01",
          "GVN-02"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 1.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5",
          "3.5.3"
        ],
        "general-iso-27001-2022": [
          "4.4",
          "5.1",
          "5.1(a)",
          "5.1(b)",
          "5.1(c)",
          "5.1(d)",
          "5.1(e)",
          "5.1(f)",
          "5.1(g)",
          "5.1(h)",
          "6.1.1",
          "6.1.1(a)",
          "6.1.1(b)",
          "6.1.1(c)",
          "6.1.1(d)",
          "6.1.1(e)(1)",
          "6.1.1(e)(2)",
          "8.1",
          "10.1"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.4",
          "5.37"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "5.1.1",
          "7.2.1",
          "12.1.1"
        ],
        "general-iso-27018-2025": [
          "5.1",
          "5.4",
          "5.37"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "6.1.3(c)",
          "7.5.1"
        ],
        "general-iso-31000-2018": [
          "5.1",
          "5.3"
        ],
        "general-iso-42001-2023": [
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.A",
          "4.B",
          "4.B(1)",
          "4.B(2)",
          "4.B(3)",
          "4.B(4)",
          "4.D(1)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.1",
          "GOVERN 1.2",
          "GV-1.2-002",
          "GV-1.4-001",
          "GV-1.4-002",
          "GOVERN 4.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID-P",
          "ID.BE-P",
          "GV-P",
          "GV.PO-P1",
          "GV.PO-P6",
          "CM-P",
          "CM.PO-P",
          "PR-P",
          "PR.PT-P"
        ],
        "general-nist-800-53-r4": [
          "PM-1"
        ],
        "general-nist-800-53-r5-2": [
          "PM-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-01"
        ],
        "general-nist-800-66-r2": [
          "164.316(a)"
        ],
        "general-nist-800-82-r3": [
          "PM-01"
        ],
        "general-nist-800-82-r3-low": [
          "PM-01"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-01"
        ],
        "general-nist-800-82-r3-high": [
          "PM-01"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a"
        ],
        "general-nist-csf-2-0": [
          "GV",
          "GV.RM-01",
          "GV.RM-03",
          "GV.RR-01",
          "GV.SC",
          "GV.SC-01",
          "GV.SC-03",
          "GV.SC-09",
          "ID.RA",
          "PR",
          "PR.IR"
        ],
        "general-pci-dss-4-0-1": [
          "12.4",
          "A3.1.2"
        ],
        "general-scf-dpmp-2025": [
          "1.0"
        ],
        "general-sparta": [
          "CM0005"
        ],
        "general-tisax-6-0-3": [
          "1.2.1"
        ],
        "general-un-155-2021": [
          "7.2.2.2(a)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(a)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG1",
          "ADM:GG2.GP1",
          "ADM:GG3",
          "AM:GG1",
          "AM:GG2.GP1",
          "AM:GG3",
          "COMM:GG1",
          "COMM:GG2.GP1",
          "COMM:GG3",
          "COMP:GG2.GP1",
          "COMP:GG3",
          "CTRL:GG1",
          "CTRL:GG1.GP1",
          "CTRL:GG2",
          "CTRL:GG2.GP1",
          "CTRL:GG2.GP2",
          "CTRL:GG3",
          "EC:GG1",
          "EC:GG2.GP1",
          "EC:GG3",
          "EF:GG1",
          "EF:GG2.GP1",
          "EF:GG3",
          "EXD:GG1",
          "EXD:GG2.GP1",
          "EXD:GG3",
          "FRM:GG1",
          "FRM:GG2.GP1",
          "FRM:GG3",
          "HRM:GG1",
          "HRM:GG2.GP1",
          "HRM:GG3",
          "ID:GG1",
          "ID:GG2.GP1",
          "ID:GG3",
          "IMC:GG1",
          "IMC:GG2.GP1",
          "IMC:GG3",
          "KIM:GG1",
          "KIM:GG2.GP1",
          "KIM:GG3",
          "MA:GG1",
          "MA:GG2.GP1",
          "MA:GG3",
          "MON:GG1",
          "MON:GG2.GP1",
          "MON:GG3",
          "OPD:GG1",
          "OPD:GG2.GP1",
          "OPD:GG3",
          "OPF:GG1",
          "OPF:GG2.GP1",
          "OPF:GG3",
          "OTA:GG1",
          "OTA:GG2.GP1",
          "OTA:GG3",
          "PM:GG1",
          "PM:GG2.GP1",
          "PM:GG3",
          "RISK:GG1",
          "RISK:GG2.GP1",
          "RISK:GG3",
          "RRD:GG1",
          "RRD:GG2.GP1",
          "RRD:GG3",
          "RRM:GG1",
          "RRM:GG2.GP1",
          "RRM:GG3",
          "RTSE:GG1",
          "RTSE:GG2.GP1",
          "RTSE:GG3",
          "SC:GG1",
          "SC:GG2.GP1",
          "SC:GG3",
          "TM:GG1",
          "TM:GG2",
          "TM:GG2.GP1",
          "TM:GG3",
          "VAR:GG1",
          "VAR:GG2.GP1",
          "VAR:GG3",
          "GG1",
          "GG1.GP1",
          "GG2",
          "GG2.GP1",
          "GG2.GP2",
          "GG3",
          "GG3.GP1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.f"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.PEPAR"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.1",
          "5.1.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "PROGRAM-1f",
          "PROGRAM-1g",
          "PROGRAM-2b",
          "PROGRAM-2i"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(F)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)",
          "609.930(d)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-01"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(2)(ii)",
          "248.201(e)"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.3(a)",
          "314.3(b)(1)",
          "314.3(b)(2)",
          "314.3(b)(3)",
          "314.4(a)",
          "314.4(b)",
          "314.4(c)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)",
          "164.306(a)(2)",
          "164.306(a)(3)",
          "164.316(a)",
          "164.530(c)(1)",
          "164.530(i)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)",
          "164.306(a)(2)",
          "164.306(a)(3)",
          "164.316(a)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-1",
          "PM-1.a",
          "PM-1.a.1",
          "PM-1.a.2",
          "PM-1.a.3",
          "PM-1.a.4",
          "PM-1.b",
          "PM-1.c",
          "PM-1.d"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.4"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)"
        ],
        "usa-federal-law-sox-2002": [
          "404(a)(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(1)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(1)",
          "17.03(1)(a)",
          "17.03(1)(b)",
          "17.03(1)(c)",
          "17.03(1)(d)",
          "17.03(2)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.1"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(a)",
          "500.2(b)",
          "500.2(b)(1)",
          "500.2(b)(2)",
          "500.2(b)(3)",
          "500.2(b)(4)",
          "500.2(b)(5)",
          "500.2(b)(6)",
          "500.2(d)",
          "500.2(e)",
          "500.3(a)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)",
          "899-bb.2(c)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-01"
        ],
        "usa-state-tx-sb2610-2025": [
          "542.004(a)(1)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(a)(1)",
          "2447(a)(1)(A)",
          "2447(a)(1)(B)",
          "2447(a)(1)(C)",
          "2447(a)(1)(D)",
          "2447(b)",
          "2447(c)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.2"
        ],
        "emea-eu-dora-2023": [
          "Article 5.1",
          "Article 9.4",
          "Article 16.1(a)",
          "Article 16.1(b)",
          "Article 16.1(c)",
          "Article 16.1(d)",
          "Article 16.1(e)",
          "Article 16.1(f)",
          "Article 16.1(g)",
          "Article 16.1(h)",
          "Article 16.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(a)",
          "1.1.1(b)",
          "6.7.1"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 9",
          "Sec 9a",
          "Annex"
        ],
        "emea-deu-bsrit-2017": [
          "4.1"
        ],
        "emea-deu-c5-2020": [
          "OIS-01"
        ],
        "emea-grc-pirppd-1997": [
          "10"
        ],
        "emea-hun-isdfi-2011": [
          "7"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "3.2",
          "4.25"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31",
          "33",
          "34",
          "35"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36"
        ],
        "emea-rus-federal-law-27-2006": [
          "7",
          "19"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-2"
        ],
        "emea-sau-ecc-1-2018": [
          "1-2-1",
          "1-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-25"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.1"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "21"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 5",
          "Article 6.1",
          "Article 6.2",
          "Article 13.1",
          "Article 35.1"
        ],
        "emea-esp-decree-311-2022": [
          "13.1",
          "35.1",
          "5",
          "6.1",
          "6.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "6.1 [ORG.1]"
        ],
        "emea-che-fadp-2025": [
          "7"
        ],
        "emea-tur-lppd-2016": [
          "12"
        ],
        "emea-gbr-cap-1850-2020": [
          "A1"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 1",
          "APP Part 11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0888"
        ],
        "apac-aus-ps-cps-234-2019": [
          "13",
          "18",
          "19"
        ],
        "apac-chn-csnip-2012": [
          "4"
        ],
        "apac-chn-pipl-2021": [
          "58",
          "58(1)",
          "58(2)",
          "58(3)",
          "58(4)"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 4"
        ],
        "apac-ind-privacy-rules-2011": [
          "8"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S1",
          "GV.OC.S2",
          "PR.IP.S17"
        ],
        "apac-jpn-ppi-2020": [
          "20"
        ],
        "apac-jpn-ismap": [
          "4.4.1.1",
          "4.4.1.2",
          "4.4.2.1",
          "4.5.4.1",
          "4.5.4.2",
          "4.8.1.1",
          "4.8.2.2",
          "5.1",
          "5.1.1",
          "6.1"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.14.C.01"
        ],
        "apac-phl-dpa-2012": [
          "25",
          "27",
          "28"
        ],
        "apac-sgp-pdpa-2012": [
          "12",
          "24"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "29",
          "30"
        ],
        "apac-twn-pdpa-2025": [
          "27"
        ],
        "americas-bhs-dpa-2003": [
          "6"
        ],
        "americas-bmu-mba-coc-2020": [
          "4",
          "5.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.5",
          "6.6",
          "6.7",
          "6.23"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1.2",
          "1.3.1",
          "2.1.1",
          "3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A"
        ],
        "americas-can-pipeda-2000": [
          "Principle 7"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "19"
        ]
      }
    },
    {
      "control_id": "GOV-01.1",
      "title": "Steering Committee & Program Oversight",
      "family": "GOV",
      "description": "Mechanisms exist to align security, compliance and resilience capabilities with business requirements through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis.",
      "scf_question": "Does the organization align security, compliance and resilience capabilities with business requirements through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-03",
        "E-PRM-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ Organizational leadership maintains an informal process to review and respond to trends.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to align security, compliance and resilience capabilities with business requirements through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Third-party advisors (subject matter experts)\n∙ Virtual CISO (vCISO) service\n∙ Fractional security advisor",
        "small": "∙ Third-party advisors (subject matter experts)\n∙ Virtual CISO (vCISO) service\n∙ Informal security advisory committee",
        "medium": "∙ Steering committee / advisory board\n∙ Quarterly security committee meetings with documented minutes\n∙ Cross-functional representation (IT, Legal, HR, Operations)",
        "large": "∙ Formal steering committee / advisory board\n∙ Documented charter with defined roles and meeting cadence\n∙ Board-level cybersecurity reporting",
        "enterprise": "∙ Formal steering committee / advisory board\n∙ Board-level Cybersecurity Committee or subcommittee\n∙ Chief Information Security Officer (CISO) with board-level access\n∙ Independent security advisor / external audit committee"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2",
          "CC1.2-POF1",
          "CC1.2-POF2",
          "CC1.2-POF3",
          "CC1.2-POF4",
          "CC1.3-POF1",
          "CC1.3-POF3",
          "CC1.5-POF3",
          "CC1.5-POF4",
          "CC1.5-POF5",
          "CC2.2-POF4",
          "CC2.2-POF12",
          "CC2.3-POF3",
          "CC3.1-POF11",
          "CC3.4-POF3",
          "CC4.2",
          "CC4.2-POF1",
          "CC4.2-POF2"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.1",
          "4.1.2",
          "4.3",
          "4.4",
          "7.4",
          "7.5",
          "8.4"
        ],
        "general-cobit-2019": [
          "APO14.01",
          "DSS06.01",
          "MEA01.04",
          "MEA03.02",
          "MEA04.03"
        ],
        "general-coso-2013": [
          "1",
          "2"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3"
        ],
        "general-iso-22301-2019": [
          "5.1",
          "5.1(a)",
          "5.1(b)",
          "5.1(c)",
          "5.1(d)",
          "5.1(e)",
          "5.1(f)",
          "5.1(g)",
          "5.1(h)",
          "9.3.1",
          "9.3.2",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(c)(1)",
          "9.3.2(c)(2)",
          "9.3.2(c)(3)",
          "9.3.2(d)",
          "9.3.2(e)",
          "9.3.2(f)",
          "9.3.2(g)",
          "9.3.2(h)",
          "9.3.2(i)",
          "9.3.2(j)",
          "9.3.2(k)",
          "9.3.3.1",
          "9.3.3.1(a)",
          "9.3.3.1(b)",
          "9.3.3.1(c)",
          "9.3.3.1(d)",
          "9.3.3.2",
          "9.3.3.2(a)",
          "9.3.3.2(b)"
        ],
        "general-iso-27001-2022": [
          "4.4",
          "5.1",
          "5.3",
          "5.3(a)",
          "5.3(b)",
          "9.3.1",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(d)",
          "9.3.2(d)(1)",
          "9.3.2(d)(2)",
          "9.3.2(d)(3)",
          "9.3.2(d)(4)",
          "9.3.2(e)",
          "9.3.2(f)",
          "9.3.2(g)",
          "9.3.3",
          "10.1"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "9.3.1",
          "9.3.2",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(d)",
          "9.3.2(e)",
          "9.3.3"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.2",
          "5.4.3"
        ],
        "general-iso-42001-2023": [
          "9.2.2(c)",
          "9.3.1",
          "9.3.2",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(d)",
          "9.3.2(d)(1)",
          "9.3.2(d)(2)",
          "9.3.2(d)(3)",
          "9.3.2(e)"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.E(1)",
          "4.E(2)",
          "4.E(2)(a)",
          "4.E(2)(b)",
          "4.E(3)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.3",
          "MAP 3.5",
          "MAP 5.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-004"
        ],
        "general-nist-800-171-r3": [
          "03.12.03"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-01",
          "GV.RM-03",
          "GV.RR-01",
          "GV.OV",
          "GV.OV-01",
          "GV.OV-02",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-01",
          "GV.SC-03",
          "GV.SC-09",
          "ID",
          "ID.RA",
          "PR",
          "PR.IR"
        ],
        "general-tisax-6-0-3": [
          "1.2.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG2.GP10",
          "AM:GG2.GP10",
          "COMM:GG2.GP10",
          "COMP:GG2.GP10",
          "CTRL:GG2.GP10",
          "EC:GG2.GP10",
          "EF:SG3",
          "EF:SG4",
          "EF:SG4.SP1",
          "EF:SG4.SP2",
          "EF:GG1.GP1",
          "EF:GG2",
          "EF:GG2.GP2",
          "EF:GG2.GP10",
          "EXD:GG2.GP10",
          "FRM:GG2.GP10",
          "HRM:GG2.GP10",
          "ID:GG2.GP10",
          "IMC:GG2.GP10",
          "KIM:GG2.GP10",
          "MA:GG2.GP10",
          "MON:GG2.GP10",
          "OPD:GG2.GP10",
          "OPF:GG2.GP10",
          "OTA:GG2.GP10",
          "PM:GG2.GP10",
          "RISK:GG2.GP10",
          "RRD:GG2.GP10",
          "RRM:GG2.GP10",
          "RTSE:GG2.GP10",
          "SC:GG2.GP10",
          "TM:GG2.GP10",
          "VAR:GG2.GP10",
          "GG2.GP10"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.PEPAR"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-1f",
          "PROGRAM-2a",
          "PROGRAM-2c",
          "PROGRAM-2d"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(b)(1)",
          "609.930(b)(2)"
        ],
        "usa-federal-sro-finra": [
          "248.201(e)(1)",
          "248.201(e)(2)"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(a)(2)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)",
          "17 CFR 229.106(c)(1)",
          "17 CFR 229.106(c)(2)",
          "17 CFR 229.106(c)(2)(i)",
          "17 CFR 229.106(c)(2)(iii)",
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(1)",
          "500.4(b)(2)",
          "500.4(b)(3)",
          "500.4(b)(4)",
          "500.4(b)(5)",
          "500.4(b)(6)",
          "500.4(d)",
          "500.4(d)(1)",
          "500.4(d)(2)",
          "500.4(d)(3)",
          "500.4(d)(4)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(2)",
          "3.2.1(3)",
          "3.2.1(4)"
        ],
        "emea-eu-dora-2023": [
          "Article 5.2",
          "Article 5.2(a)",
          "Article 5.2(b)",
          "Article 5.2(c)",
          "Article 5.2(d)",
          "Article 5.2(e)",
          "Article 5.2(f)",
          "Article 5.2(g)",
          "Article 5.2(h)",
          "Article 5.2(i)(i)",
          "Article 5.2(i)(ii)",
          "Article 5.2(i)(iii)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(f)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(k)"
        ],
        "emea-deu-bsrit-2017": [
          "1.1",
          "1.2",
          "1.2(a)",
          "1.2(b)",
          "1.2(c)",
          "1.2(d)",
          "1.2(e)",
          "1.2(f)",
          "2.1",
          "2.2",
          "2.3",
          "2.4",
          "2.5"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-4"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.1"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 5",
          "Article 27"
        ],
        "emea-esp-decree-311-2022": [
          "27",
          "5"
        ],
        "emea-gbr-caf-4-0": [
          "A1.a",
          "A1.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1101",
          "1103",
          "1202"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1202"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1101",
          "1103",
          "1202"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1101",
          "1103",
          "1202"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0725"
        ],
        "apac-aus-ps-cps-230-2023": [
          "20",
          "21",
          "22(a)",
          "22(b)",
          "22(c)",
          "23",
          "24",
          "25"
        ],
        "apac-aus-ps-cps-234-2019": [
          "13",
          "19"
        ],
        "apac-ind-dpdpa-2023": [
          "8(6)",
          "18(2)",
          "23(1)",
          "26(a)",
          "26(b)",
          "26(c)",
          "27(1)(a)",
          "27(1)(b)",
          "27(1)(c)",
          "27(1)(d)",
          "27(1)(e)",
          "27(2)",
          "27(3)",
          "28(1)",
          "28(2)",
          "28(3)",
          "28(4)",
          "28(5)",
          "28(6)"
        ],
        "apac-ind-sebi-2024": [
          "GV.OV.S2",
          "GV.RR.S1",
          "GV.RR.S3",
          "GV.RR.S4"
        ],
        "apac-jpn-ismap": [
          "4.4.1.1",
          "4.4.1.3",
          "4.4.5.3",
          "4.5.3.1",
          "4.6.3.1",
          "4.6.3.2",
          "4.6.3.3"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP12",
          "HML12",
          "HML21"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP10",
          "HSUP19"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.9.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.1.1",
          "3.1.2",
          "3.1.3",
          "3.1.4",
          "3.1.5",
          "3.1.6",
          "3.1.7(a)",
          "3.1.7(b)",
          "3.1.7(c)",
          "3.1.7(d)",
          "3.1.7(e)",
          "3.1.7(f)",
          "3.1.7(g)",
          "3.1.8(a)",
          "3.1.8(b)",
          "3.1.8(c)",
          "3.1.8(d)",
          "3.1.8(e)"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.1",
          "5.6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.5",
          "6.6",
          "6.7",
          "6.21",
          "6.22",
          "6.23",
          "6.24"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1.2",
          "1.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.03"
        ]
      }
    },
    {
      "control_id": "GOV-01.2",
      "title": "Status Reporting To Governing Body",
      "family": "GOV",
      "description": "Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's Security, Compliance & Resilience Program (SCRP).",
      "scf_question": "Does the organization provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's Security, Compliance & Resilience Program (SCRP)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-05",
        "E-CPL-09",
        "E-GOV-03",
        "E-GOV-04",
        "E-GOV-05",
        "E-GOV-06",
        "E-GOV-07",
        "E-GOV-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ Organizational leadership maintains an informal process to review and respond to trends.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's Security, Compliance & Resilience Program (SCRP).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Quarterly Business Review (QBR)\n∙ Simple security status dashboard (spreadsheet or slide deck)\n∙ Email status updates to owner/manager",
        "small": "∙ Quarterly Business Review (QBR)\n∙ Structured security metrics report (incidents, patching status, training completion)\n∙ Documented reporting cadence",
        "medium": "∙ Quarterly Business Review (QBR)\n∙ Formal security status reports to leadership\n∙ KPI/KRI dashboard (e.g., Power BI, Tableau, or GRC tool reporting)",
        "large": "∙ Quarterly Business Review (QBR)\n∙ Executive security dashboard with KPIs/KRIs\n∙ Board-level reporting on material risk indicators\n∙ Automated reporting via GRC platform",
        "enterprise": "∙ Quarterly Business Review (QBR)\n∙ Board and audit committee cybersecurity briefings\n∙ Integrated GRC dashboard with real-time metrics\n∙ SEC cybersecurity disclosure-ready reporting processes (if applicable)"
      },
      "risks": [
        "R-AC-1",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF2",
          "CC2.3-POF3",
          "CC2.3-POF5",
          "CC3.1-POF10",
          "CC3.1-POF11",
          "CC4.2",
          "CC4.2-POF1",
          "CC4.2-POF2"
        ],
        "general-bsi-200-1-1-0": [
          "4.3",
          "7.5",
          "8.4"
        ],
        "general-cobit-2019": [
          "BAI01.06"
        ],
        "general-coso-2013": [
          "2"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3"
        ],
        "general-iso-27001-2022": [
          "7.4",
          "7.4(a)",
          "7.4(b)",
          "7.4(c)",
          "7.4(d)",
          "9.1",
          "9.1(a)",
          "9.1(b)",
          "9.1(c)",
          "9.1(d)",
          "9.1(e)",
          "9.1(f)",
          "9.3.1",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(d)",
          "9.3.2(d)(1)",
          "9.3.2(d)(2)",
          "9.3.2(d)(3)",
          "9.3.2(d)(4)",
          "9.3.2(e)",
          "9.3.2(f)",
          "9.3.2(g)",
          "9.3.3"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "5.3(b)",
          "9.3.1"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "6.6"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "9.3.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.3",
          "MAP 3.5"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P6"
        ],
        "general-nist-800-171-r3": [
          "03.12.03"
        ],
        "general-nist-csf-2-0": [
          "GV.OV",
          "GV.OV-01",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-09",
          "ID"
        ],
        "general-scf-dpmp-2025": [
          "11.5",
          "11.8"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "PROGRAM-2g"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(e)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(i)",
          "314.4(i)(1)",
          "314.4(i)(2)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)",
          "17 CFR 229.106(c)(1)",
          "17 CFR 229.106(c)(2)(ii)",
          "17 CFR 229.106(c)(2)(iii)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.4(b)",
          "5.260.4(c)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(c)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(13)(e)",
          "3.3.5(24)"
        ],
        "emea-eu-dora-2023": [
          "Article 5.2(i)",
          "Article 13.5"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.2.3",
          "2.1.1",
          "2.2.1",
          "2.2.2",
          "2.3.3",
          "13.2.2(c)"
        ],
        "emea-deu-bsrit-2017": [
          "3.9",
          "3.11",
          "4.10",
          "7.5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0718"
        ],
        "apac-aus-ps-cps-230-2023": [
          "30",
          "58(a)",
          "58(b)",
          "58(c)"
        ],
        "apac-ind-dpdpa-2023": [
          "10(2)(c)(ii)"
        ],
        "apac-ind-sebi-2024": [
          "GV.OV.S1"
        ],
        "apac-jpn-ismap": [
          "4.6.1.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP46",
          "HHSP75",
          "HML12",
          "HML46",
          "HML75"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP10",
          "HSUP38",
          "HSUP65"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.03"
        ]
      }
    },
    {
      "control_id": "GOV-01.3",
      "title": "Commitment To Continual Improvements",
      "family": "GOV",
      "description": "Mechanisms exist to commit appropriate resources needed for continual improvement of the organization's Security, Compliance & Resilience Program (SCRP), including:\n(1) Staffing;\n(2) Budget;\n(3) Processes; and\n(4) Technologies.",
      "scf_question": "Does the organization commit appropriate resources needed for continual improvement of the organization's Security, Compliance & Resilience Program (SCRP), including:\n(1) Staffing;\n(2) Budget;\n(3) Processes; and\n(4) Technologies?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Organizational leadership maintains an informal process to review and respond to observed trends.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ Appropriate resources needed for continual improvement of the organization's Security, Compliance & Resilience Program (SCRP) are committed, including:\n(1) Staffing;\n(2) Budget;\n(3) Processes; and\n(4) Technologies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document budget/staffing commitments in a written plan",
        "small": "∙ Annual review of security budget and staffing needs\n∙ Written improvement roadmap",
        "medium": "∙ Formal SCRP improvement plan with defined budget\n∙ Annual steering committee review of progress",
        "large": "∙ Formal Security Program roadmap with dedicated budget\n∙ Quarterly steering committee reviews\n∙ KPIs and metrics tracking",
        "enterprise": "∙ Enterprise security program roadmap\n∙ Board-approved cybersecurity budget\n∙ Dedicated GRC team for continual improvement tracking\n∙ Metrics dashboard for program maturity"
      },
      "risks": [
        "R-AC-1",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.3-POF4"
        ],
        "general-bsi-200-1-1-0": [
          "4.4",
          "7.4",
          "7.5",
          "8.4"
        ],
        "general-cobit-2019": [
          "APO14.01"
        ],
        "general-coso-2013": [
          "2"
        ],
        "general-iso-21434-2021": [
          "RQ-05-08"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "9.3.3",
          "10.1"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EF:SG3.SP1",
          "EF:SG3.SP3",
          "EF:SG4.SP3"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(d)",
          "1.1.1(e)"
        ],
        "apac-jpn-ismap": [
          "4.6.1.1",
          "4.6.1.2",
          "4.6.3.3"
        ]
      }
    },
    {
      "control_id": "GOV-02",
      "title": "Publishing Security, Compliance & Resilience Documentation",
      "family": "GOV",
      "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
      "scf_question": "Does the organization establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-08",
        "E-GOV-09",
        "E-GOV-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Basic procedures are established for important tasks, but are ad hoc and not formally documented.\n▪ No formal cybersecurity and/or data protection principles are identified for the organization.\n▪ Informal recommendations are leveraged to update existing policies and standards.\n▪ The responsibility for developing and operating cybersecurity and data privacy procedures is up to the business process owner(s) to determine, including the definition and enforcement of roles and responsibilities.\n▪ Governance documentation is made available to internal personnel (e.g., policies, standards, procedures, etc.).\n▪ People affected by documentation changes are provided notification of the policy and standard changes.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel ensure cybersecurity policies and standards are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, NIST 800-171, ISO 27002 or NIST Cybersecurity Framework).\n▪ The organization's cybersecurity policies and standards are made available to internal personnel.\n▪ Documented procedures exist for requesting a deviation from approved standards.\n▪ The responsibility for enforcing cybersecurity and data protection control implementation is assigned to business / process owners and asset custodians.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ SCFConnect (https://scfconnect.com)\n∙ Shared drive or intranet for policy distribution (e.g., Google Drive, SharePoint Online)",
        "small": "∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ SCFConnect (https://scfconnect.com)\n∙ Document management system (e.g., SharePoint, Confluence, Notion)",
        "medium": "∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ Document management / intranet portal (e.g., SharePoint, Confluence)\n∙ Policy acknowledgement tracking (e.g., KnowBe4, Absorb LMS)",
        "large": "∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ Policy management platform\n∙ Version-controlled policy repository with access controls\n∙ Automated policy attestation and acknowledgement tracking",
        "enterprise": "∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ Enterprise policy management platform\n∙ Integrated GRC policy module with automated review workflows\n∙ Enterprise-wide policy acknowledgement and training integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0",
          "M1.2",
          "M1.2-POF8",
          "D6.1-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1",
          "CC1.4-POF1",
          "CC2.2-POF1",
          "CC2.2-POF7",
          "CC5.3",
          "CC5.3-POF1",
          "CC7.2-POF1",
          "P1.1-POF5"
        ],
        "general-bsi-200-1-1-0": [
          "7.3"
        ],
        "general-cobit-2019": [
          "APO01.09"
        ],
        "general-coso-2013": [
          "12"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-01",
          "AIS-01",
          "BCR-01",
          "CCC-01",
          "CEK-01",
          "DCS-01",
          "DSP-01",
          "GRC-01",
          "IAM-01",
          "IAM-02",
          "IPY-01",
          "I&S-01",
          "LOG-01",
          "SEF-01",
          "SEF-02",
          "STA-01",
          "TVM-01",
          "TVM-02",
          "TVM-04",
          "UEM-01"
        ],
        "general-csa-iot-2": [
          "GVN-01",
          "GVN-02",
          "POL-03"
        ],
        "general-govramp": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-low-plus": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.1",
          "3.5.3.8",
          "3.5.3.9"
        ],
        "general-iso-21434-2021": [
          "RQ-05-01",
          "RQ-05-01(a)",
          "RQ-05-01(b)",
          "RQ-05-02",
          "RQ-05-02(a)",
          "RQ-05-02(b)",
          "RQ-05-03",
          "RQ-05-04",
          "RQ-05-05",
          "RQ-05-05(a)",
          "RQ-05-05(b)"
        ],
        "general-iso-22301-2019": [
          "5.2.1",
          "5.2.1(a)",
          "5.2.1(b)",
          "5.2.1(c)",
          "5.2.1(d)",
          "5.2.2",
          "5.2.2(a)",
          "5.2.2(b)",
          "5.2.2(c)"
        ],
        "general-iso-27001-2022": [
          "5.1(a)",
          "5.2",
          "5.2(a)",
          "5.2(b)",
          "5.2(c)",
          "5.2(d)",
          "5.2(e)",
          "5.2(f)",
          "5.2(g)",
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.2(a)",
          "7.5.2(b)",
          "7.5.2(c)",
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)",
          "7.5.3(c)",
          "7.5.3(d)",
          "7.5.3(e)",
          "7.5.3(f)"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.37"
        ],
        "general-iso-27017-2015": [
          "5.1.1",
          "12.1.1"
        ],
        "general-iso-27018-2025": [
          "5.1",
          "5.37"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "5.2",
          "5.2(a)",
          "5.2(b)",
          "5.2(c)",
          "5.2(d)",
          "6.1.3(c)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3"
        ],
        "general-iso-31000-2018": [
          "5.4.5",
          "6.2"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "5.2",
          "5.2(a)",
          "5.2(b)",
          "5.2(c)",
          "5.2(d)",
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)",
          "A.2",
          "A.2.2",
          "A.2.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.0",
          "GOVERN 1.2",
          "GOVERN 1.3",
          "GOVERN 1.4",
          "GOVERN 3.2",
          "GOVERN 4.1",
          "GOVERN 5.1",
          "GOVERN 6.0",
          "GOVERN 6.1",
          "MAP 3.5"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.5-002"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P1",
          "GV.PO-P",
          "GV.PO-P1",
          "GV.PO-P6",
          "GV.MT-P",
          "GV.MT-P4",
          "GV.MT-P5",
          "GV.MT-P6",
          "GV.MT-P7",
          "CT.PO-P",
          "CT.PO-P1",
          "CT.PO-P2",
          "CT.PO-P3",
          "CM.PO-P1",
          "PR.PO-P",
          "PR.PO-P4"
        ],
        "general-nist-800-37-r2": [
          "TASK P-5"
        ],
        "general-nist-800-53-r4": [
          "PM-1"
        ],
        "general-nist-800-53-r5-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)",
          "164.308(a)(3)",
          "164.308(a)(4)",
          "164.308(a)(6)",
          "164.308(a)(7)",
          "164.310(a)",
          "164.310(b)",
          "164.310(d)",
          "164.312(a)",
          "164.312(c)",
          "164.316(a)",
          "164.316(b)"
        ],
        "general-nist-800-82-r3": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-161-r1": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-1",
          "IR-1",
          "MA-1",
          "PS-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "PE-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a"
        ],
        "general-nist-800-171a": [
          "3.4.9[a]",
          "3.9.2[a]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.01.a[01]",
          "A.03.15.01.a[02]",
          "A.03.15.01.a[03]",
          "A.03.15.01.a[04]"
        ],
        "general-nist-csf-2-0": [
          "GV.PO",
          "GV.PO-01",
          "GV.SC-01",
          "GV.SC-03",
          "ID.RA"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "3.7.8",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "8.1.1",
          "8.3.8",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.1.1",
          "8.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.1.1",
          "3.1.1",
          "5.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.1.1",
          "3.1.1",
          "8.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "3.7.8",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "3.7.8",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "3.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-scf-dpmp-2025": [
          "11.2"
        ],
        "general-sparta": [
          "CM0088"
        ],
        "general-tisax-6-0-3": [
          "1.1.1",
          "1.5.1",
          "7.1.1",
          "9.1.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.WE.ACONT",
          "3.UNI.IDMRP",
          "3.UNI.PEPAR",
          "3.UNL.GPAUD"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-5c",
          "THREAT-3c",
          "RISK-5c",
          "ACCESS-4c",
          "SITUATION-4c",
          "RESPONSE-5c",
          "THIRD-PARTIES-3c",
          "WORKFORCE-5c",
          "ARCHITECTURE-6c",
          "PROGRAM-3c"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.1.1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(5)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(1)",
          "248.30(a)(2)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)",
          "314.4(c)(8)",
          "314.4(e)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(d)",
          "155.260(d)(1)",
          "155.260(d)(2)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(3)(i)",
          "164.308(a)(4)(i)",
          "164.308(a)(4)(ii)(A)",
          "164.308(a)(6)(i)",
          "164.308(a)(7)(i)",
          "164.310(a)(1)",
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iv)",
          "164.310(b)",
          "164.310(d)(1)",
          "164.310(d)(2)(i)",
          "164.312(a)(1)",
          "164.312(c)(1)",
          "164.316(a)",
          "164.316(b)(1)(i)",
          "164.530(j)(1)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(3)(i)",
          "164.308(a)(4)(i)",
          "164.308(a)(4)(ii)(A)",
          "164.308(a)(6)(i)",
          "164.308(a)(7)(i)",
          "164.310(a)(1)",
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iv)",
          "164.310(b)",
          "164.310(d)(1)",
          "164.310(d)(2)(i)",
          "164.312(a)(1)",
          "164.312(c)(1)",
          "164.316(a)",
          "164.316(b)(1)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.2",
          "2.C.2-1",
          "2.C.2-2",
          "2.C.2-3",
          "2.C.2-4",
          "2.C.2-5",
          "2.C.2-6",
          "2.C.2-7",
          "2.C.2-8",
          "2.C.2-9",
          "2.C.2-10",
          "2.C.2-11",
          "2.C.2-12",
          "2.C.2-13",
          "2.C.2-14",
          "2.C.2-15",
          "2.C.2-16",
          "2.C.2-17",
          "2.C.2-18",
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PM-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-1",
          "AC-1.a",
          "AT-1",
          "AT-1.a",
          "AT-1.c",
          "AT-1.d",
          "AU-1",
          "AU-1.a",
          "CA-1",
          "CA-1.a",
          "CA-1.c",
          "CM-1",
          "CM-1.a",
          "CP-1",
          "CP-1.a",
          "IA-1",
          "IA-1.a",
          "IR-1",
          "IR-1.a",
          "MA-1",
          "MA-1.a",
          "MP-1",
          "MP-1.a",
          "MP-1-IS.1",
          "PE-1",
          "PE-1.a",
          "PL-1",
          "PL-1.a",
          "PS-1",
          "PS-1.a",
          "RA-1",
          "SA-1",
          "SA-1.a",
          "SC-1",
          "SC-1.a",
          "SI-1",
          "SI-1.a",
          "PM-1"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)(1)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "13-2.b(2)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B",
          "III.B.1.d",
          "III.C.1",
          "III.C.1.a",
          "III.C.1.b",
          "III.C.3",
          "III.D"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(1)"
        ],
        "usa-state-il-ipa-2009": [
          "35(a)",
          "37(a)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(1)",
          "17.03(2)(c)",
          "17.04"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.6"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(2)",
          "500.3",
          "500.3(a)",
          "500.3(b)",
          "500.3(c)",
          "500.3(d)",
          "500.3(e)",
          "500.3(f)",
          "500.3(g)",
          "500.3(h)",
          "500.3(i)",
          "500.3(j)",
          "500.3(k)",
          "500.3(l)",
          "500.3(m)",
          "500.3(n)",
          "500.3(o)",
          "500.5",
          "500.7(b)",
          "500.8(a)",
          "500.11(a)",
          "500.13(a)",
          "500.14(a)(1)",
          "500.15(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-01",
          "AC-18-SID",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-state-tx-sb820-2019": [
          "11.175(b)",
          "11.175(b)(1)",
          "11.175(b)(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.1(28)",
          "3.4.1(29)",
          "3.4.5(38)"
        ],
        "emea-eu-dora-2023": [
          "Article 6.2",
          "Article 9.4(a)",
          "Article 9.4(d)",
          "Article 9.4(e)",
          "Article 9.4(f)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 24.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(f)",
          "1.1.1(i)",
          "1.1.1(k)",
          "5.1.6",
          "7.1",
          "9.1",
          "11.1.1"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "4.2",
          "4.3",
          "4.8"
        ],
        "emea-deu-c5-2020": [
          "OIS-01",
          "OIS-02",
          "SP-01"
        ],
        "emea-isr-cmo-1-0": [
          "1.1",
          "4.1",
          "4.25",
          "5.2",
          "5.3",
          "9.1",
          "10.1",
          "11.2",
          "12.1",
          "13.1",
          "14.1",
          "15.1",
          "17.1",
          "18.1",
          "20.1",
          "21.1",
          "22.1",
          "24.1",
          "25.1"
        ],
        "emea-nga-dpr-2019": [
          "4.1(1)"
        ],
        "emea-qat-pdppl-2020": [
          "8.4"
        ],
        "emea-sau-cgiot-2024": [
          "1-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-3-1",
          "1-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1",
          "1-1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-25"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.3"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 12.1",
          "Article 12.1(a)",
          "Article 12.1(b)",
          "Article 12.1(c)",
          "Article 12.1(d)",
          "Article 12.1(e)",
          "Article 12.1(f)",
          "Article 12.2",
          "Article 12.6",
          "Article 12.6(a)",
          "Article 12.6(b)",
          "Article 12.6(c)",
          "Article 12.6(d)",
          "Article 12.6(e)",
          "Article 12.6(f)",
          "Article 12.6(g)",
          "Article 12.6(h)",
          "Article 12.6(i)",
          "Article 12.6(j)",
          "Article 12.6(k)",
          "Article 12.6(l)",
          "Article 12.6(m)",
          "Article 12.6(n)",
          "Article 12.6(ñ)",
          "Article 12.7"
        ],
        "emea-esp-decree-311-2022": [
          "12.1",
          "12.1(a)",
          "12.1(b)",
          "12.1(c)",
          "12.1(d)",
          "12.1(e)",
          "12.1(f)",
          "12.2",
          "12.6",
          "12.6(a)",
          "12.6(b)",
          "12.6(c)",
          "12.6(d)",
          "12.6(e)",
          "12.6(f)",
          "12.6(g)",
          "12.6(h)",
          "12.6(i)",
          "12.6(j)",
          "12.6(k)",
          "12.6(l)",
          "12.6(m)",
          "12.6(n)",
          "12.6(ñ)",
          "12.7"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "6.1 [ORG.1]",
          "6.2 [ORG.2]"
        ],
        "emea-gbr-caf-4-0": [
          "A1",
          "B1",
          "B1.b"
        ],
        "emea-gbr-cap-1850-2020": [
          "A1",
          "A5"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1100",
          "1101",
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1100",
          "2100"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1100",
          "1101",
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1100",
          "1101",
          "2100",
          "2101"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0047",
          "ISM-0888",
          "ISM-1478",
          "ISM-1551",
          "ISM-1602",
          "ISM-1784",
          "ISM-1785"
        ],
        "apac-aus-ps-cps-234-2019": [
          "18",
          "19"
        ],
        "apac-ind-sebi-2024": [
          "GV.PO.S1"
        ],
        "apac-jpn-ismap": [
          "4.4.5.1",
          "4.4.5.3",
          "4.5.2.1",
          "4.8.2.1",
          "5",
          "5.1.1",
          "5.1.1.1",
          "5.1.1.8",
          "5.1.1.21",
          "6",
          "6.2.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HML01",
          "HHSP01"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS02"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP01"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.7.C.01",
          "5.1.14.C.01",
          "5.1.16.C.01",
          "5.1.16.C.02",
          "5.1.17.C.01",
          "5.1.18.C.01",
          "5.1.19.C.01",
          "5.1.20.C.01",
          "5.1.20.C.02",
          "5.2.3.C.01",
          "5.2.3.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.2.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.1",
          "6.3"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-02.1",
      "title": "Exception Management",
      "family": "GOV",
      "description": "Mechanisms exist to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded.",
      "scf_question": "Does the organization prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-18"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data privacy governance practices are informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manual exception management process\n∙ Documented exception request form (Word/PDF template)\n∙ SCFConnect (https://scfconnect.com)",
        "small": "∙ Manual exception management process\n∙ Formalized exception request and approval workflow\n∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "medium": "∙ Documented exception management process with approval authority matrix\n∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Risk acceptance tracking with time-bound exceptions",
        "large": "∙ Formal exception management program with defined risk acceptance criteria\n∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Time-limited exceptions with mandatory compensating controls\n∙ Periodic exception review and recertification process",
        "enterprise": "∙ Enterprise exception management program integrated with GRC platform\n∙ Automated exception workflows with defined approval chains\n∙ Exception-to-risk register linkage with ongoing monitoring\n∙ Audit-ready exception documentation and closure tracking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS06.04"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-08",
          "GRC-04"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-07"
        ],
        "general-tisax-6-0-3": [
          "1.5.1"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.3.7",
          "2.7.3"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(d)(3)(ii)(B)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(d)(3)(ii)(B)(1)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.1",
          "III.C.1.b",
          "III.C.3"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(3)",
          "500.12(b)",
          "500.15(b)"
        ],
        "apac-ind-sebi-2024": [
          "GV.PO.S3"
        ],
        "apac-jpn-ismap": [
          "5.1.1.7"
        ]
      }
    },
    {
      "control_id": "GOV-03",
      "title": "Periodic Review & Update of Security, Compliance & Resilience Program",
      "family": "GOV",
      "description": "Mechanisms exist to review the Security, Compliance & Resilience Program (SCRP), including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.",
      "scf_question": "Does the organization review the Security, Compliance & Resilience Program (SCRP), including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel perform an annual documentation review process that includes the scope of applicable statutory, regulatory and/or contractual obligations.\n▪ Recommendations for documentation edits are submitted for review and are handled in accordance with documentation change control processes.\n▪ Updated documentation versions are published, based on no less than an annual review cycle.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to  review the Security, Compliance & Resilience Program (SCRP), including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Annual human reviews of policies and procedures\n∙ Documentation change control (version history in document)\n∙ Calendar reminders for review cycles",
        "small": "∙ Annual human reviews with documented review log\n∙ Documentation change control with version history\n∙ Defined policy review and approval process",
        "medium": "∙ Documented review cycle (minimum annual) with ownership assignment\n∙ Change control process with approval workflows\n∙ Document management system with review reminders (e.g., SharePoint, PolicyTech)",
        "large": "∙ Formalized policy lifecycle management (create, review, retire)\n∙ Automated review reminders via policy management platform\n∙ GRC-integrated documentation change control\n∙ Triggered reviews for significant regulatory or organizational changes",
        "enterprise": "∙ Enterprise policy lifecycle management integrated with GRC platform\n∙ Automated review workflows with escalation paths\n∙ Regulatory change monitoring integrated with policy review triggers\n∙ Audit-ready documentation of all policy changes and approvals"
      },
      "risks": [
        "R-AC-1",
        "R-BC-4",
        "R-BC-5",
        "R-EX-2",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-3",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF5",
          "M1.3-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.2-POF7",
          "CC5.3",
          "CC5.3-POF6"
        ],
        "general-bsi-200-1-1-0": [
          "7.3"
        ],
        "general-cobit-2019": [
          "EDM01.01",
          "EDM01.03",
          "EDM05.01",
          "APO02.02",
          "APO14.01",
          "MEA03.02"
        ],
        "general-coso-2013": [
          "12"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-01",
          "AIS-01",
          "BCR-01",
          "CCC-01",
          "CEK-01",
          "DCS-01",
          "GRC-03",
          "IAM-01",
          "IAM-02",
          "IPY-01",
          "I&S-01",
          "LOG-01",
          "SEF-01",
          "SEF-02",
          "STA-01",
          "TVM-01",
          "TVM-02",
          "TVM-04",
          "UEM-01"
        ],
        "general-govramp": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-low-plus": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-iso-27001-2022": [
          "7.5.2",
          "7.5.2(a)",
          "7.5.2(b)",
          "7.5.2(c)"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.37"
        ],
        "general-iso-27017-2015": [
          "5.1.1",
          "5.1.2",
          "12.1.1"
        ],
        "general-iso-27018-2025": [
          "5.1",
          "5.37"
        ],
        "general-iso-42001-2023": [
          "7.5.2",
          "A.2.4"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.MT-P2"
        ],
        "general-nist-800-53-r4": [
          "PM-1"
        ],
        "general-nist-800-53-r5-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-66-r2": [
          "164.316(b)"
        ],
        "general-nist-800-82-r3": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-low": [
          "AC-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-high": [
          "AC-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-161-r1": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-1",
          "IR-1",
          "MA-1",
          "PS-1",
          "PT-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "PE-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.b",
          "03.15.03.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.01.ODP[01]",
          "A.03.15.01.b[01]",
          "A.03.15.01.b[02]"
        ],
        "general-nist-csf-2-0": [
          "GV.PO-02",
          "GV.OV",
          "GV.OV-01",
          "GV.OV-02"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "8.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.1.1",
          "8.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.1.1",
          "3.1.1",
          "5.1.1",
          "8.1.1",
          "9.1.1",
          "10.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.1.1",
          "3.1.1",
          "8.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "3.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-scf-dpmp-2025": [
          "11.3"
        ],
        "general-tisax-6-0-3": [
          "1.5.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "PROGRAM-1h"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(b)",
          "314.4(g)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(5)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.316(b)(1)(ii)",
          "164.316(b)(2)(iii)",
          "164.530(i)(2)(i)",
          "164.530(i)(2)(ii)",
          "164.530(i)(2)(iii)",
          "164.530(i)(3)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.316(b)(1)(ii)",
          "164.316(b)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PM-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "PM-1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-002-5.1a 2.1",
          "CIP-002-5.1a 2.2",
          "CIP-003-8 R1"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.8(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(A)(6)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(8)(B)",
          "2447(b)(9)",
          "2447(b)(9)(A)",
          "2447(b)(9)(B)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(14)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.2",
          "2.3.1",
          "5.1.6",
          "6.7.3"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "4.2",
          "4.8"
        ],
        "emea-deu-c5-2020": [
          "OIS-01",
          "SP-02"
        ],
        "emea-isr-cmo-1-0": [
          "1.1",
          "5.2",
          "9.1",
          "10.1",
          "11.2",
          "13.1",
          "14.1",
          "15.1",
          "17.1",
          "18.1",
          "21.1",
          "22.1",
          "24.1",
          "25.1"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-4",
          "1-2-3",
          "1-4-6",
          "1-8-3"
        ],
        "emea-sau-ecc-1-2018": [
          "1-1-3",
          "1-3-4",
          "1-6-4",
          "1-9-6",
          "1-10-5",
          "2-2-4",
          "2-3-4",
          "2-4-4",
          "2-5-4",
          "2-6-4",
          "2-7-4",
          "2-8-4",
          "2-9-4",
          "2-10-4",
          "2-11-4",
          "2-12-4",
          "2-13-4",
          "2-14-4",
          "2-15-4",
          "3-1-4",
          "4-1-4",
          "4-2-4",
          "5-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1-3"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 27"
        ],
        "emea-esp-decree-311-2022": [
          "27"
        ],
        "emea-gbr-caf-4-0": [
          "B1.a"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2100"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2100",
          "2101"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1617"
        ],
        "apac-aus-ps-cps-234-2019": [
          "19"
        ],
        "apac-ind-sebi-2024": [
          "GV.PO.S2",
          "GV.PO.S3",
          "GV.PO.S4"
        ],
        "apac-jpn-ismap": [
          "4.5.3.1",
          "4.7.1.5",
          "4.8.2.1",
          "5.1.1",
          "5.1.2",
          "5.1.2.2",
          "5.1.2.3",
          "5.1.2.4"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP67",
          "HML66"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP58"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.14.C.01",
          "5.1.21.C.01",
          "5.1.21.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.2.2"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.B",
          "03.15.03.D"
        ]
      }
    },
    {
      "control_id": "GOV-04",
      "title": "Assigned Security, Compliance & Resilience Responsibilities",
      "family": "GOV",
      "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
      "scf_question": "Does the organization assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-01",
        "E-HRS-05",
        "E-HRS-06",
        "E-HRS-07",
        "E-HRS-08",
        "E-HRS-09",
        "E-HRS-10",
        "E-HRS-13",
        "E-HRS-15"
      ],
      "pptdf": "People",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data protection program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).\n▪ The individual assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data protection program develops plans to implement the organization's security, compliance and resiliency-related objectives.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ A qualified individual is assigned the role and responsibilities to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP) (e.g., cybersecurity director or Chief Information Security Officer (CISO)).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Third-party advisors (e.g., virtual CISO (vCISO), Managed Security Services Provider (MSSP))\n∙ Designated internal security point of contact\n∙ vCISO services (e.g., Truvantis, private vCISO firms)",
        "small": "∙ Third-party advisors (e.g., virtual CISO (vCISO), Managed Security Services Provider (MSSP))\n∙ Part-time or shared security manager\n∙ vCISO services with defined scope and deliverables",
        "medium": "∙ Dedicated Information Security Manager (ISM) or fractional CISO\n∙ Chief Information Security Officer (CISO) or equivalent role\n∙ Defined Information Security Management System (ISMS) ownership",
        "large": "∙ Chief Information Security Officer (CISO) with defined authority and budget\n∙ Security leadership team (CISO, DPO, IAM lead, etc.)\n∙ Security organizational structure with clear reporting lines",
        "enterprise": "∙ Chief Information Security Officer (CISO) with C-suite authority and board access\n∙ Security leadership organization (CISO, Deputy CISO, DPO, domain leads)\n∙ Security Center of Excellence (CoE)\n∙ Defined succession planning for key security roles"
      },
      "risks": [
        "R-AC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.1",
          "CC1.3",
          "CC5.3-POF2"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.1",
          "4.1.6",
          "7.2"
        ],
        "general-cobit-2019": [
          "APO01.05"
        ],
        "general-coso-2013": [
          "1",
          "3",
          "5"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-06"
        ],
        "general-csa-iot-2": [
          "GVN-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3",
          "3.5.1.1",
          "3.5.1.2"
        ],
        "general-iso-22301-2019": [
          "5.3"
        ],
        "general-iso-27001-2022": [
          "5.1(f)",
          "5.1(h)",
          "5.3",
          "5.3(a)",
          "5.3(b)"
        ],
        "general-iso-27002-2022": [
          "5.2"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "6.1",
          "6.1.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.2",
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "5.3",
          "5.3(a)"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.3"
        ],
        "general-iso-42001-2023": [
          "5.3",
          "5.3(a)",
          "5.3(b)",
          "A.3.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(1)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "GOVERN 2.1",
          "GOVERN 2.3",
          "GOVERN 5.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P3",
          "CM.PO-P2"
        ],
        "general-nist-800-37-r2": [
          "TASK P-1"
        ],
        "general-nist-800-53-r4": [
          "PL-9",
          "PM-2",
          "PM-6"
        ],
        "general-nist-800-53-r5-2": [
          "PL-09",
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(2)"
        ],
        "general-nist-800-82-r3": [
          "PL-09",
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-82-r3-low": [
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-82-r3-high": [
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-161-r1": [
          "PL-9",
          "PM-2",
          "PM-6",
          "PM-29"
        ],
        "general-nist-800-161-r1-level-1": [
          "PL-9",
          "PM-2",
          "PM-6",
          "PM-29"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-9",
          "PM-2",
          "PM-6"
        ],
        "general-nist-800-218": [
          "PO.2.3"
        ],
        "general-nist-csf-2-0": [
          "GV.RM",
          "GV.RM-05",
          "GV.RR-01",
          "GV.RR-02"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "4.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.1.4",
          "12.4",
          "A3.1.1",
          "A3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.1.3",
          "12.1.4"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "4.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.1.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.1.4"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.1.3"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "1.2.2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.B",
          "1.C"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-9"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-5d",
          "THREAT-3d",
          "RISK-5d",
          "ACCESS-4d",
          "SITUATION-4d",
          "RESPONSE-5d",
          "THIRD-PARTIES-3d",
          "WORKFORCE-5d",
          "ARCHITECTURE-6d",
          "PROGRAM-2e",
          "PROGRAM-3d"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(b)(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(a)",
          "314.4(a)(1)",
          "314.4(a)(2)",
          "314.4(a)(3)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-2",
          "PM-29"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-2",
          "PM-6"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 R4"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(ii)",
          "17 CFR 229.106(c)(1)",
          "17 CFR 229.106(c)(2)(i)",
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(3)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(a)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.5(a)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(a)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(A)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-02",
          "PM-02-SID",
          "PM-06"
        ],
        "usa-state-tx-sb820-2019": [
          "11.175(d)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(1)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(m)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(11)",
          "3.3.1(12)",
          "3.7.5(91)"
        ],
        "emea-eu-dora-2023": [
          "Article 5.2",
          "Article 5.2(a)",
          "Article 5.2(b)",
          "Article 5.2(c)",
          "Article 5.2(d)",
          "Article 5.2(e)",
          "Article 5.2(f)",
          "Article 5.2(g)",
          "Article 5.2(h)",
          "Article 5.2(i)(i)",
          "Article 5.2(i)(ii)",
          "Article 5.2(i)(iii)",
          "Article 5.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(g)",
          "1.2.1",
          "1.2.4"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "4.4",
          "4.5",
          "4.6"
        ],
        "emea-deu-c5-2020": [
          "OIS-03"
        ],
        "emea-sau-ecc-1-2018": [
          "1-2-2",
          "1-4-1",
          "1-4-2",
          "1-5-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-2",
          "1-2-1-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.4"
        ],
        "emea-gbr-caf-4-0": [
          "A1.b",
          "A1.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1102",
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1102"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1102",
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1102",
          "1103"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0714",
          "ISM-0717",
          "ISM-0720",
          "ISM-0724",
          "ISM-0725",
          "ISM-0726",
          "ISM-0731",
          "ISM-0732",
          "ISM-0733",
          "ISM-0734",
          "ISM-0735"
        ],
        "apac-aus-ps-cps-230-2023": [
          "21",
          "24"
        ],
        "apac-aus-ps-cps-234-2019": [
          "14",
          "19"
        ],
        "apac-chn-data-security-law-2021": [
          "45",
          "46"
        ],
        "apac-chn-pipl-2021": [
          "52"
        ],
        "apac-ind-dpdpa-2023": [
          "19(3)"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S1",
          "GV.RR.S2",
          "GV.RR.S3"
        ],
        "apac-jpn-ismap": [
          "4.4.1.2",
          "5.1.1.6",
          "5.1.2.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP21",
          "HHSP27",
          "HML21",
          "HML27"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP19",
          "HSUP23"
        ],
        "apac-nzl-ism-3-9": [
          "3.1.8.C.01",
          "3.1.8.C.02",
          "3.1.8.C.03",
          "3.1.9.C.01",
          "3.2.8.C.01",
          "3.2.8.C.02",
          "3.2.8.C.03",
          "3.2.8.C.04",
          "3.2.8.C.05",
          "3.2.9.C.01",
          "3.2.10.C.01",
          "3.2.10.C.02",
          "3.2.10.C.03",
          "3.2.10.C.04",
          "3.2.11.C.01",
          "3.2.11.C.02",
          "3.2.11.C.03",
          "3.2.12.C.01",
          "3.2.12.C.02",
          "3.2.12.C.03",
          "3.2.13.C.01",
          "3.2.13.C.02",
          "3.2.14.C.01",
          "3.2.15.C.01",
          "3.2.16.C.01",
          "3.2.17.C.01",
          "3.2.18.C.01",
          "3.2.19.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.1.7(a)",
          "3.1.7(b)",
          "3.1.7(c)",
          "3.1.7(d)",
          "3.1.7(e)",
          "3.1.7(f)",
          "3.1.7(g)",
          "3.1.8(a)",
          "3.1.8(b)",
          "3.1.8(c)",
          "3.1.8(d)",
          "3.1.8(e)"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.1",
          "1.2",
          "6.2"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1",
          "1.1.1",
          "1.1.2"
        ]
      }
    },
    {
      "control_id": "GOV-04.1",
      "title": "Stakeholder Accountability Structure",
      "family": "GOV",
      "description": "Mechanisms exist to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks.",
      "scf_question": "Does the organization enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented roles and responsibilities (RACI matrix or equivalent)\n∙ Job descriptions with security duties clearly defined",
        "small": "∙ Documented RACI matrix for cybersecurity responsibilities\n∙ Formal security role assignments in job descriptions\n∙ Access control aligned to defined roles",
        "medium": "∙ Documented RACI matrix for cybersecurity responsibilities\n∙ Role-based accountability framework\n∙ Performance metrics tied to security responsibilities",
        "large": "∙ Formal accountability framework (RACI/RASCI) maintained in GRC platform\n∙ Security role definitions with measurable performance criteria\n∙ Control ownership assigned and tracked in GRC platform",
        "enterprise": "∙ Enterprise accountability framework integrated with GRC and HR systems\n∙ Control ownership model with documented accountability for each control domain\n∙ Security KPIs tied to role-based performance management\n∙ Third-party accountability structures for key vendors"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-6",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF1",
          "M1.2-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1",
          "CC1.3",
          "CC1.3-POF1",
          "CC1.3-POF2",
          "CC1.3-POF3",
          "CC1.3-POF4",
          "CC1.3-POF5",
          "CC1.3-POF6",
          "CC1.5-POF1",
          "CC5.3-POF2"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.6",
          "7.2"
        ],
        "general-cobit-2019": [
          "BAI01.03"
        ],
        "general-coso-2013": [
          "3",
          "5"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-06"
        ],
        "general-csa-iot-2": [
          "GVN-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3",
          "3.5.1.2"
        ],
        "general-iso-22301-2019": [
          "5.3",
          "5.3(a)",
          "5.3(b)",
          "8.4.2.1"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "5.3(a)"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.2",
          "5.4.3"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "A.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "GOVERN 2.0",
          "GOVERN 2.1",
          "GOVERN 5.0",
          "MANAGE 2.4"
        ],
        "general-nist-800-37-r2": [
          "TASK P-9"
        ],
        "general-nist-800-218": [
          "PO.2.3"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-05",
          "GV.RR-01"
        ],
        "general-shared-assessments-sig-2025": [
          "R.6"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "1.2.2",
          "1.2.4"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG1.SP3"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.B",
          "1.C"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-1e",
          "PROGRAM-2f"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(c)(1)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(6)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(m)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(11)",
          "3.7.5(91)"
        ],
        "emea-deu-bsrit-2017": [
          "4.5",
          "4.6",
          "4.10"
        ],
        "emea-gbr-caf-4-0": [
          "A1.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1101",
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1101",
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1101",
          "1103"
        ],
        "apac-aus-ps-cps-230-2023": [
          "21"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S1",
          "GV.RR.S2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP21",
          "HHSP27",
          "HML21",
          "HML27"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP19",
          "HSUP23"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1",
          "1.1.1",
          "1.1.2"
        ]
      }
    },
    {
      "control_id": "GOV-04.2",
      "title": "Authoritative Chain of Command",
      "family": "GOV",
      "description": "Mechanisms exist to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks.",
      "scf_question": "Does the organization establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data privacy governance practices are informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Organization chart with security escalation paths\n∙ Documented incident escalation contact list",
        "small": "∙ Organization chart with defined security escalation paths\n∙ Documented escalation procedures for security decisions\n∙ Clear IT/security reporting relationships",
        "medium": "∙ Organization chart with cybersecurity reporting lines\n∙ Formal escalation matrix for security decisions and incidents\n∙ Defined authority levels for security-related approvals",
        "large": "∙ Formal organizational structure with clear cybersecurity authority chain\n∙ Documented delegation of authority for security decisions\n∙ Defined escalation procedures published in the SCRP",
        "enterprise": "∙ Enterprise organizational structure with defined CISO authority and reporting chain\n∙ Board-level visibility into security command structure\n∙ Integrated HR/org management system reflecting security authority\n∙ Formalized delegation of authority matrix for security decisions"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-6",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1",
          "CC1.3",
          "CC1.3-POF1",
          "CC1.3-POF2",
          "CC1.3-POF3",
          "CC1.3-POF4",
          "CC1.3-POF5",
          "CC1.3-POF6",
          "CC1.5-POF1"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.6",
          "7.2"
        ],
        "general-coso-2013": [
          "3",
          "5"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-06"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3",
          "3.5.1.2"
        ],
        "general-iso-22301-2019": [
          "5.3"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.2",
          "5.4.3"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "A.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "GOVERN 2.1"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "1.2.2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.B",
          "1.C"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-1e",
          "PROGRAM-2f"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(c)(1)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-deu-bsrit-2017": [
          "4.5",
          "4.6",
          "4.10"
        ],
        "emea-gbr-caf-4-0": [
          "A1.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1103"
        ],
        "apac-aus-ps-cps-230-2023": [
          "21"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S1",
          "GV.PO.S5"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP21"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1.2"
        ]
      }
    },
    {
      "control_id": "GOV-05",
      "title": "Measures of Performance",
      "family": "GOV",
      "description": "Mechanisms exist to develop, report and monitor Security, Compliance & Resilience Program (SCRP) measures of performance.",
      "scf_question": "Does the organization develop, report and monitor Security, Compliance & Resilience Program (SCRP) measures of performance?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ Basic metrics are developed to provide operational oversight of a limited scope of cybersecurity and data protection controls.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to develop, report and monitor Security, Compliance & Resilience Program (SCRP) measures of performance.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manually-generated metrics (spreadsheet-based dashboard)\n∙ Basic security scorecard (patch %, training completion %, incident count)",
        "small": "∙ Manually-generated metrics with structured reporting template\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Simple security dashboard (e.g., Power BI free tier, Google Looker Studio)",
        "medium": "∙ Automated metrics via GRC or security tool integrations\n∙ Security dashboard with defined KPIs/KRIs (e.g., Power BI, GRC platform reporting)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "large": "∙ GRC platform with integrated metrics and dashboards\n∙ Automated data collection from security tools (SIEM, vulnerability scanner, etc.)\n∙ Defined measurement cadence aligned with board reporting schedule",
        "enterprise": "∙ Enterprise GRC platform with automated metrics collection and reporting\n∙ Security metrics integrated with business intelligence platform (e.g., Tableau, Power BI)\n∙ Automated benchmarking against industry standards (e.g., CIS Benchmarks, CISA metrics)\n∙ Real-time security posture dashboards for executive and board reporting"
      },
      "risks": [
        "R-AC-1",
        "R-GV-1",
        "R-GV-2",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF3",
          "CC1.2",
          "CC1.5",
          "CC1.5-POF2",
          "CC1.5-POF5",
          "CC2.1-POF4",
          "CC2.2",
          "CC4.1",
          "CC4.1-POF2",
          "CC4.2-POF1",
          "CC5.3-POF6"
        ],
        "general-bsi-200-1-1-0": [
          "4.3"
        ],
        "general-cobit-2019": [
          "EDM01.03",
          "EDM05.01",
          "EDM05.03",
          "APO02.02",
          "DSS06.01",
          "MEA01.02",
          "MEA01.03"
        ],
        "general-coso-2013": [
          "2",
          "5",
          "14",
          "16"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-03",
          "DCS-17",
          "SEF-05",
          "TVM-12"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3"
        ],
        "general-iso-22301-2019": [
          "9.1",
          "9.1(a)",
          "9.1(b)",
          "9.1(c)",
          "9.1(d)"
        ],
        "general-iso-27001-2022": [
          "9.1",
          "9.1(a)",
          "9.1(b)",
          "9.1(c)",
          "9.1(d)",
          "9.1(e)",
          "9.1(f)"
        ],
        "general-iso-27701-2025": [
          "9.1"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.2",
          "6.6"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "9.3.2(d)",
          "9.3.2(d)(1)",
          "9.3.2(d)(2)",
          "9.3.2(d)(3)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.5",
          "MAP 5.2",
          "MEASURE 1.0",
          "MEASURE 1.1",
          "MEASURE 1.2",
          "MEASURE 4.0",
          "MEASURE 4.3"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-002",
          "MS-2.7-004"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.MT-P4",
          "PR.PO-P5",
          "PR.PO-P6"
        ],
        "general-nist-800-53-r4": [
          "PM-6"
        ],
        "general-nist-800-53-r5-2": [
          "PM-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-06"
        ],
        "general-nist-800-82-r3": [
          "PM-06"
        ],
        "general-nist-800-82-r3-low": [
          "PM-06"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-06"
        ],
        "general-nist-800-82-r3-high": [
          "PM-06"
        ],
        "general-nist-800-161-r1": [
          "PM-6"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-6"
        ],
        "general-nist-800-171-r3": [
          "03.12.03"
        ],
        "general-nist-800-207": [
          "NIST Tenet 7"
        ],
        "general-nist-csf-2-0": [
          "GV",
          "GV.OV",
          "GV.OV-01",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-09",
          "ID.IM-03"
        ],
        "general-scf-dpmp-2025": [
          "11.5"
        ],
        "general-tisax-6-0-3": [
          "1.2.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "MA:SG1",
          "MA:SG1.SP1",
          "MA:SG1.SP2",
          "MA:SG1.SP3",
          "MA:SG1.SP4",
          "MA:SG2",
          "MA:SG2.SP1",
          "MA:SG2.SP2",
          "MA:SG2.SP3",
          "MA:SG2.SP4",
          "MA:GG1.GP1",
          "MA:GG2",
          "MA:GG2.GP2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-5f",
          "THREAT-3f",
          "RISK-5f",
          "ACCESS-4f",
          "SITUATION-3d",
          "SITUATION-4f",
          "RESPONSE-5f",
          "THIRD-PARTIES-3f",
          "WORKFORCE-5f",
          "ARCHITECTURE-6f",
          "PROGRAM-2g",
          "PROGRAM-3f"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-06"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-6"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-06"
        ],
        "emea-eu-dora-2023": [
          "Article 13.4"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(f)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(j)"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-deu-c5-2020": [
          "COM-04"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-4"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.6.2 [OP.MON.2]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0724"
        ],
        "apac-ind-sebi-2024": [
          "GV.OV.S3",
          "GV.OV.S4",
          "PR.IP.S10"
        ],
        "apac-jpn-ismap": [
          "4.6.2.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP46",
          "HML46"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP38"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.5.3",
          "7.8.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.7"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.9"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.2",
          "2.8.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.03"
        ]
      }
    },
    {
      "control_id": "GOV-05.1",
      "title": "Key Performance Indicators (KPIs)",
      "family": "GOV",
      "description": "Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP).",
      "scf_question": "Does the organization develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP).",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manually-generated metrics (spreadsheet)\n∙ Key security KPIs: patch compliance %, training completion %, incident count, open vulnerability age",
        "small": "∙ Manually-generated metrics with defined KPI thresholds\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Monthly/quarterly KPI reporting to leadership",
        "medium": "∙ Defined security KPI library (CIS, CISA, or custom)\n∙ Automated KPI collection via GRC or SIEM integration\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "large": "∙ Formal KPI program with defined targets, thresholds, and owners\n∙ GRC platform with automated KPI dashboards (e.g., SCFConnect, Cyturus, etc.)\n∙ Board-level security KPI reporting cadence",
        "enterprise": "∙ Enterprise KPI program aligned to NIST, CIS, or custom security frameworks\n∙ Automated KPI collection and reporting via GRC/SIEM integration\n∙ Board and audit committee KPI reporting with trend analysis\n∙ KPIs mapped to business risk appetite and strategic objectives"
      },
      "risks": [
        "R-AC-1",
        "R-GV-1",
        "R-GV-2",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2",
          "CC1.5",
          "CC2.2",
          "CC4.1"
        ],
        "general-cobit-2019": [
          "APO02.02"
        ],
        "general-coso-2013": [
          "2",
          "5",
          "14",
          "16"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 4.1",
          "MEASURE 4.3"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-002"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-3"
        ],
        "americas-can-osfi-b13-2022": [
          "2.8.1"
        ]
      }
    },
    {
      "control_id": "GOV-05.2",
      "title": "Key Risk Indicators (KRIs)",
      "family": "GOV",
      "description": "Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP).",
      "scf_question": "Does the organization develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Organizational leadership maintains an informal process to review and respond to observed trends.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP).",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manually-generated metrics (spreadsheet)\n∙ Basic risk indicators: critical unpatched vulnerabilities, failed logins, open security incidents",
        "small": "∙ Manually-generated KRI tracking with alert thresholds\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Documented risk tolerance thresholds",
        "medium": "∙ Defined KRI library tied to organizational risk register\n∙ Automated KRI monitoring via GRC platform or SIEM (e.g., Splunk, Microsoft Sentinel)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "large": "∙ Formal KRI program with defined risk appetite thresholds\n∙ Automated KRI monitoring with escalation triggers\n∙ GRC platform with KRI dashboards linked to risk register\n∙ Regular KRI reporting to risk committee",
        "enterprise": "∙ Enterprise KRI program integrated with risk management framework\n∙ Automated real-time KRI monitoring with AI-assisted anomaly detection\n∙ Board-level risk indicator reporting with trend analysis\n∙ KRIs linked to enterprise risk appetite and materiality thresholds"
      },
      "risks": [
        "R-AC-1",
        "R-GV-1",
        "R-GV-2",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2",
          "CC1.5",
          "CC2.2",
          "CC4.1"
        ],
        "general-cobit-2019": [
          "APO02.02"
        ],
        "general-coso-2013": [
          "2",
          "5",
          "14",
          "16"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 4.1",
          "MEASURE 4.3"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-01"
        ]
      }
    },
    {
      "control_id": "GOV-06",
      "title": "Contacts With Authorities",
      "family": "GOV",
      "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
      "scf_question": "Does the organization identify and document appropriate contacts with relevant law enforcement and regulatory bodies?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Cybersecurity personnel identify and maintain contact information for local and national law enforcement (e.g., FBI field office) in case of cybersecurity incidents that require law enforcement involvement.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented list of law enforcement and regulatory contacts (FBI, CISA, state AG)\n∙ MS-ISAC free membership (https://www.cisecurity.org/ms-isac)",
        "small": "∙ Documented contacts with FBI Cyber Division, CISA, and relevant regulators\n∙ MS-ISAC or sector-specific ISAC membership\n∙ Pre-established law enforcement liaisons for incident response",
        "medium": "∙ Integrated Security Incident Response Team (ISIRT) with defined authority contacts\n∙ CISA Cyber Liaison and FBI Cyber Division contacts\n∙ Sector ISAC membership (e.g., FS-ISAC, H-ISAC, E-ISAC)\n∙ Regulatory notification contact list (e.g., FTC, OCR, state regulators)",
        "large": "∙ Integrated Security Incident Response Team (ISIRT) with pre-established authority relationships\n∙ Formal engagement with law enforcement (FBI, USSS, CISA)\n∙ Sector ISAC active membership with information sharing participation\n∙ Regulatory breach notification contacts and documented procedures",
        "enterprise": "∙ Dedicated government liaison program (FBI, CISA, NSA, sector regulators)\n∙ Active ISAC membership with classified threat briefing access (where applicable)\n∙ Pre-established breach notification workflows for all applicable regulators\n∙ Integrated Security Incident Response Team (ISIRT) with 24/7 law enforcement contact protocols"
      },
      "risks": [
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF4",
          "CC2.3",
          "CC3.1-POF10"
        ],
        "general-coso-2013": [
          "15"
        ],
        "general-govramp": [
          "IR-06"
        ],
        "general-govramp-core": [
          "IR-06"
        ],
        "general-govramp-low": [
          "IR-06"
        ],
        "general-govramp-low-plus": [
          "IR-06"
        ],
        "general-govramp-mod": [
          "IR-06"
        ],
        "general-govramp-high": [
          "IR-06"
        ],
        "general-iso-27002-2022": [
          "5.5"
        ],
        "general-iso-27017-2015": [
          "6.1.3"
        ],
        "general-iso-27018-2025": [
          "5.5"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-2.1-004"
        ],
        "general-nist-800-53-r4": [
          "IR-6"
        ],
        "general-nist-800-53-r5-2": [
          "IR-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-06"
        ],
        "general-nist-800-82-r3": [
          "IR-06"
        ],
        "general-nist-800-82-r3-low": [
          "IR-06"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-06"
        ],
        "general-nist-800-82-r3-high": [
          "IR-06"
        ],
        "general-nist-800-161-r1": [
          "IR-6"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "4.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-06"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-6"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-06"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-eu-dora-2023": [
          "Article 31.4"
        ],
        "emea-deu-c5-2020": [
          "OIS-05"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 32.1",
          "Article 32.2",
          "Article 32.3"
        ],
        "emea-esp-decree-311-2022": [
          "32.1",
          "32.2",
          "32.3"
        ],
        "apac-aus-ps-cps-230-2023": [
          "33",
          "42",
          "51",
          "59(a)",
          "59(b)"
        ],
        "apac-aus-ps-cps-234-2019": [
          "35",
          "35(a)",
          "35(b)",
          "36"
        ],
        "apac-jpn-ismap": [
          "6.1.3",
          "6.1.3.1",
          "6.1.3.3.PB"
        ]
      }
    },
    {
      "control_id": "GOV-07",
      "title": "Contacts With Groups & Associations",
      "family": "GOV",
      "description": "Mechanisms exist to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
      "scf_question": "Does the organization establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-THR-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ Cybersecurity and data privacy personnel identify and maintain contact information for local, regional and national cybersecurity / data privacy groups and associations.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to establish contact with selected groups and associations within the security, compliance and resilience communities to:\n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ISACA chapters (https://www.isaca.org)\n∙ ISC2 chapters (https://www.isc2.org)\n∙ IAPP chapters (https://iapp.org)\n∙ CISA free resources and advisories (https://www.cisa.gov)\n∙ SANS reading room, vendor security blogs",
        "small": "∙ ISACA chapters (https://www.isaca.org)\n∙ ISC2 chapters (https://www.isc2.org)\n∙ IAPP chapters (https://iapp.org)\n∙ CISA free resources and advisories (https://www.cisa.gov)\n∙ MS-ISAC free membership (https://www.cisecurity.org/ms-isac)",
        "medium": "∙ ISACA chapters (https://www.isaca.org)\n∙ ISC2 chapters (https://www.isc2.org)\n∙ IAPP chapters (https://iapp.org)\n∙ CISA advisories and threat alerts (https://www.cisa.gov)\n∙ Sector-specific ISAC membership",
        "large": "∙ ISACA chapters (https://www.isaca.org)\n∙ ISC2 chapters (https://www.isc2.org)\n∙ IAPP chapters (https://iapp.org)\n∙ Sector ISAC active membership (e.g., FS-ISAC, H-ISAC)\n∙ CISA Cyber Information Sharing program\n∙ InfraGard membership (https://www.infragard.org)",
        "enterprise": "∙ ISACA enterprise membership (https://www.isaca.org)\n∙ ISC2 enterprise programs (https://www.isc2.org)\n∙ IAPP enterprise membership (https://iapp.org)\n∙ Sector ISAC leadership participation\n∙ InfraGard and CISA partnership programs\n∙ Sector-specific policy engagement (FS-ISAC, NTIA, etc.)"
      },
      "risks": [
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF4",
          "CC2.3"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-08"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.3"
        ],
        "general-iso-27002-2022": [
          "5.6"
        ],
        "general-iso-27017-2015": [
          "6.1.4"
        ],
        "general-iso-27018-2025": [
          "5.6"
        ],
        "general-nist-800-53-r4": [
          "PM-15"
        ],
        "general-nist-800-53-r5-2": [
          "PM-15"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-15"
        ],
        "general-nist-800-82-r3": [
          "PM-15"
        ],
        "general-nist-800-82-r3-low": [
          "PM-15"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-15"
        ],
        "general-nist-800-82-r3-high": [
          "PM-15"
        ],
        "general-nist-800-161-r1": [
          "PM-15"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-15"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-15"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-02"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "PROGRAM-2j"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-15"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-15"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-15"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-15"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-15",
          "PM-15.a",
          "PM-15.b",
          "PM-15.c"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-15"
        ],
        "emea-eu-dora-2023": [
          "Article 45.1",
          "Article 45.1(a)",
          "Article 45.1(b)",
          "Article 45.1(c)",
          "Article 45.2"
        ],
        "apac-jpn-ismap": [
          "6.1.4",
          "6.1.4.1",
          "6.1.4.2",
          "6.1.4.3",
          "6.1.4.4",
          "6.1.4.5",
          "6.1.4.6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.7"
        ]
      }
    },
    {
      "control_id": "GOV-08",
      "title": "Defining Business Context & Mission",
      "family": "GOV",
      "description": "Mechanisms exist to define the context of its business model and document the organization's mission.",
      "scf_question": "Does the organization define the context of its business model and document the mission of the organization?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The context of the entity's business model and its mission are documented.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document mission statement and business context in writing",
        "small": "∙ Written mission statement and business context document\n∙ Annual review",
        "medium": "∙ Formal business context document\n∙ Integrated into risk management process",
        "large": "∙ Formal business context and mission documentation\n∙ Linked to enterprise risk management (ERM)\n∙ Stakeholder review process",
        "enterprise": "∙ Enterprise business context framework\n∙ Integrated ERM platform\n∙ Formal mission alignment review process\n∙ Strategic planning documentation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1",
          "CC2.2-POF10",
          "CC3.1-POF1",
          "CC3.1-POF3",
          "CC3.1-POF15",
          "CC5.1-POF2"
        ],
        "general-cobit-2019": [
          "EDM05.01",
          "EDM05.02",
          "EDM05.03",
          "APO01.01",
          "APO01.02",
          "APO01.03",
          "APO01.04",
          "APO01.06",
          "APO02.01",
          "APO02.05",
          "APO08.01",
          "APO08.02",
          "APO08.03",
          "APO08.04"
        ],
        "general-coso-2013": [
          "6",
          "10"
        ],
        "general-iso-22301-2019": [
          "4.1",
          "4.2.1",
          "4.2.1(a)",
          "4.2.1(b)"
        ],
        "general-iso-27001-2022": [
          "4.1",
          "4.2(a)",
          "4.3",
          "5.1"
        ],
        "general-iso-27701-2025": [
          "4.1",
          "6.1.1"
        ],
        "general-iso-31000-2018": [
          "5.4.1"
        ],
        "general-iso-42001-2023": [
          "6.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.3"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P5",
          "ID.BE-P1",
          "ID.BE-P2",
          "GV.RM-P3"
        ],
        "general-nist-csf-2-0": [
          "GV.OC",
          "GV.OC-01",
          "GV.OC-04",
          "GV.OV-01",
          "GV.SC-03"
        ],
        "general-scf-dpmp-2025": [
          "11.1"
        ],
        "general-shared-assessments-sig-2025": [
          "B.1"
        ],
        "general-tisax-6-0-3": [
          "1.1.1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(i)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(4)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(b)"
        ],
        "emea-sau-ecc-1-2018": [
          "1-1-1"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2",
          "2.1.1"
        ]
      }
    },
    {
      "control_id": "GOV-09",
      "title": "Define Control Objectives",
      "family": "GOV",
      "description": "Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization's internal security, compliance and resilience control system.",
      "scf_question": "Does the organization establish control objectives as the basis for the selection, implementation and management of the organization's internal security, compliance and resilience control system?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data privacy governance practices are informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT/cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to establish control objectives as the basis for the selection, implementation and management of the organization's internal security, compliance and resilience control system.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document basic security control objectives in a policy",
        "small": "∙ Written control objectives tied to applicable requirements",
        "medium": "∙ Formal control objectives framework\n∙ Mapped to applicable laws and regulations",
        "large": "∙ Enterprise control objectives library\n∙ Mapped to regulatory requirements\n∙ GRC platform for control tracking",
        "enterprise": "∙ Enterprise GRC platform (e.g., ServiceNow GRC, RSA Archer)\n∙ Control objectives library\n∙ Automated compliance mapping\n∙ Continuous control monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF1",
          "CC2.2",
          "CC2.2-POF1",
          "CC2.2-POF7",
          "CC3.1",
          "CC3.1-POF1",
          "CC3.1-POF8",
          "CC3.1-POF9",
          "CC3.1-POF15"
        ],
        "general-cobit-2019": [
          "APO01.04"
        ],
        "general-coso-2013": [
          "6",
          "10"
        ],
        "general-iso-27001-2022": [
          "4.1",
          "4.2",
          "4.2(b)",
          "4.2(c)",
          "5.2(b)",
          "6.2",
          "6.2(a)",
          "6.2(b)",
          "6.2(c)",
          "6.2(d)",
          "6.2(e)",
          "6.2(f)",
          "6.2(g)",
          "6.2(h)",
          "6.2(i)",
          "6.2(j)",
          "6.2(k)",
          "6.2(l)"
        ],
        "general-iso-27701-2025": [
          "6.1.3(d)"
        ],
        "general-iso-31000-2018": [
          "5.4.1"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "6.2",
          "8.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-03"
        ],
        "general-tisax-6-0-3": [
          "1.1.1",
          "7.1.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "CTRL:SG1",
          "CTRL:SG1.SP1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)",
          "609.930(c)(6)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.3(b)(1)",
          "314.3(b)(2)",
          "314.3(b)(3)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(1)",
          "164.308(a)(1)(ii)(B)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(1)",
          "164.308(a)(1)(ii)(B)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(5)(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(c)"
        ],
        "emea-deu-c5-2020": [
          "OIS-01",
          "OIS-02"
        ],
        "emea-sau-cscc-1-2019": [
          "1-1"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S1",
          "GV.RM.S1"
        ],
        "apac-jpn-ismap": [
          "4.4.4.1",
          "5.1.1.5"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2",
          "2.1.1"
        ]
      }
    },
    {
      "control_id": "GOV-10",
      "title": "Data Governance",
      "family": "GOV",
      "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization facilitate data governance to oversee its policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Administrative processes require all employees and contractors to apply cybersecurity and data protection principles in their daily work (e.g., policies & standards).\n▪ Cybersecurity and data privacy governance practices are informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT /cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic data inventory (spreadsheet)\n∙ Designated data owner / data custodian role\n∙ Informal data classification policy",
        "small": "∙ Data governance policy and data classification standard\n∙ Designated data owner(s) by data type\n∙ Basic data inventory with sensitivity classification",
        "medium": "∙ Formal data governance program with data classification scheme\n∙ Data steward and data owner roles defined\n∙ Data catalog tool (e.g., Microsoft Purview free tier, OpenMetadata)",
        "large": "∙ Chief Data Officer (CDO) or equivalent role\n∙ Formal data governance committee\n∙ Enterprise data catalog and classification tool (e.g., Microsoft Purview, Collibra)\n∙ Data quality and lineage management program",
        "enterprise": "∙ Chief Data Officer (CDO) with executive authority\n∙ Enterprise Data Governance Council\n∙ Enterprise data catalog, classification, and lineage platform (e.g., Collibra, Alation, Informatica)\n∙ Data governance integrated with privacy, compliance, and risk programs"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1"
        ],
        "general-iso-27002-2022": [
          "5.12"
        ],
        "general-iso-27017-2015": [
          "8.2.1"
        ],
        "general-iso-27018-2025": [
          "5.12"
        ],
        "general-nist-800-53-r5-2": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-low": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-high": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-161-r1": [
          "PM-23"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-23"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.5"
        ],
        "general-scf-dpmp-2025": [
          "5.9"
        ],
        "general-shared-assessments-sig-2025": [
          "P.8"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "8.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-23",
          "PM-24"
        ],
        "apac-chn-pipl-2021": [
          "58",
          "58(1)",
          "58(2)",
          "58(3)",
          "58(4)"
        ]
      }
    },
    {
      "control_id": "GOV-11",
      "title": "Purpose Validation",
      "family": "GOV",
      "description": "Mechanisms exist to monitor mission/business-critical Technology Assets, Applications and/or Services (TAAS) to ensure those resources are being used consistent with their intended purpose.",
      "scf_question": "Does the organization monitor mission/business-critical Technology Assets, Applications and/or Services (TAAS) to ensure those resources are being used consistent with their intended purpose?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to monitor mission/business-critical Technology Assets, Applications and/or Services (TAAS) to ensure those resources are being used consistent with their intended purpose.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document intended use for critical systems",
        "small": "∙ Documented intended use policy for critical systems\n∙ Periodic review",
        "medium": "∙ Asset purpose documentation\n∙ Log review for anomalous use patterns",
        "large": "∙ SIEM for usage monitoring\n∙ Asset management system with intended-use tagging\n∙ Periodic usage audits",
        "enterprise": "∙ SIEM platform (e.g., Splunk, IBM QRadar)\n∙ UEBA for anomaly detection\n∙ Asset inventory with purpose classification\n∙ Automated alerting for out-of-purpose usage"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-iso-42001-2023": [
          "6.2"
        ],
        "general-nist-800-53-r5-2": [
          "PM-32"
        ],
        "general-nist-800-82-r3": [
          "PM-32"
        ],
        "general-nist-800-82-r3-low": [
          "PM-32"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-32"
        ],
        "general-nist-800-82-r3-high": [
          "PM-32"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PM-32"
        ],
        "general-nist-800-161-r1": [
          "PM-32"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-32"
        ],
        "general-nist-800-161-r1-level-3": [
          "PM-32"
        ]
      }
    },
    {
      "control_id": "GOV-12",
      "title": "Forced Technology Transfer (FTT)",
      "family": "GOV",
      "description": "Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive/regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.",
      "scf_question": "Does the organization avoid and/or constrain the forced exfiltration of sensitive/regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to avoid and/or constrain the forced exfiltration of sensitive/regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Legal review",
        "small": "∙ Legal review",
        "medium": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "apac-chn-cybersecurity-law-2017": [
          "Article 28"
        ],
        "apac-chn-data-security-law-2021": [
          "7",
          "8",
          "9",
          "11",
          "14",
          "15",
          "16",
          "18",
          "19",
          "20",
          "28",
          "31",
          "32",
          "33",
          "36",
          "37",
          "38",
          "48",
          "53"
        ],
        "apac-chn-pipl-2021": [
          "38",
          "38(4)",
          "40"
        ]
      }
    },
    {
      "control_id": "GOV-13",
      "title": "State-Sponsored Espionage",
      "family": "GOV",
      "description": "Mechanisms exist to constrain the host government's ability to leverage the organization's Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.",
      "scf_question": "Does the organization constrain the host government's ability to leverage its Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to constrain the host government's ability to leverage the organization's Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Legal review",
        "small": "∙ Legal review",
        "medium": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "apac-chn-cybersecurity-law-2017": [
          "Article 28"
        ],
        "apac-chn-data-security-law-2021": [
          "7",
          "8",
          "9",
          "11",
          "14",
          "15",
          "16",
          "18",
          "19",
          "20",
          "28",
          "31",
          "32",
          "33",
          "36",
          "37",
          "38",
          "48",
          "53"
        ],
        "apac-chn-pipl-2021": [
          "11",
          "12",
          "38(4)",
          "40",
          "47(5)",
          "60",
          "63(3)",
          "63(4)",
          "64"
        ]
      }
    },
    {
      "control_id": "GOV-14",
      "title": "Business As Usual (BAU) Security, Compliance & Resilience Practices",
      "family": "GOV",
      "description": "Mechanisms exist to incorporate security, compliance and resilience principles into Business As Usual (BAU) practices through executive leadership involvement.",
      "scf_question": "Does the organization incorporate security, compliance and resilience principles into Business As Usual (BAU) practices through executive leadership involvement?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to incorporate security, compliance and resilience principles into Business As Usual (BAU) practices through executive leadership involvement.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "small": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "medium": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "large": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "enterprise": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)"
      },
      "risks": [
        "R-AC-1",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF1",
          "CC5.3-POF1"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.3"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.7"
        ],
        "general-iso-21434-2021": [
          "RQ-05-06"
        ],
        "general-iso-27701-2025": [
          "5.1"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "5.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(g)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P2"
        ],
        "general-pci-dss-4-0-1": [
          "A3.3",
          "A3.3.3"
        ],
        "general-shared-assessments-sig-2025": [
          "K.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EF:SG3.SP2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "apac-aus-ps-cps-230-2023": [
          "24"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S1"
        ],
        "apac-jpn-ismap": [
          "4.5.2.1",
          "7.2.1.8"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "3.2.1"
        ]
      }
    },
    {
      "control_id": "GOV-15",
      "title": "Operationalizing Security, Compliance & Resilience Capabilities",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to operationalize security, compliance and resilience practices for each Technology Asset, Application and/or Service (TAAS) under their control.",
      "scf_question": "Does the organization compel data and/or process owners to operationalize security, compliance and resilience practices for each Technology Asset, Application and/or Service (TAAS) under their control?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-19"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to operationalize security, compliance and resilience practices for each Technology Asset, Application and/or Service (TAAS) under their control.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "small": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "medium": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "large": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "enterprise": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF1",
          "CC2.1-POF2",
          "CC2.1-POF3",
          "CC2.1-POF4",
          "CC3.1-POF5",
          "CC5.1",
          "CC5.1-POF1",
          "CC5.1-POF2",
          "CC5.1-POF3",
          "CC5.1-POF4",
          "CC5.1-POF5",
          "CC5.1-POF6"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.3"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.1",
          "4.6.1",
          "5.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5"
        ],
        "general-iso-22301-2019": [
          "8.1",
          "8.1(a)",
          "8.1(b)",
          "8.1(c)"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "8.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(g)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P2"
        ],
        "general-nist-800-37-r2": [
          "TASK P-17"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.01"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-swift-cscf-2025": [
          "2.4"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "5.3.1",
          "5.3.2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.f"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1f"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.4.a"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(F)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.30"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(viii)",
          "155.260(a)(4)",
          "155.260(a)(4)(i)",
          "155.260(a)(4)(iii)",
          "155.260(c)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)",
          "164.306(b)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)",
          "164.306(b)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.1.l"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(i)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B",
          "III.C.1",
          "III.C.3",
          "III.D",
          "III.D.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(3)"
        ],
        "usa-state-il-ipa-2009": [
          "35(c)",
          "37(c)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.2"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.4(22)",
          "3.4.1(30)(a)",
          "3.4.1(30)(b)",
          "3.4.1(30)(c)",
          "3.4.1(30)(d)",
          "3.4.1(30)(e)",
          "3.4.1(30)(f)",
          "3.4.1(30)(g)"
        ],
        "emea-eu-dora-2023": [
          "Article 7",
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)",
          "Article 9.3"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.1",
          "6.7.1"
        ],
        "emea-deu-bsrit-2017": [
          "5.1"
        ],
        "emea-qat-pdppl-2020": [
          "8.3"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 5",
          "Article 5(a)",
          "Article 5(b)",
          "Article 5(c)",
          "Article 5(d)",
          "Article 5(e)",
          "Article 5(f)",
          "Article 5(g)",
          "Article 8.1",
          "Article 8.2",
          "Article 8.3",
          "Article 8.4",
          "Article 8.5",
          "Article 28.1",
          "Article 37"
        ],
        "emea-esp-decree-311-2022": [
          "28.1",
          "37",
          "5",
          "5(a)",
          "5(b)",
          "5(c)",
          "5(d)",
          "5(e)",
          "5(f)",
          "5(g)",
          "8.1",
          "8.2",
          "8.3",
          "8.4",
          "8.5"
        ],
        "emea-gbr-caf-4-0": [
          "B4.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1633",
          "ISM-1634",
          "ISM-1635",
          "ISM-1636"
        ],
        "apac-aus-ps-cps-230-2023": [
          "29"
        ],
        "apac-ind-sebi-2024": [
          "GV.RM.S2"
        ],
        "apac-jpn-ismap": [
          "4.4.4.1",
          "4.5.2.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP11",
          "HHSP16",
          "HHSP28",
          "HML11",
          "HML16",
          "HML28"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP14",
          "HSUP24"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.10.C.04",
          "3.4.11.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1",
          "3.2.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.1",
      "title": "Select Controls",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to select required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control.",
      "scf_question": "Does the organization compel data and/or process owners to select required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to select required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.1"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.1",
          "4.6.1"
        ],
        "general-iso-22301-2019": [
          "8.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-42001-2023": [
          "8.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-nist-800-37-r2": [
          "TASK P-5",
          "TASK S-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "1.2.4",
          "5.3.1",
          "5.3.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "CTRL:SG2.SP1",
          "EC:SG2",
          "EC:SG2.SP2",
          "KIM:SG2",
          "KIM:SG2.SP2",
          "TM:SG2",
          "TM:SG2.SP2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1f",
          "ARCHITECTURE-1g"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)",
          "252.204-7012(b)(2)(i)",
          "252.204-7012(b)(2)(ii)(A)",
          "252.204-7012(b)(3)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.1.l"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(a)(2)",
          "§117.18(e)(1)",
          "§117.18(e)(2)",
          "§117.18(e)(3)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B",
          "III.C.1",
          "III.C.3",
          "III.D"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.4(22)",
          "3.3.4(23)",
          "3.4.1(30)(a)",
          "3.4.1(30)(b)",
          "3.4.1(30)(c)",
          "3.4.1(30)(d)",
          "3.4.1(30)(e)",
          "3.4.1(30)(f)",
          "3.4.1(30)(g)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-deu-bsrit-2017": [
          "5.1"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.1"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 3.3",
          "Article 28.1(a)",
          "Article 28.1(b)",
          "Article 28.1(c)",
          "Article 28.2",
          "Article 28.3",
          "Article 37"
        ],
        "emea-esp-decree-311-2022": [
          "28.1(a)",
          "28.1(b)",
          "28.1(c)",
          "28.2",
          "28.3",
          "3.3",
          "37"
        ],
        "emea-gbr-caf-4-0": [
          "B4.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5",
          "A6"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1634"
        ],
        "apac-aus-ps-cps-230-2023": [
          "29"
        ],
        "apac-jpn-ismap": [
          "4.4.4.1"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.10.C.04"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.2",
      "title": "Implement Controls",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to implement required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control.",
      "scf_question": "Does the organization compel data and/or process owners to implement required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to implement required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.1"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.1",
          "4.6.1",
          "5.1"
        ],
        "general-iso-22301-2019": [
          "8.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-42001-2023": [
          "8.1"
        ],
        "general-nist-800-37-r2": [
          "TASK P-17",
          "TASK S-3",
          "TASK I-1"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "5.3.1",
          "5.3.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "CTRL:SG2"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)",
          "164.306(d)(3)(ii)(A)",
          "164.308(a)(1)(ii)(B)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)",
          "164.306(d)(3)(ii)(A)",
          "164.308(a)(1)(ii)(B)"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)(4)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B",
          "III.C.1",
          "III.C.3",
          "III.D"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(e)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.1(30)(a)",
          "3.4.1(30)(b)",
          "3.4.1(30)(c)",
          "3.4.1(30)(d)",
          "3.4.1(30)(e)",
          "3.4.1(30)(f)",
          "3.4.1(30)(g)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-deu-bsrit-2017": [
          "5.2"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.3",
          "11.5",
          "11.6"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 3.3",
          "Article 37"
        ],
        "emea-esp-decree-311-2022": [
          "3.3",
          "37"
        ],
        "emea-gbr-caf-4-0": [
          "B4.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5",
          "A6",
          "B4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1635"
        ],
        "apac-nzl-ism-3-9": [
          "3.4.11.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.3",
      "title": "Assess Controls",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to assess if required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control are:\n(1) Implemented correctly; and \n(2) Operating as intended.",
      "scf_question": "Does the organization compel data and/or process owners to assess if required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control are:\n(1) Implemented correctly; and \n(2) Operating as intended?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to assess if required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control are:\n(1) Implemented correctly; and \n(2) Operating as intended.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.2-POF1"
        ],
        "general-iso-22301-2019": [
          "8.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-42001-2023": [
          "8.1"
        ],
        "general-nist-800-37-r2": [
          "TASK A-3",
          "TASK M-2"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "CTRL:SG3",
          "CTRL:SG3.SP1",
          "CTRL:SG4",
          "CTRL:SG4.SP1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)(5)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)",
          "899-bb.2(b)(ii)(B)(4)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.6(41)",
          "3.4.6(42)",
          "3.4.6(43)",
          "3.4.6(43)(a)",
          "3.4.6(43)(b)",
          "3.4.6(44)",
          "3.4.6(45)",
          "3.4.6(46)",
          "3.4.6(47)",
          "3.4.6(48)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.1",
          "11.2"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5",
          "A6",
          "B4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1636"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.4",
      "title": "Authorize Technology Assets, Applications and/or Services (TAAS)",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each Technology Asset, Application and/or Service (TAAS) under their control.",
      "scf_question": "Does the organization compel data and/or process owners to obtain authorization for the production use of each Technology Asset, Application and/or Service (TAAS) under their control?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to obtain authorization for the production use of each Technology Asset, Application and/or Service (TAAS) under their control.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-iso-22301-2019": [
          "8.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-nist-800-37-r2": [
          "TASK R-4"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)(6)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b",
          "9-3.a",
          "9-3.b",
          "9-3.d"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.1"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0027"
        ],
        "apac-nzl-ism-3-9": [
          "23.2.16.C.03",
          "23.2.16.C.04"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.5",
      "title": "Monitor Controls",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to monitor Technology Assets, Applications, Services and/or Data (TAASD) under their control on an ongoing basis for applicable threats and risks, as well as to ensure security, compliance and resilience controls are operating as intended.",
      "scf_question": "Does the organization compel data and/or process owners to monitor Technology Assets, Applications, Services and/or Data (TAASD) under their control on an ongoing basis for applicable threats and risks, as well as to ensure security, compliance and resilience controls are operating as intended?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to monitor Technology Assets, Applications, Services and/or Data (TAASD) under their control on an ongoing basis for applicable threats and risks, as well as to ensure security, compliance and resilience controls are operating as intended.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-iso-27001-2022": [
          "9.2.2"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-42001-2023": [
          "8.1"
        ],
        "general-nist-800-37-r2": [
          "TASK M-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)(7)",
          "§117.18(e)(7)(i)",
          "§117.18(e)(7)(ii)",
          "§117.18(e)(7)(iii)",
          "§117.18(e)(7)(iv)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.7",
          "11.8"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1526"
        ],
        "apac-aus-ps-cps-230-2023": [
          "30"
        ],
        "apac-nzl-ism-3-9": [
          "23.2.18.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-16",
      "title": "Materiality Determination",
      "family": "GOV",
      "description": "Mechanisms exist to define materiality threshold criteria capable of designating an incident as material.",
      "scf_question": "Does the organization define materiality threshold criteria capable of designating an incident as material?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-14"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to define materiality threshold criteria capable of designating an incident as material.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Simple materiality threshold definition (document what constitutes a material incident)",
        "small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Documented materiality criteria aligned to business impact and applicable regulations",
        "medium": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Documented materiality thresholds (financial, reputational, operational, regulatory)\n∙ SEC cybersecurity disclosure rules considered (if applicable)",
        "large": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal materiality determination process aligned to SEC cybersecurity disclosure rules (if public)\n∙ Cross-functional materiality review team (Legal, Finance, CISO, Operations)",
        "enterprise": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Enterprise materiality determination framework (SEC Item 1.05, PCAOB, SOX alignment)\n∙ Board-approved materiality thresholds with regular review cycle\n∙ Automated materiality scoring integrated with incident response workflows"
      },
      "risks": [
        "R-EX-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1-POF6"
        ],
        "general-iso-31000-2018": [
          "5.4.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.E(2)(b)"
        ],
        "general-nist-csf-2-0": [
          "DE.AE-04"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.105(b)",
          "17 CFR 229.106(a)",
          "17 CFR 229.106(b)(2)",
          "17 CFR 229.106(c)(2)",
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.4"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(3)",
          "500.4(b)(5)",
          "500.9(b)(1)",
          "500.9(b)(2)"
        ]
      }
    },
    {
      "control_id": "GOV-16.1",
      "title": "Material Risks",
      "family": "GOV",
      "description": "Mechanisms exist to define criteria necessary to designate a risk as a material risk.",
      "scf_question": "Does the organization define criteria necessary to designate a risk as a material risk?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to define criteria necessary to designate a risk as a material risk.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Basic risk register with materiality threshold criteria",
        "small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Risk register with documented materiality criteria\n∙ Defined risk scoring methodology",
        "medium": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal risk register with quantitative/qualitative materiality thresholds\n∙ GRC platform risk management module",
        "large": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal materiality criteria for risks aligned to risk appetite\n∙ Board-approved material risk thresholds\n∙ GRC platform with automated risk scoring and materiality flagging",
        "enterprise": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Enterprise material risk framework aligned to SEC, SOX, and applicable regulators\n∙ Quantitative risk analysis (e.g., FAIR methodology)\n∙ Automated material risk identification and escalation"
      },
      "risks": [
        "R-EX-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-csa-iot-2": [
          "RSM-01"
        ],
        "general-iso-31000-2018": [
          "5.4.2"
        ],
        "general-iso-42001-2023": [
          "6.1.2(c)",
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.E(2)(b)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.105(b)",
          "17 CFR 229.106(b)(2)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(3)",
          "500.4(b)(5)",
          "500.9(b)(1)",
          "500.9(b)(2)"
        ]
      }
    },
    {
      "control_id": "GOV-16.2",
      "title": "Material Threats",
      "family": "GOV",
      "description": "Mechanisms exist to define criteria necessary to designate a threat as a material threat.",
      "scf_question": "Does the organization define criteria necessary to designate a threat as a material threat?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-16"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to define criteria necessary to designate a threat as a material threat.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Basic threat assessment against organizational context",
        "small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Documented threat assessment with materiality criteria\n∙ CISA Known Exploited Vulnerabilities (KEV) catalog reference",
        "medium": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal threat assessment with materiality thresholds\n∙ MITRE ATT&CK framework threat modeling\n∙ Threat intelligence integration (e.g., CISA advisories, sector ISAC feeds)",
        "large": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal material threat designation process with executive review\n∙ Threat intelligence platform (e.g., Recorded Future, Anomali, MISP)\n∙ MITRE ATT&CK-based threat modeling",
        "enterprise": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Enterprise material threat framework integrated with SEC disclosure process\n∙ Dedicated threat intelligence platform (e.g., Recorded Future, Mandiant Threat Intelligence)\n∙ Board-level material threat reporting cadence"
      },
      "risks": [
        "R-EX-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-csa-iot-2": [
          "RSM-01"
        ],
        "general-iso-31000-2018": [
          "5.4.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.E(2)(b)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.105(b)",
          "17 CFR 229.106(a)",
          "17 CFR 229.106(b)(2)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(3)",
          "500.4(b)(5)",
          "500.9(b)(1)",
          "500.9(b)(2)"
        ]
      }
    },
    {
      "control_id": "GOV-17",
      "title": "Security, Compliance & Resilience Status Reporting",
      "family": "GOV",
      "description": "Mechanisms exist to submit status reporting of the organization's security, compliance and/or resilience program to applicable statutory and/or regulatory authorities, as required.",
      "scf_question": "Does the organization submit status reporting of the organization's security, compliance and/or resilience program to applicable statutory and/or regulatory authorities, as required?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-GOV-17"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to submit status reporting of the organization's security, compliance and/or resilience program to applicable statutory and/or regulatory authorities, as required.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Maintain records for any required compliance filings",
        "small": "∙ Designate a compliance contact for required reporting\n∙ Track reporting deadlines",
        "medium": "∙ Compliance calendar for required submissions\n∙ Documented reporting procedures",
        "large": "∙ Compliance tracking platform\n∙ Dedicated compliance officer\n∙ Standardized reporting templates",
        "enterprise": "∙ Enterprise GRC platform for compliance reporting\n∙ Dedicated compliance team\n∙ Automated regulatory submission tracking\n∙ Legal and compliance integration"
      },
      "risks": [
        "R-EX-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1-POF10",
          "CC3.2-POF3"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)(2)(ii)(B)"
        ],
        "usa-federal-far-52-204-25": [
          "52.204-25(d)(2)(i)",
          "52.204-25(d)(2)(ii)",
          "52.204-25(d)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(b)",
          "17 CFR 229.106(d)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "II.B.1",
          "III.F.3",
          "V.A.1",
          "VI.A",
          "VI.B",
          "VI.B.1",
          "VI.B.2",
          "VI.C",
          "VI.D"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7124(a)",
          "7124(b)",
          "7124(c)",
          "7124(c)(1)",
          "7124(c)(2)",
          "7124(c)(3)",
          "7124(d)",
          "7124(d)(1)",
          "7124(d)(2)",
          "7124(d)(3)",
          "7124(d)(4)",
          "7124(d)(5)",
          "7157(a)",
          "7157(a)(1)",
          "7157(a)(2)",
          "7157(b)",
          "7157(b)(1)",
          "7157(b)(2)",
          "7157(b)(3)",
          "7157(b)(4)",
          "7157(b)(5)",
          "7157(b)(6)",
          "7157(c)",
          "7157(c)(1)",
          "7157(c)(2)",
          "7157(c)(3)",
          "7157(d)",
          "7157(e)"
        ],
        "usa-state-il-ipa-2009": [
          "35(b)",
          "37(b)"
        ],
        "usa-state-il-pipa-2006": [
          "12(f)",
          "25"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.17(a)(1)",
          "500.17(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-01-SID"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-580.C"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.2.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1587"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 38",
          "Article 54(1)"
        ],
        "apac-jpn-ismap": [
          "4.5.3.1"
        ]
      }
    },
    {
      "control_id": "GOV-18",
      "title": "Quality Management System (QMS)",
      "family": "GOV",
      "description": "Mechanisms exist to govern a Quality Management System (QMS) to ensure security, compliance and resilience processes conform with applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization govern a Quality Management System (QMS) to ensure security, compliance and resilience processes conform with applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Unstructured review of the cybersecurity and/or data privacy program is performed on an annual basis.\n▪ Administrative processes require all employees and contractors to apply cybersecurity and data protection principles in their daily work (e.g., policies & standards).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to  govern a Quality Management System (QMS) to ensure security, compliance and resilience processes conform with applicable statutory, regulatory and/or contractual obligations.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document basic quality checkpoints for security processes",
        "small": "∙ Written quality standards for key security processes",
        "medium": "∙ Formal QMS procedures for security processes\n∙ Internal quality reviews",
        "large": "∙ ISO 9001-aligned QMS for security operations\n∙ Formal QA function\n∙ Periodic internal audits",
        "enterprise": "∙ ISO 9001 certified QMS\n∙ Dedicated quality assurance team\n∙ Continuous process improvement program\n∙ Integrated QMS platform"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SA-1",
        "R-SA-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-cobit-2019": [
          "APO11.01",
          "APO14.04",
          "BAI01.07"
        ],
        "general-iso-21434-2021": [
          "RQ-05-11",
          "RQ-05-11(a)",
          "RQ-05-11(b)",
          "RQ-05-11(c)",
          "RQ-05-11(d)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 16(c)",
          "Article 17.1"
        ]
      }
    },
    {
      "control_id": "GOV-19",
      "title": "Assurance",
      "family": "GOV",
      "description": "Mechanisms exist to define the basis for confidence that implemented practices conform to applicable security, compliance and resilience controls, where the control implementation performs as intended.",
      "scf_question": "Does the organization define the basis for confidence that implemented practices conform to applicable security, compliance and resilience controls, where the control implementation performs as intended?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT /cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to  define the basis for confidence that implemented practices conform to applicable security, compliance and resilience controls, where the control implementation performs as intended.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Annual self-assessment against documented controls",
        "small": "∙ Annual internal assessment against documented controls\n∙ Track findings and remediation",
        "medium": "∙ Formal internal assessment program\n∙ Track assurance evidence\n∙ Third-party assessments as needed",
        "large": "∙ Formal assurance program\n∙ Third-party assessments\n∙ Internal audit function\n∙ Control testing schedule",
        "enterprise": "∙ Enterprise assurance program\n∙ Dedicated internal audit team\n∙ Third-party assessments (SOC 2, ISO 27001)\n∙ Continuous control monitoring platform"
      },
      "risks": [
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "emea-gbr-caf-4-0": [
          "A2.c"
        ]
      }
    },
    {
      "control_id": "GOV-19.1",
      "title": "Assurance Levels (AL)",
      "family": "GOV",
      "description": "Mechanisms exist to utilize defined Assurance Levels (AL) for assessment activities to standardize the following assurance attributes:\n(1) Depth that addresses the rigor and level of detail of the assessment; and\n(2) Coverage that addresses the scope and breadth of the assessment.",
      "scf_question": "Does the organization utilize defined Assurance Levels (AL) for assessment activities to standardize the following assurance attributes:\n(1) Depth that addresses the rigor and level of detail of the assessment; and\n(2) Coverage that addresses the scope and breadth of the assessment?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT /cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to utilize defined Assurance Levels (AL) for assessment activities to standardize the following assurance attributes:\n(1) Depth that addresses the rigor and level of detail of the assessment; and\n(2) Coverage that addresses the scope and breadth of the assessment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Define basic assessment depth (documentation review vs. testing)",
        "small": "∙ Define assessment depth and coverage criteria in policy",
        "medium": "∙ Assurance level definitions in assessment procedures\n∙ Apply appropriate AL per control criticality",
        "large": "∙ Formal assurance level framework\n∙ Tiered assessment approach by risk level",
        "enterprise": "∙ Enterprise assurance level framework\n∙ Automated control testing for lower-risk controls\n∙ In-depth testing for critical systems\n∙ Risk-based assessment scheduling"
      },
      "risks": [
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {}
    },
    {
      "control_id": "GOV-19.2",
      "title": "Assessment Objectives (AO)",
      "family": "GOV",
      "description": "Mechanisms exist to utilize defined Assessment Objectives (AO) to assess the implementation of requirements, when available.",
      "scf_question": "Does the organization utilize defined Assessment Objectives (AO) to assess the implementation of requirements, when available?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT /cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to utilize defined Assessment Objectives (AO) to assess the implementation of requirements, when available.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use control descriptions as the basis for assessment questions",
        "small": "∙ Define assessment objectives for key controls",
        "medium": "∙ Formal assessment objectives derived from control statements\n∙ Map AOs to test procedures",
        "large": "∙ Assessment objectives library\n∙ Linked to control framework and test procedures",
        "enterprise": "∙ Enterprise assessment objectives repository\n∙ GRC platform with automated assessment workflows\n∙ Linkage to risk register and control library"
      },
      "risks": [
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG2.GP9",
          "AM:GG2.GP9",
          "COMM:GG2.GP9",
          "COMP:GG2.GP9",
          "CTRL:GG2.GP9",
          "EC:GG2.GP9",
          "EF:GG2.GP9",
          "EXD:GG2.GP9",
          "FRM:GG2.GP9",
          "HRM:GG2.GP9",
          "ID:GG2.GP9",
          "IMC:GG2.GP9",
          "KIM:GG2.GP9",
          "MA:GG2.GP9",
          "MON:GG2.GP9",
          "OPD:GG2.GP9",
          "OPF:GG2.GP9",
          "OTA:GG2.GP9",
          "PM:GG2.GP9",
          "RISK:GG2.GP9",
          "RRD:GG2.GP9",
          "RRM:GG2.GP9",
          "RTSE:GG2.GP9",
          "SC:GG2.GP9",
          "TM:GG2.GP9",
          "VAR:GG2.GP9",
          "GG2.GP9"
        ]
      }
    },
    {
      "control_id": "GOV-20",
      "title": "Mergers, Acquisitions & Divestitures (MA&D)",
      "family": "GOV",
      "description": "Mechanisms exist to define standardized practices to conduct Mergers, Acquisitions and Divestiture (MA&D) activities.",
      "scf_question": "Does the organization define standardized practices to conduct Mergers, Acquisitions and Divestiture (MA&D) activities?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data privacy governance practices are informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT/cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to define standardized practices to conduct Mergers, Acquisitions and Divestiture (MA&D) activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "medium": "∙ Documented M&A/divestiture security procedures",
        "large": "∙ Formal M&A security due diligence checklist\n∙ Documented integration/separation procedures",
        "enterprise": "∙ Enterprise M&A security playbook\n∙ Dedicated M&A security team\n∙ Legal and compliance integration\n∙ Technical due diligence framework"
      },
      "risks": [
        "R-AC-4",
        "R-EX-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-26",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {}
    },
    {
      "control_id": "GOV-20.1",
      "title": "Virtual Data Room (VDR)",
      "family": "GOV",
      "description": "Mechanisms exist to provision a Virtual Data Room (VDR), or similar technology, to securely share documentation among stakeholders to conduct Mergers, Acquisitions and Divestiture (MA&D) activities.",
      "scf_question": "Does the organization provision a Virtual Data Room (VDR), or similar technology, to securely share documentation among stakeholders to conduct Mergers, Acquisitions and Divestiture (MA&D) activities?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to provision a Virtual Data Room (VDR), or similar technology, to securely share documentation among stakeholders to conduct Mergers, Acquisitions and Divestiture (MA&D) activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "medium": "∙ Secure file-sharing platform (e.g., SharePoint, Box) for M&A documentation",
        "large": "∙ Dedicated VDR solution (e.g., Intralinks, Merrill DatasiteOne)\n∙ Access controls and audit logs",
        "enterprise": "∙ Enterprise VDR solution (e.g., Intralinks, Datasite, Ansarada)\n∙ Formal access management\n∙ Audit logging\n∙ NDA and legal controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-EX-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-01",
      "title": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
      "family": "AAT",
      "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
      "scf_question": "Does the organization ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AAT-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of AAT-related risks are in place, transparent and implemented effectively.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI/ML usage policy (approved use cases and prohibited uses)\n∙ NIST AI RMF alignment (https://www.nist.gov/artificial-intelligence)\n∙ Designated AI point of contact or responsible party",
        "small": "∙ AI/ML usage policy with employee guidelines\n∙ NIST AI RMF alignment (https://www.nist.gov/artificial-intelligence)\n∙ AI system inventory tracking approved tools\n∙ Basic AI risk assessment for each deployed AI system",
        "medium": "∙ Formal AI governance program (policies, standards, procedures)\n∙ NIST AI RMF implementation (https://www.nist.gov/artificial-intelligence)\n∙ AI system inventory with risk classification\n∙ EU AI Act readiness assessment (if applicable)",
        "large": "∙ Formal AI governance program with dedicated AI risk function\n∙ NIST AI RMF and ISO/IEC 42001 AI Management System alignment\n∙ AI ethics and trustworthy AI policies\n∙ AI Risk Management Committee",
        "enterprise": "∙ Enterprise AI governance program with board-level oversight\n∙ ISO/IEC 42001 AI Management System certification or alignment\n∙ NIST AI RMF full implementation across all AI systems\n∙ Dedicated Chief AI Officer (CAIO) or AI governance function\n∙ EU AI Act compliance program (if operating in EU)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF2"
        ],
        "general-csa-iot-2": [
          "SAP-10"
        ],
        "general-iso-42001-2023": [
          "4.1",
          "4.2",
          "4.4",
          "5.1",
          "7.4",
          "8.1",
          "8.2",
          "A.2.2",
          "A.4",
          "A.6.2.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-5.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.0",
          "GOVERN 2.1",
          "GOVERN 4.1",
          "MAP 3.5",
          "MAP 5.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.2",
          "GV-1.2-001",
          "GV-1.2-002",
          "GV-1.3-005",
          "GV-1.5-002",
          "GV-1.5-003",
          "GOVERN 1.7",
          "GV-1.7-001",
          "GV-2.1-001",
          "GV-2.1-002",
          "GV-2.1-004",
          "GV-3.2-001",
          "GV-3.2-003",
          "GV-3.2-004",
          "GOVERN 4.1",
          "GV-4.1-001",
          "GV-4.1-002",
          "GV-4.1-003",
          "GV-4.3-002",
          "GOVERN 6.1",
          "GV-6.1-009",
          "GOVERN 6.2",
          "GV-6.2-005",
          "MP-3.4-003",
          "MAP 4.1",
          "MP-4.1-003",
          "MP-4.1-005",
          "MS-2.5-006",
          "MG-2.3-001",
          "MG-4.1-003"
        ],
        "general-shared-assessments-sig-2025": [
          "R.1"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.7.6",
          "6.4",
          "6.4.1",
          "6.4.2"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(c)"
        ]
      }
    },
    {
      "control_id": "AAT-01.1",
      "title": "AI & Autonomous Technologies-Related Legal Requirements Definition",
      "family": "AAT",
      "description": "Mechanisms exist to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AAT-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify, understand, document and manage applicable statutory and regulatory requirements for AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI applicable regulatory requirement tracking (EU AI Act, CCPA, GDPR, state AI laws)\n∙ NIST AI RMF Govern function\n∙ Legal review of AI use cases for compliance",
        "small": "∙ AI legal requirements register covering applicable regulations\n∙ NIST AI RMF Govern function\n∙ Legal and compliance review of AI system deployments",
        "medium": "∙ AI regulatory compliance tracking (EU AI Act, CCPA, applicable sector regulations)\n∙ AI governance program with legal requirements integration\n∙ NIST AI RMF Govern function implementation",
        "large": "∙ AI regulatory compliance program covering EU AI Act, CCPA, NIST AI RMF, sector requirements\n∙ Dedicated AI compliance role or committee\n∙ AI regulatory change monitoring with automated alerts",
        "enterprise": "∙ Enterprise AI legal and regulatory compliance program\n∙ EU AI Act Responsible AI Officer / CAIO designation\n∙ Cross-jurisdictional AI regulatory tracking (EU, US federal/state, APAC)\n∙ External counsel AI regulatory advisory program"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "4.1",
          "4.2",
          "8.1",
          "A.5",
          "A.5.3",
          "A.5.4",
          "A.5.5",
          "A.10.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.9-002"
        ],
        "general-shared-assessments-sig-2025": [
          "R.1.1"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(e)"
        ]
      }
    },
    {
      "control_id": "AAT-01.2",
      "title": "Trustworthy AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AAT-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI trustworthiness assessment for AI tools in use (vendor review, privacy check)\n∙ NIST AI RMF Trustworthiness characteristics reference\n∙ AI governance program",
        "small": "∙ AI system trustworthiness evaluation checklist (reliability, safety, fairness, explainability)\n∙ NIST AI RMF alignment\n∙ Vendor AI security and privacy assessment",
        "medium": "∙ Formal AI trustworthiness evaluation process based on NIST AI RMF\n∙ AI fairness, bias, and explainability assessments\n∙ AI governance program with trustworthiness requirements",
        "large": "∙ AI trustworthiness governance aligned to NIST AI RMF trustworthiness principles\n∙ Independent AI ethics review for high-risk AI systems\n∙ AI transparency and explainability requirements in procurement",
        "enterprise": "∙ Enterprise AI trustworthiness framework (NIST AI RMF, ISO 42001)\n∙ Dedicated AI ethics board or ethics review function\n∙ Third-party AI trustworthiness audits\n∙ Explainability and transparency requirements embedded in AI development lifecycle"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "7.1",
          "A.4",
          "A.6.1.2",
          "A.7"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.2",
          "MEASURE 2.5"
        ],
        "general-shared-assessments-sig-2025": [
          "R.1.1.1"
        ]
      }
    },
    {
      "control_id": "AAT-01.3",
      "title": "AI & Autonomous Technologies Value Sustainment",
      "family": "AAT",
      "description": "Mechanisms exist to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to sustain the value of deployed AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI governance program\n∙ Ongoing AI system performance monitoring (accuracy, drift detection)\n∙ AI system review cadence defined",
        "small": "∙ AI governance program\n∙ Periodic AI system performance reviews\n∙ AI model performance metrics tracked\n∙ NIST AI RMF Map function",
        "medium": "∙ AI governance program with defined review cadence\n∙ AI performance monitoring and model drift detection\n∙ NIST AI RMF Map and Measure functions\n∙ AI value realization tracking",
        "large": "∙ Formal AI value sustainment program\n∙ AI performance monitoring with automated alerting (e.g., Arize AI, WhyLabs)\n∙ Periodic AI model revalidation process\n∙ AI ROI and value tracking integrated with governance",
        "enterprise": "∙ Enterprise AI lifecycle management program\n∙ AI model performance monitoring platform (e.g., Fiddler AI, Arize, AWS SageMaker Model Monitor)\n∙ Continuous AI improvement processes integrated with MLOps\n∙ Board-level AI value and risk reporting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "4.1"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 2.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MANAGE 2.2"
        ],
        "general-shared-assessments-sig-2025": [
          "R.2"
        ]
      }
    },
    {
      "control_id": "AAT-01.4",
      "title": "AI Model & Agent Inventory & Lifecycle Management",
      "family": "AAT",
      "description": "Mechanisms exist to track the lifecycle of all AI models and AI agents, including ownership, intended purpose and status across:\n(1) Development;\n(2) Deployment;\n(3) Updates; and\n(4) Decommissioning.",
      "scf_question": "Does the organization track the lifecycle of all AI models and AI agents, including ownership, intended purpose and status across:\n(1) Development;\n(2) Deployment;\n(3) Updates; and\n(4) Decommissioning?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to track the lifecycle of all AI models and AI agents, including ownership, intended purpose and status across:\n(1) Development;\n(2) Deployment;\n(3) Updates; and\n(4) Decommissioning.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Spreadsheet inventory of AI tools/services in use",
        "small": "∙ AI tools inventory with ownership and purpose tracking",
        "medium": "∙ Formal AI asset inventory\n∙ Lifecycle tracking procedure\n∙ Regular review cadence",
        "large": "∙ AI governance program with lifecycle management\n∙ Asset management system integration",
        "enterprise": "∙ Enterprise AI lifecycle management platform\n∙ MLOps tooling (e.g., MLflow, AWS SageMaker)\n∙ Automated model registry\n∙ Decommissioning procedures"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-02",
      "title": "Situational Awareness of AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party).",
      "scf_question": "Does the organization develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop and maintain an inventory of AAT (internal and third-party).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI system inventory (spreadsheet listing all AI tools in use)\n∙ AI governance program\n∙ Employee AI usage disclosure process",
        "small": "∙ AI system inventory with risk classification\n∙ AI governance program\n∙ AI use monitoring policy and procedure",
        "medium": "∙ Formal AI system inventory and registry\n∙ AI governance program\n∙ NIST AI RMF Map function implementation\n∙ AI shadow use detection and disclosure process",
        "large": "∙ AI system registry integrated with IT asset management\n∙ AI governance program with situational awareness capability\n∙ AI risk monitoring and anomaly detection\n∙ NIST AI RMF Map and Govern functions",
        "enterprise": "∙ Enterprise AI system registry with real-time inventory\n∙ AI governance platform with situational awareness dashboard\n∙ Automated AI discovery and shadow AI detection\n∙ NIST AI RMF full implementation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "8.2",
          "A.4.4",
          "A.4.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-5.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.6"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.6",
          "GV-1.6-001",
          "GV-1.6-002",
          "MANAGE 3.1"
        ],
        "general-shared-assessments-sig-2025": [
          "R.5"
        ]
      }
    },
    {
      "control_id": "AAT-02.1",
      "title": "AI & Autonomous Technologies Risk Mapping",
      "family": "AAT",
      "description": "Mechanisms exist to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements.",
      "scf_question": "Does the organization identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify AAT in use and map those components to potential legal risks, including statutory and regulatory compliance requirements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic AI risk assessment (documented risks per AI tool)\n∙ AI governance program\n∙ NIST AI RMF Map function reference",
        "small": "∙ AI risk assessment for each deployed AI system\n∙ AI governance program\n∙ NIST AI RMF Map function implementation",
        "medium": "∙ Formal AI risk mapping process aligned to NIST AI RMF\n∙ AI risk register maintained in GRC platform\n∙ MITRE ATLAS framework reference for adversarial AI risks",
        "large": "∙ Enterprise AI risk mapping integrated with organizational risk register\n∙ NIST AI RMF Map function with quantified risk scores\n∙ MITRE ATLAS framework integration\n∙ AI risk dashboards for management reporting",
        "enterprise": "∙ Enterprise AI risk mapping program integrated with GRC and ERM\n∙ NIST AI RMF Map function at enterprise scale\n∙ Automated AI risk scoring and continuous monitoring\n∙ MITRE ATLAS-based adversarial AI risk scenarios"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "6.1.1",
          "8.2",
          "A.5.3",
          "A.5.4",
          "A.5.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-5.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 4.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-005",
          "GV-4.1-002",
          "GV-4.2-002",
          "MP-1.1-004",
          "MAP 4.1"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.1"
        ]
      }
    },
    {
      "control_id": "AAT-02.2",
      "title": "AI & Autonomous Technologies Internal Controls",
      "family": "AAT",
      "description": "Mechanisms exist to identify and document internal security, compliance and resilience for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization identify and document internal security, compliance and resilience for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document internal security, compliance and resilience for AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic AI usage controls (acceptable use policy, access restrictions)\n∙ AI governance program",
        "small": "∙ AI internal controls aligned to AI governance policy\n∙ Access controls for AI systems and models\n∙ AI governance program",
        "medium": "∙ Formal AI internal controls program\n∙ AI access controls and role-based permissions\n∙ AI output review and human oversight requirements\n∙ NIST AI RMF Manage function",
        "large": "∙ Enterprise AI internal controls aligned to NIST AI RMF Manage function\n∙ AI-specific access controls integrated with IAM\n∙ Human-in-the-loop requirements for high-risk AI decisions\n∙ AI audit trails and logging",
        "enterprise": "∙ Enterprise AI controls framework (NIST AI RMF, ISO 42001)\n∙ AI controls integrated with GRC platform\n∙ Automated AI control testing and monitoring\n∙ AI explainability and audit trail requirements\n∙ Independent AI controls assessment program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "5.1",
          "8.1",
          "A.6.2.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 4.2"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(e)"
        ]
      }
    },
    {
      "control_id": "AAT-02.3",
      "title": "Adequate Protections For AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include reasonable security, compliance and resilience protections that are commensurate with assessed risks and threats.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include reasonable security, compliance and resilience protections that are commensurate with assessed risks and threats?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AAT include reasonable security, compliance and resilience protections that are commensurate with assessed risks and threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Contractual security requirements in AI vendor agreements",
        "small": "∙ Security assessment of AI tools before adoption\n∙ Vendor security questionnaires",
        "medium": "∙ AI security requirements checklist\n∙ Third-party risk assessment for AI vendors",
        "large": "∙ Formal AI security standards\n∙ Security review in AI procurement process\n∙ Ongoing vendor monitoring",
        "enterprise": "∙ Enterprise AI security requirements framework\n∙ Automated TPRM platform\n∙ Continuous AI vendor monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MG-3.1-001"
        ],
        "emea-eu-ai-act-2024": [
          "Article 55.1(d)",
          "Article 55.2"
        ]
      }
    },
    {
      "control_id": "AAT-02.4",
      "title": "AI Threat Modeling & Risk Assessment",
      "family": "AAT",
      "description": "Mechanisms exist to conduct Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific threat modeling and risk assessments to address the following criteria across the lifecycle of the AAT:\n(1) Attack surfaces;\n(2) Adversarial threats; and\n(3) Abuse / misuse scenarios.",
      "scf_question": "Does the organization conduct Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific threat modeling and risk assessments to address the following criteria across the lifecycle of the AAT:\n(1) Attack surfaces;\n(2) Adversarial threats; and\n(3) Abuse / misuse scenarios?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct AAT-specific threat modeling and risk assessments to address the following criteria across the lifecycle of the AAT:\n(1) Attack surfaces;\n(2) Adversarial threats; and\n(3) Abuse / misuse scenarios.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic threat assessment before deploying AI tools",
        "small": "∙ AI threat assessment checklist\n∙ Document identified risks before deployment",
        "medium": "∙ Formal AI threat modeling process\n∙ STRIDE or similar methodology applied to AI systems",
        "large": "∙ AI-specific threat modeling program\n∙ Risk assessment integrated into AI development lifecycle",
        "enterprise": "∙ Enterprise AI threat modeling framework\n∙ Automated risk scoring for AI deployments\n∙ Red team exercises for AI systems\n∙ AI risk register"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "OR-5.0"
        ]
      }
    },
    {
      "control_id": "AAT-03",
      "title": "AI & Autonomous Technologies Context Definition",
      "family": "AAT",
      "description": "Mechanisms exist to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:\n(1) Intended purposes;\n(2) Potentially beneficial uses;\n(3) Context-specific laws and regulations;\n(4) Norms and expectations; and\n(5) Prospective settings in which the system(s) will be deployed.",
      "scf_question": "Does the organization establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:\n (1) Intended purposes;\n (2) Potentially beneficial uses;\n (3) Context-specific laws and regulations;\n (4) Norms and expectations; and\n (5) Prospective settings in which the system(s) will be deployed?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish and document the context surrounding AAT, including:\n(1) Intended purposes;\n(2) Potentially beneficial uses;\n(3) Context-specific laws and regulations;\n(4) Norms and expectations; and\n(5) Prospective settings in which the system(s) will be deployed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI use case documentation (purpose, data used, decisions made)\n∙ AI governance program",
        "small": "∙ AI context documentation for each deployed system\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "medium": "∙ Formal AI context definition process (intended use, users, environment)\n∙ NIST AI RMF Map function - context characterization\n∙ AI governance program",
        "large": "∙ Formal AI context definition integrated with AI governance program\n∙ NIST AI RMF Map function - full context characterization\n∙ AI use case registry with context documentation",
        "enterprise": "∙ Enterprise AI context definition framework\n∙ NIST AI RMF Map function at enterprise scale\n∙ AI context documentation integrated with AI system registry\n∙ Regulatory context considerations (EU AI Act risk classification)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "4.1",
          "A.10.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.0",
          "MAP 1.1",
          "MAP 1.4",
          "MAP 3.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MAP 1.1",
          "MP-1.1-001",
          "MP-1.1-002"
        ],
        "general-shared-assessments-sig-2025": [
          "R.1"
        ],
        "emea-eu-ai-act-2024": [
          "Article 8.1"
        ]
      }
    },
    {
      "control_id": "AAT-03.1",
      "title": "AI & Autonomous Technologies Mission and Goals Definition",
      "family": "AAT",
      "description": "Mechanisms exist to define and document the organization's mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization define and document its mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define and document the organization's mission and defined goals for AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI mission and goals documentation aligned to organizational objectives\n∙ AI governance program",
        "small": "∙ Documented AI mission and goals for each AI system\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "medium": "∙ Formal AI mission and goals definition process\n∙ AI governance program\n∙ NIST AI RMF Map function - organizational mission integration",
        "large": "∙ Enterprise AI mission and goals framework aligned to organizational strategy\n∙ NIST AI RMF Map function\n∙ AI use case approval process with mission alignment review",
        "enterprise": "∙ Enterprise AI strategy and mission framework\n∙ NIST AI RMF Map function at enterprise scale\n∙ Board-approved AI mission and goals aligned to organizational strategy\n∙ AI mission reviewed periodically with regulatory alignment check"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "4.1",
          "4.2",
          "A.6.2.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.3",
          "MAP 1.4",
          "MAP 3.0"
        ],
        "general-shared-assessments-sig-2025": [
          "R.2.1"
        ]
      }
    },
    {
      "control_id": "AAT-03.2",
      "title": "Model & AI Agent Documentation",
      "family": "AAT",
      "description": "Mechanisms exist to create, maintain and provide access to documentation artifacts for AI models and agents, including:\n(1) Data lineage;\n(2) Intended use; and \n(3) Limitations.",
      "scf_question": "Does the organization create, maintain and provide access to documentation artifacts for AI models and agents, including:\n(1) Data lineage;\n(2) Intended use; and \n(3) Limitations?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to create, maintain and provide access to documentation artifacts for AI models and agents, including:\n(1) Data lineage;\n(2) Intended use; and \n(3) Limitations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document intended use and limitations of AI tools used",
        "small": "∙ AI model documentation template\n∙ Record data sources and intended use",
        "medium": "∙ Formal AI model documentation policy\n∙ Data lineage tracking\n∙ Model cards for deployed models",
        "large": "∙ Model documentation repository\n∙ Standardized model cards\n∙ Data lineage tools",
        "enterprise": "∙ Enterprise model documentation platform\n∙ MLOps documentation automation\n∙ Data catalog integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-04",
      "title": "AI & Autonomous Technologies Business Case",
      "family": "AAT",
      "description": "Mechanisms exist to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AAT-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to benchmark capabilities, targeted usage, goals and expected benefits and costs of AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI business case documentation (costs, benefits, risks)\n∙ AI governance program",
        "small": "∙ Formal AI business case process\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "medium": "∙ Formal AI business case with risk-benefit analysis\n∙ AI governance program\n∙ NIST AI RMF Map function\n∙ AI procurement review process",
        "large": "∙ AI business case framework with risk, cost, and benefit analysis\n∙ Executive review and approval of AI business cases\n∙ NIST AI RMF Map function",
        "enterprise": "∙ Enterprise AI business case and portfolio management\n∙ Board-level AI investment review and approval\n∙ NIST AI RMF Map function at enterprise scale\n∙ AI ROI tracking and reporting"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "5.1",
          "6.2",
          "6.2(a)",
          "6.2(b)",
          "6.2(c)",
          "6.2(d)",
          "6.2(e)",
          "6.2(f)",
          "6.2(g)",
          "A.6.2.3",
          "A.9",
          "A.9.2",
          "A.9.3",
          "A.9.4",
          "A.10.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.1",
          "MAP 3.0",
          "MAP 3.1",
          "MAP 3.2"
        ]
      }
    },
    {
      "control_id": "AAT-04.1",
      "title": "AI & Autonomous Technologies Potential Benefits Analysis",
      "family": "AAT",
      "description": "Mechanisms exist to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 2,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assess the potential benefits of proposed AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI benefits documentation (accuracy improvements, efficiency gains, cost savings)\n∙ AI governance program",
        "small": "∙ Formal AI benefits analysis for each deployed system\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "medium": "∙ Quantified AI benefits analysis (ROI, efficiency, accuracy)\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "large": "∙ Structured AI benefits analysis integrated with business case process\n∙ AI KPI tracking for benefits realization\n∙ NIST AI RMF Map function",
        "enterprise": "∙ Enterprise AI benefits realization framework\n∙ AI ROI and value tracking integrated with GRC\n∙ Board-level AI value reporting\n∙ NIST AI RMF Map function at scale"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MAP 3.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.9-002"
        ]
      }
    },
    {
      "control_id": "AAT-04.2",
      "title": "AI & Autonomous Technologies Potential Costs Analysis",
      "family": "AAT",
      "description": "Mechanisms exist to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness.",
      "scf_question": "Does the organization assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness?",
      "relative_weight": 2,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assess potential costs, including non-monetary costs, resulting from expected or realized AAT-related errors or system functionality and trustworthiness.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI cost analysis (licensing, compute, maintenance, training data)\n∙ AI governance program",
        "small": "∙ Formal AI cost analysis for each system\n∙ AI governance program\n∙ Total cost of ownership (TCO) assessment",
        "medium": "∙ Quantified AI cost analysis including operational and hidden costs\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "large": "∙ Structured AI cost analysis integrated with financial planning\n∙ AI FinOps practices for cloud-based AI workloads\n∙ NIST AI RMF Map function",
        "enterprise": "∙ Enterprise AI cost management program\n∙ AI FinOps and cloud cost optimization (e.g., AWS Cost Explorer, Azure Cost Management)\n∙ Board-level AI investment and cost reporting\n∙ NIST AI RMF Map function at scale"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.5.3",
          "A.5.4",
          "A.5.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 3.2"
        ],
        "general-shared-assessments-sig-2025": [
          "R.4.1"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.2(b)"
        ]
      }
    },
    {
      "control_id": "AAT-04.3",
      "title": "AI & Autonomous Technologies Targeted Application Scope",
      "family": "AAT",
      "description": "Mechanisms exist to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to specify and document the targeted application scope of the proposed use and operation of AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI scope definition (systems, use cases, data in scope)\n∙ AI governance program",
        "small": "∙ Documented AI application scope for each system\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "medium": "∙ Formal AI application scope definition process\n∙ AI governance program\n∙ NIST AI RMF Map function\n∙ Scoping aligned to regulatory requirements",
        "large": "∙ Enterprise AI application scope management\n∙ NIST AI RMF Map function\n∙ AI scope reviews for regulatory compliance (EU AI Act, CCPA)",
        "enterprise": "∙ Enterprise AI application scope and portfolio management\n∙ NIST AI RMF Map function at enterprise scale\n∙ Regulatory scope mapping (EU AI Act risk tiers, sector-specific requirements)\n∙ Board-approved AI scope definitions"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "4.3",
          "9.2.2(a)",
          "A.4.4",
          "A.4.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 3.3"
        ]
      }
    },
    {
      "control_id": "AAT-04.4",
      "title": "AI & Autonomous Technologies Cost / Benefit Mapping",
      "family": "AAT",
      "description": "Mechanisms exist to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data.",
      "scf_question": "Does the organization map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data?",
      "relative_weight": 2,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to map risks and benefits for all components of AAT, including third-party software and data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI cost/benefit mapping (simple comparison document)\n∙ AI governance program",
        "small": "∙ Formal AI cost/benefit mapping for each system\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "medium": "∙ Structured AI cost/benefit mapping with risk overlay\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "large": "∙ Enterprise AI cost/benefit mapping integrated with risk and business case\n∙ NIST AI RMF Map function\n∙ AI portfolio cost/benefit reporting",
        "enterprise": "∙ Enterprise AI cost/benefit framework integrated with GRC and ERM\n∙ NIST AI RMF Map function at enterprise scale\n∙ Board-level AI portfolio cost/benefit analysis\n∙ Quantitative AI risk-adjusted ROI analysis"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MAP 4.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MANAGE 3.1"
        ]
      }
    },
    {
      "control_id": "AAT-05",
      "title": "AI & Autonomous Technologies Training",
      "family": "AAT",
      "description": "Mechanisms exist to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure personnel and external stakeholders are provided with position-specific risk management training for AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee AI awareness training (acceptable use, risks, bias awareness)\n∙ NIST AI RMF awareness resources (https://www.nist.gov/artificial-intelligence)\n∙ AI governance program",
        "small": "∙ AI training for relevant staff (developers, data scientists, decision-makers)\n∙ AI risk awareness training for all employees\n∙ AI governance program",
        "medium": "∙ Role-based AI training program (technical staff, managers, executives)\n∙ AI ethics and responsible AI training\n∙ NIST AI RMF implementation training\n∙ AI governance program",
        "large": "∙ Formal AI training curriculum by role (developers, operators, executives)\n∙ AI ethics, bias, and safety training\n∙ AI incident response training\n∙ Ongoing AI risk management education program",
        "enterprise": "∙ Enterprise AI learning and development program\n∙ CAIO-led AI training strategy\n∙ Mandatory AI risk training for all staff interacting with AI systems\n∙ AI safety and responsible AI certification programs\n∙ Continuous AI skills development with updated curriculum"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "7.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-2.1-003",
          "MS-3.3-004"
        ]
      }
    },
    {
      "control_id": "AAT-06",
      "title": "AI & Autonomous Technologies Fairness & Bias",
      "family": "AAT",
      "description": "Mechanisms exist to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, disability or any other politically-charged identifier.",
      "scf_question": "Does the organization prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, disability or any other politically-charged identifier?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent AAT from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, disability or any other politically-charged identifier.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic AI bias review before deploying AI tools (vendor documentation review)\n∙ AI governance program\n∙ NIST AI RMF fairness resources",
        "small": "∙ AI bias and fairness assessment for AI systems in use\n∙ Vendor AI fairness and non-discrimination documentation review\n∙ AI governance program",
        "medium": "∙ Formal AI fairness and bias testing process\n∙ Diverse training data requirements in AI procurement\n∙ NIST AI RMF fairness and bias guidance implementation\n∙ AI governance program",
        "large": "∙ AI fairness testing integrated into AI development and procurement lifecycle\n∙ Statistical bias testing tools (e.g., IBM AI Fairness 360, What-If Tool, Fairlearn)\n∙ Documented AI fairness policies and standards\n∙ Independent fairness review for high-risk AI applications",
        "enterprise": "∙ Enterprise AI fairness governance program\n∙ Automated bias detection in AI pipelines (e.g., IBM AI Fairness 360, Fairlearn, AWS Clarify)\n∙ AI fairness audits by independent third parties\n∙ AI disparate impact analysis tied to regulatory compliance (ECOA, FCRA, etc.)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "GOVERN 3.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.2-001",
          "MS-2.11-001",
          "MS-3.3-003"
        ],
        "general-shared-assessments-sig-2025": [
          "R.4.1"
        ]
      }
    },
    {
      "control_id": "AAT-07",
      "title": "AI & Autonomous Technologies Risk Management Decisions",
      "family": "AAT",
      "description": "Mechanisms exist to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.",
      "scf_question": "Does the organization leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AAT-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing AAT-related risks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI risk management decisions documented (accept, mitigate, avoid, transfer)\n∙ AI governance program\n∙ NIST AI RMF Manage function",
        "small": "∙ Formal AI risk management decision process\n∙ AI governance program\n∙ NIST AI RMF Manage function",
        "medium": "∙ Structured AI risk management decisions aligned to NIST AI RMF Manage function\n∙ AI risk register with decision audit trail\n∙ AI governance program",
        "large": "∙ Enterprise AI risk management decision framework\n∙ NIST AI RMF Manage function\n∙ Executive AI risk acceptance and treatment decisions documented\n∙ AI risk decisions integrated with GRC platform",
        "enterprise": "∙ Enterprise AI risk management governance (NIST AI RMF, ISO 42001)\n∙ Board-level AI risk acceptance and treatment decisions\n∙ AI risk decisions integrated with ERM and GRC platforms\n∙ NIST AI RMF Manage function at enterprise scale"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "6.1.1",
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(b)",
          "6.1.2(c)",
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)",
          "6.1.3",
          "6.1.3(a)",
          "6.1.3(b)",
          "6.1.3(c)",
          "6.1.3(d)",
          "6.1.3(e)",
          "6.1.3(f)",
          "6.1.3(g)",
          "6.1.4",
          "8.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 3.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.4",
          "MP-1.1-003",
          "MAP 1.2",
          "MP-1.2-001",
          "MP-5.1-002",
          "MEASURE 1.1",
          "MS-2.8-001",
          "MS-2.11-003",
          "MEASURE 3.2",
          "MS-3.2-001",
          "MANAGE 1.3"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.2(a)"
        ]
      }
    },
    {
      "control_id": "AAT-07.1",
      "title": "AI & Autonomous Technologies Impact Assessment",
      "family": "AAT",
      "description": "Mechanisms exist to assess the impact(s) of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society (e.g., Fundamental Rights Impact Assessment (FRIA)).",
      "scf_question": "Does the organization assess the impact(s) of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society (e.g., Fundamental Rights Impact Assessment (FRIA))?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AAT-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assess the impact(s) of proposed AAT on individuals, groups, communities, organizations and society (e.g., Fundamental Rights Impact Assessment (FRIA)).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic AI impact assessment (documented impact on people, processes, decisions)\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "small": "∙ Formal AI impact assessment for each deployed system\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "medium": "∙ AI impact assessment process aligned to NIST AI RMF\n∙ AI governance program\n∙ Algorithmic Impact Assessment (AIA) for higher-risk systems",
        "large": "∙ Formal AI impact assessment program with independent review for high-risk systems\n∙ NIST AI RMF Map function\n∙ Algorithmic Impact Assessment (AIA) process\n∙ EU AI Act conformity assessment requirements (if applicable)",
        "enterprise": "∙ Enterprise AI impact assessment framework (NIST AI RMF, EU AI Act)\n∙ Third-party conformity assessments for high-risk AI (EU AI Act Article 43)\n∙ Algorithmic Impact Assessment (AIA) program\n∙ Board-level AI impact reporting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "8.4",
          "A.5.3",
          "A.5.4",
          "A.5.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 5.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-4.2-003",
          "MAP 5.1",
          "MP-5.2-001",
          "MP-5.2-002",
          "MS-1.3-002",
          "MS-3.3-001"
        ],
        "emea-eu-ai-act-2024": [
          "Article 27.2",
          "Article 27.4"
        ]
      }
    },
    {
      "control_id": "AAT-07.2",
      "title": "AI & Autonomous Technologies Likelihood & Impact Risk Analysis",
      "family": "AAT",
      "description": "Mechanisms exist to define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts.",
      "scf_question": "Does the organization define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AAT-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define the potential likelihood and impact of each identified risk based on expected use and past uses of AAT in similar contexts.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic AI likelihood and impact risk analysis (qualitative)\n∙ AI governance program\n∙ NIST AI RMF Measure function",
        "small": "∙ AI likelihood and impact risk analysis for each system\n∙ AI governance program\n∙ NIST AI RMF Measure function",
        "medium": "∙ Structured AI likelihood and impact risk analysis\n∙ AI risk scoring aligned to NIST AI RMF Measure function\n∙ AI governance program",
        "large": "∙ Quantitative/qualitative AI risk analysis (likelihood x impact)\n∙ NIST AI RMF Measure function\n∙ AI risk scoring integrated with organizational risk register",
        "enterprise": "∙ Enterprise AI risk quantification (NIST AI RMF Measure function, FAIR methodology)\n∙ Automated AI risk scoring and monitoring\n∙ Board-level AI risk reporting with likelihood and impact metrics"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(b)",
          "6.1.2(c)",
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)",
          "8.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 5.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-4.1-002",
          "GOVERN 4.2",
          "GV-5.1-002",
          "MP-1.1-002",
          "MP-4.1-008",
          "MAP 5.1",
          "MP-5.1-002",
          "MP-5.1-006",
          "MP-5.2-001"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.9"
        ]
      }
    },
    {
      "control_id": "AAT-07.3",
      "title": "AI & Autonomous Technologies Continuous Improvements",
      "family": "AAT",
      "description": "Mechanisms exist to continuously improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities to maximize benefits and minimize negative impacts associated with AAT.",
      "scf_question": "Does the organization continuously improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities to maximize benefits and minimize negative impacts associated with AAT?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to continuously improve AAT capabilities to maximize benefits and minimize negative impacts associated with AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ AI improvement tracking (document lessons learned and updates)\n∙ AI governance program\n∙ NIST AI RMF Govern function",
        "small": "∙ Formal AI continuous improvement process\n∙ AI governance program\n∙ NIST AI RMF Govern function",
        "medium": "∙ AI continuous improvement program aligned to NIST AI RMF\n∙ AI performance monitoring with improvement triggers\n∙ AI governance program",
        "large": "∙ Enterprise AI continuous improvement program\n∙ AI performance monitoring platform (e.g., Arize AI, WhyLabs)\n∙ NIST AI RMF Govern and Improve functions\n∙ AI lessons learned integration",
        "enterprise": "∙ Enterprise AI continuous improvement and MLOps program\n∙ AI model retraining and improvement pipelines\n∙ NIST AI RMF full implementation with continuous improvement loop\n∙ Board-level AI improvement reporting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "5.2(d)",
          "9.3.2(e)",
          "10.1",
          "A.3.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 2.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MANAGE 4.2",
          "MG-4.2-001"
        ]
      }
    },
    {
      "control_id": "AAT-08",
      "title": "Assigned Responsibilities for AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to define and differentiate roles and responsibilities for:\n(1) Artificial Intelligence (AI) and Autonomous Technologies (AAT) configurations; and\n(2) Oversight of AAT systems.",
      "scf_question": "Does the organization define and differentiate roles and responsibilities for:\n(1) Artificial Intelligence (AI) and Autonomous Technologies (AAT) configurations; and\n(2) Oversight of AAT systems?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define and differentiate roles and responsibilities for:\n(1) AAT configurations; and\n(2) Oversight of AAT systems.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Designated AI responsible party or owner\n∙ AI governance program\n∙ NIST AI RMF Govern function",
        "small": "∙ Assigned AI responsibilities for each system (owner, developer, operator)\n∙ AI governance program\n∙ NIST AI RMF Govern function",
        "medium": "∙ Formal AI responsibility assignment (RACI for AI systems)\n∙ AI governance program\n∙ NIST AI RMF Govern function\n∙ AI operator and developer responsibilities defined",
        "large": "∙ Enterprise AI responsibility framework\n∙ Dedicated AI Risk Officer or AI governance role\n∙ NIST AI RMF Govern function\n∙ AI responsibilities integrated with HR and accountability frameworks",
        "enterprise": "∙ Enterprise AI responsibility and accountability framework\n∙ Chief AI Officer (CAIO) with defined authority\n∙ NIST AI RMF Govern function at enterprise scale\n∙ EU AI Act operator/deployer obligations addressed (if applicable)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "5.3",
          "5.3(a)",
          "5.3(b)",
          "A.3.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.1",
          "GOVERN 3.2",
          "MAP 1.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.5",
          "GV-1.5-001",
          "GOVERN 2.1",
          "GV-2.1-001",
          "GV-2.1-002",
          "GOVERN 3.2",
          "MP-3.4-005"
        ],
        "general-shared-assessments-sig-2025": [
          "R.10"
        ]
      }
    },
    {
      "control_id": "AAT-09",
      "title": "AI & Autonomous Technologies Risk Profiling",
      "family": "AAT",
      "description": "Mechanisms exist to document the risks and potential impacts of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that are:\n(1) Designed;\n(2) Developed;\n(3) Deployed;\n(4) Evaluated; and/or\n(5) Used.",
      "scf_question": "Does the organization document the risks and potential impacts of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that are:\n(1) Designed;\n(2) Developed;\n(3) Deployed;\n(4) Evaluated; and/or\n(5) Used?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document the risks and potential impacts of AAT that are:\n(1) Designed;\n(2) Developed;\n(3) Deployed;\n(4) Evaluated; and/or\n(5) Used.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic AI risk profile (document risk level per AI tool: low/medium/high)\n∙ AI governance program\n∙ NIST AI RMF Map function",
        "small": "∙ Formal AI risk profiling for each deployed system\n∙ AI governance program\n∙ NIST AI RMF Map function\n∙ EU AI Act risk tier classification (if applicable)",
        "medium": "∙ Structured AI risk profiling aligned to NIST AI RMF and EU AI Act tiers\n∙ AI risk register with risk profiles\n∙ AI governance program",
        "large": "∙ Enterprise AI risk profiling program\n∙ NIST AI RMF Map function\n∙ EU AI Act risk tier classification (prohibited, high-risk, limited, minimal)\n∙ AI risk profiles integrated with GRC platform",
        "enterprise": "∙ Enterprise AI risk profiling framework (NIST AI RMF, EU AI Act, sector regulations)\n∙ Automated AI risk profile scoring and monitoring\n∙ AI risk profiles integrated with ERM and GRC\n∙ Board-level AI risk portfolio reporting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "6.1.1",
          "6.1.2",
          "6.1.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 4.2",
          "GV-4.2-002",
          "GV-6.2-005",
          "MP-1.1-003",
          "MP-1.1-004",
          "MANAGE 1.3"
        ],
        "general-shared-assessments-sig-2025": [
          "R.14"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.2(a)",
          "Article 9.2(b)",
          "Article 13.1",
          "Article 17.1(g)"
        ]
      }
    },
    {
      "control_id": "AAT-09.1",
      "title": "AI & Autonomous Technologies High Risk Designations",
      "family": "AAT",
      "description": "Mechanisms exist to designate Artificial Intelligence (AI) and Autonomous Technologies (AAT) \"High Risk\" if one(1), or more, of the following criteria are met:\n(1) AAT is used as a safety component of a product or service;\n(2) AAT poses a significant risk of harm to an individual's health, safety or fundamental rights; and/or\n(3) AAT materially influences the outcome of an individual's decision making.",
      "scf_question": "Does the organization designate Artificial Intelligence (AI) and Autonomous Technologies (AAT) \"High Risk\" if one(1), or more, of the following criteria are met:\n(1) AAT is used as a safety component of a product or service;\n(2) AAT poses a significant risk of harm to an individual's health, safety or fundamental rights; and/or\n(3) AAT materially influences the outcome of an individual's decision making?",
      "relative_weight": 7,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to designate AAT \"High Risk\" if one(1), or more, of the following criteria are met:\n(1) AAT is used as a safety component of a product or service;\n(2) AAT poses a significant risk of harm to an individual's health, safety or fundamental rights; and/or\n(3) AAT materially influences the outcome of an individual's decision making.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document criteria for high-risk AI use and review before deployment",
        "small": "∙ AI risk classification checklist with high-risk criteria",
        "medium": "∙ Formal AI risk classification policy\n∙ High-risk designation process",
        "large": "∙ AI risk management framework with formal high-risk designation process\n∙ Risk committee review",
        "enterprise": "∙ Enterprise AI risk classification framework\n∙ Automated risk scoring\n∙ Legal/compliance review for high-risk AI\n∙ Regulatory compliance mapping (e.g., EU AI Act)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "GV-2.1-004"
        ],
        "emea-eu-ai-act-2024": [
          "Article 6.1",
          "Article 6.1(a)",
          "Article 6.3",
          "Article 13.1",
          "Article 51.1",
          "Article 51.1(a)",
          "Article 51.2"
        ]
      }
    },
    {
      "control_id": "AAT-10",
      "title": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)",
      "family": "AAT",
      "description": "Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related security, resilience and compliance-related conformity testing throughout the lifecycle of the AAT.",
      "scf_question": "Does the organization implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related security, resilience and compliance-related conformity testing throughout the lifecycle of the AAT?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AAT-07",
        "E-IAO-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable AAT-related security, resilience and compliance-related conformity testing throughout the lifecycle of the AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ AI TEVV checklist for AI tools (test accuracy, validate outputs, verify security)\n∙ AI governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Formal AI TEVV process for AI systems\n∙ AI governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Formal AI TEVV framework aligned to NIST AI RMF Measure function\n∙ AI testing tools (e.g., IBM OpenScale, Great Expectations)\n∙ AI governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Enterprise AI TEVV program\n∙ NIST AI RMF Measure function\n∙ Third-party AI testing for high-risk systems\n∙ AI testing integrated with CI/CD pipelines",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Enterprise AI TEVV program (NIST AI RMF Measure function)\n∙ Independent AI testing and evaluation for high-risk systems\n∙ AI TEVV integrated with MLOps and CI/CD\n∙ EU AI Act conformity assessment (if applicable)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "9.1",
          "A.6.1.3",
          "A.6.2.3",
          "A.6.2.4",
          "A.6.2.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.3",
          "MEASURE 2.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-003",
          "GV-1.5-003",
          "GOVERN 4.3",
          "GV-4.3-003",
          "GOVERN 6.2",
          "MAP 2.3",
          "MP-2.3-005",
          "MP-4.1-007",
          "MP-4.1-008",
          "MP-5.1-001",
          "MS-1.3-002",
          "MS-2.6-003",
          "MEASURE 2.9",
          "MS-2.9-002",
          "MEASURE 2.13",
          "MS-4.2-001",
          "MG-2.2-007",
          "MG-3.1-002",
          "MG-4.1-003"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.6",
          "Article 11.1",
          "Article 16(f)",
          "Article 17.1(b)",
          "Article 17.1(d)",
          "Article 23.1",
          "Article 23.1(a)",
          "Article 27.1",
          "Article 27.1(a)",
          "Article 27.1(b)",
          "Article 27.1(c)",
          "Article 27.1(d)",
          "Article 27.1(e)",
          "Article 27.1(f)",
          "Article 27.2",
          "Article 55.1(a)",
          "Article 55.1(b)",
          "Article 60.1",
          "Article 60.2",
          "Article 60.3",
          "Article 60.4(a)",
          "Article 60.4(b)",
          "Article 60.4(c)",
          "Article 60.4(d)",
          "Article 60.4(e)",
          "Article 60.4(f)",
          "Article 60.4(g)",
          "Article 60.4(h)",
          "Article 60.4(i)",
          "Article 60.4(j)",
          "Article 60.4(k)"
        ]
      }
    },
    {
      "control_id": "AAT-10.1",
      "title": "AI TEVV Trustworthiness Assessment",
      "family": "AAT",
      "description": "Mechanisms exist to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT) for trustworthy behavior and operation including security, anonymization and disaggregation of captured and stored data for approved purposes.",
      "scf_question": "Does the organization evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT) for trustworthy behavior and operation including security, anonymization and disaggregation of captured and stored data for approved purposes?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate AAT for trustworthy behavior and operation including security, anonymization and disaggregation of captured and stored data for approved purposes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Controls Validation Testing (CVT)\n∙ AI trustworthiness checklist (accuracy, reliability, explainability)\n∙ AI governance program",
        "small": "∙ Controls Validation Testing (CVT)\n∙ Formal AI trustworthiness assessment\n∙ AI governance program",
        "medium": "∙ Controls Validation Testing (CVT)\n∙ Structured AI trustworthiness assessment (NIST AI RMF trustworthiness dimensions)\n∙ AI governance program",
        "large": "∙ Controls Validation Testing (CVT)\n∙ Formal AI trustworthiness assessment with independent review\n∙ NIST AI RMF trustworthiness dimensions (accurate, explainable, interpretable, etc.)\n∙ AI governance program",
        "enterprise": "∙ Controls Validation Testing (CVT)\n∙ Enterprise AI trustworthiness assessment program\n∙ Third-party AI trustworthiness audits\n∙ NIST AI RMF trustworthiness dimensions at enterprise scale\n∙ EU AI Act transparency and accuracy requirements"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "9.2.1",
          "9.2.1(a)",
          "9.2.1(a)(1)",
          "9.2.1(a)(2)",
          "9.2.1(b)",
          "A.6.2.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MAP 3.4",
          "MEASURE 4.2",
          "MG-3.1-003",
          "MANAGE 4.1"
        ]
      }
    },
    {
      "control_id": "AAT-10.2",
      "title": "AI TEVV Tools",
      "family": "AAT",
      "description": "Mechanisms exist to document test sets, metrics and details about the tools used during Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices.",
      "scf_question": "Does the organization document test sets, metrics and details about the tools used during Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document test sets, metrics and details about the tools used during Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MAP 2.3",
          "MEASURE 2.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-1.1-003"
        ]
      }
    },
    {
      "control_id": "AAT-10.3",
      "title": "AI TEVV Trustworthiness Demonstration",
      "family": "AAT",
      "description": "Mechanisms exist to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are:\n(1) Valid;\n(2) Reliable; and\n(3) Operate as intended, based on approved designs.",
      "scf_question": "Does the organization demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are:\n(1) Valid;\n(2) Reliable; and\n(3) Operate as intended, based on approved designs?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to demonstrate the AAT to be deployed are:\n(1) Valid;\n(2) Reliable; and\n(3) Operate as intended, based on approved designs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MEASURE 2.5"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.6"
        ]
      }
    },
    {
      "control_id": "AAT-10.4",
      "title": "AI TEVV Safety Demonstration",
      "family": "AAT",
      "description": "Mechanisms exist to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed the organization's risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits.",
      "scf_question": "Does the organization demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed its risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to demonstrate the AAT to be deployed are safe, residual risk does not exceed the organization's risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.6"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-006",
          "MG-1.3-001",
          "MG-2.2-001",
          "MG-3.2-009"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.6"
        ]
      }
    },
    {
      "control_id": "AAT-10.5",
      "title": "AI TEVV Security & Resiliency Assessment",
      "family": "AAT",
      "description": "Mechanisms exist to evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.",
      "scf_question": "Does the organization evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate the security and resilience of AAT to be deployed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.7"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MEASURE 2.7",
          "MS-2.7-001"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.6"
        ]
      }
    },
    {
      "control_id": "AAT-10.6",
      "title": "AI TEVV Transparency & Accountability Assessment",
      "family": "AAT",
      "description": "Mechanisms exist to examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.",
      "scf_question": "Does the organization examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to examine risks associated with transparency and accountability of AAT to be deployed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.8"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MEASURE 2.8",
          "MG-4.1-005"
        ]
      }
    },
    {
      "control_id": "AAT-10.7",
      "title": "AI TEVV Privacy Assessment",
      "family": "AAT",
      "description": "Mechanisms exist to examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.",
      "scf_question": "Does the organization examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to examine the data privacy risk of AAT to be deployed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.10"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MEASURE 2.10"
        ]
      }
    },
    {
      "control_id": "AAT-10.8",
      "title": "AI TEVV Fairness & Bias Assessment",
      "family": "AAT",
      "description": "Mechanisms exist to examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.",
      "scf_question": "Does the organization examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to examine fairness and bias of AAT to be deployed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.11"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-4.1-005",
          "MS-2.2-001",
          "MEASURE 2.11",
          "MS-2.11-001",
          "MS-2.11-002",
          "MS-2.11-004",
          "MS-3.3-005",
          "MG-2.2-004",
          "MG-3.2-003"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.2(f)",
          "Article 10.2(g)",
          "Article 10.4",
          "Article 10.5",
          "Article 10.5(a)"
        ]
      }
    },
    {
      "control_id": "AAT-10.9",
      "title": "AI & Autonomous Technologies Model Validation",
      "family": "AAT",
      "description": "Mechanisms exist to validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model.",
      "scf_question": "Does the organization validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to validate the AAT model.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.6.2.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.5",
          "MEASURE 2.9"
        ]
      }
    },
    {
      "control_id": "AAT-10.10",
      "title": "AI TEVV Results Evaluation",
      "family": "AAT",
      "description": "Mechanisms exist to evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.13",
          "MANAGE 1.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.6-003"
        ]
      }
    },
    {
      "control_id": "AAT-10.11",
      "title": "AI TEVV Effectiveness",
      "family": "AAT",
      "description": "Mechanisms exist to evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV).",
      "scf_question": "Does the organization evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.13"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MG-4.1-002"
        ]
      }
    },
    {
      "control_id": "AAT-10.12",
      "title": "AI TEVV Comparable Deployment Settings",
      "family": "AAT",
      "description": "Mechanisms exist to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings.",
      "scf_question": "Does the organization evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate AAT-related performance or the assurance criteria demonstrated for conditions similar to deployment settings.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.3"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.7",
          "Article 10.3"
        ]
      }
    },
    {
      "control_id": "AAT-10.13",
      "title": "AI TEVV Post-Deployment Monitoring",
      "family": "AAT",
      "description": "Mechanisms exist to proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to proactively and continuously monitor deployed AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manually-generated metrics\n∙ Quarterly Business Review (QBR)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Manually-generated metrics\n∙ Quarterly Business Review (QBR)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Manually-generated metrics\n∙ Quarterly Business Review (QBR)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Manually-generated metrics\n∙ Quarterly Business Review (QBR)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Manually-generated metrics\n∙ Quarterly Business Review (QBR)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.6.2.6",
          "A.9.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.4",
          "MEASURE 2.6",
          "MANAGE 4.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-2.3-002",
          "MP-4.1-001",
          "MS-1.1-006",
          "MANAGE 3.2",
          "MG-4.1-007"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(h)"
        ]
      }
    },
    {
      "control_id": "AAT-10.14",
      "title": "Updating AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to integrate continual improvements for deployed AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Change management program\n∙ System Development Lifecycle (SDLC) governance / oversight\n∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Change management program\n∙ System Development Lifecycle (SDLC) governance / oversight\n∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Change management program\n∙ System Development Lifecycle (SDLC) governance / oversight\n∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Change management program\n∙ System Development Lifecycle (SDLC) governance / oversight\n∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Change management program\n∙ System Development Lifecycle (SDLC) governance / oversight\n∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "5.2(d)",
          "6.1.1",
          "7.1",
          "9.3.2(e)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 4.2"
        ]
      }
    },
    {
      "control_id": "AAT-10.15",
      "title": "AI TEVV Reporting",
      "family": "AAT",
      "description": "Mechanisms exist to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.",
      "scf_question": "Does the organization report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Report AI testing results to management",
        "small": "∙ Document and communicate AI test results to stakeholders",
        "medium": "∙ Formal AI TEVV reporting process\n∙ Standardized reporting templates",
        "large": "∙ AI TEVV reporting program\n∙ Regular stakeholder briefings\n∙ Findings tracking",
        "enterprise": "∙ Enterprise AI TEVV reporting framework\n∙ Automated test result dashboards\n∙ Board-level AI risk reporting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.3-003"
        ],
        "emea-eu-ai-act-2024": [
          "Article 27.3",
          "Article 60.7",
          "Article 60.8"
        ]
      }
    },
    {
      "control_id": "AAT-10.16",
      "title": "AI TEVV Empirically Validated Methods",
      "family": "AAT",
      "description": "Mechanisms exist to evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using empirically validated methods.",
      "scf_question": "Does the organization evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using empirically validated methods?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate claims of AAT model capabilities using empirically validated methods.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Verify AI tool claims against published documentation",
        "small": "∙ Evaluate AI capabilities using published benchmarks",
        "medium": "∙ Formal AI capability evaluation using empirically validated benchmarks",
        "large": "∙ AI evaluation program using industry-standard benchmarks\n∙ Independent verification process",
        "enterprise": "∙ Enterprise AI evaluation framework\n∙ Dedicated AI red team\n∙ Third-party AI audits\n∙ Empirical validation protocols"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.3-002",
          "MS-2.5-001"
        ]
      }
    },
    {
      "control_id": "AAT-10.17",
      "title": "AI TEVV Benchmarking Content Provenance",
      "family": "AAT",
      "description": "Mechanisms exist to benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry-recognized standards.",
      "scf_question": "Does the organization benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry -recognized standards?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to benchmark the verifiable lineage and origin of content used by AAT according to industry-recognized standards.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document training data sources for AI tools used",
        "small": "∙ Verify and document content provenance for AI training data",
        "medium": "∙ Formal content provenance policy for AI systems\n∙ Data lineage documentation",
        "large": "∙ Content provenance framework\n∙ Cryptographic verification where possible\n∙ Data lineage tracking tools",
        "enterprise": "∙ Enterprise content provenance platform\n∙ C2PA or similar standards adoption\n∙ Automated lineage verification"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-003",
          "MP-5.1-002",
          "MS-1.1-002",
          "MS-2.7-002",
          "MS-2.7-005"
        ]
      }
    },
    {
      "control_id": "AAT-10.18",
      "title": "AI TEVV Model Collapse Mitigations",
      "family": "AAT",
      "description": "Mechanisms exist to mitigate concerns of model collapse by:\n(1) Assessing the proportion of synthetic to non-synthetic training data; and\n(2) Verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced.",
      "scf_question": "Does the organization mitigate concerns of model collapse by:\n(1) Assessing the proportion of synthetic to non-synthetic training data; and\n(2) Verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to mitigate concerns of model collapse by:\n(1) Assessing the proportion of synthetic to non-synthetic training data; and\n(2) Verifying training data is not overly homogenous or AAT system-produced.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Limit use of purely synthetic training data",
        "small": "∙ Document training data composition (synthetic vs. real)",
        "medium": "∙ Formal policy on synthetic data usage in AI training\n∙ Data diversity requirements",
        "large": "∙ AI training data governance program\n∙ Monitoring of training data diversity",
        "enterprise": "∙ Enterprise AI data governance platform\n∙ Automated data composition monitoring\n∙ Model collapse detection mechanisms"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.10-003",
          "MS-2.11-005"
        ]
      }
    },
    {
      "control_id": "AAT-10.19",
      "title": "AI TEVV Third-Party Risk Management",
      "family": "AAT",
      "description": "Mechanisms exist to assess, approve and continuously monitor third-party Artificial Intelligence (AI) and Autonomous Technologies (AAT):\n(1) Components;\n(2) Application Programming Interfaces (APIs); and/or\n(3) Services used by AI agents for security, privacy and compliance.",
      "scf_question": "Does the organization assess, approve and continuously monitor third-party Artificial Intelligence (AI) and Autonomous Technologies (AAT):\n(1) Components;\n(2) Application Programming Interfaces (APIs); and/or\n(3) Services used by AI agents for security, privacy and compliance?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assess, approve and continuously monitor third-party AAT:\n(1) Components;\n(2) Application Programming Interfaces (APIs); and/or\n(3) Services used by AI agents for security, privacy and compliance.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review third-party AI components before use",
        "small": "∙ Vendor assessment for third-party AI components and APIs",
        "medium": "∙ Third-party AI component risk assessment process\n∙ Ongoing monitoring policy",
        "large": "∙ Formal TPRM program for AI vendors\n∙ API security testing\n∙ Continuous monitoring of third-party AI",
        "enterprise": "∙ Enterprise TPRM platform (e.g., OneTrust, BitSight)\n∙ Automated third-party AI monitoring\n∙ Supply chain security for AI components"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-11",
      "title": "Robust Stakeholder Engagement for AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.",
      "scf_question": "Does the organization compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AAT-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to compel ongoing engagement with relevant AAT stakeholders to encourage feedback about positive, negative and unanticipated impacts.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ AI Steering committee / advisory board\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ AI Steering committee / advisory board\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ AI Steering committee / advisory board\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF3"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "7.4",
          "9.3.1",
          "9.3.2",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(d)",
          "9.3.2(d)(1)",
          "9.3.2(d)(2)",
          "9.3.2(d)(3)",
          "9.3.2(e)",
          "A.3.3",
          "A.8",
          "A.8.2",
          "A.8.3",
          "A.8.4",
          "A.8.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-7.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 5.0",
          "MAP 5.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-4.1-003",
          "GV-4.2-001",
          "GV-4.2-002",
          "GV-4.3-003",
          "GOVERN 5.1",
          "GV-5.1-001",
          "MP-5.1-004",
          "MAP 5.2",
          "MP-5.2-002",
          "MS-1.1-006",
          "MS-1.1-007",
          "MS-1.1-008",
          "MS-1.3-001",
          "MS-1.3-002",
          "MS-3.3-005",
          "MG-2.4-001"
        ]
      }
    },
    {
      "control_id": "AAT-11.1",
      "title": "AI & Autonomous Technologies Stakeholder Feedback Integration",
      "family": "AAT",
      "description": "Mechanisms exist to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "9.3.2(c)",
          "A.3.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 5.1",
          "GOVERN 5.2",
          "MANAGE 4.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-5.1-001",
          "MP-1.2-002",
          "MEASURE 1.3",
          "MS-2.10-002",
          "MS-4.2-005",
          "MG-2.2-006",
          "MG-3.2-007"
        ]
      }
    },
    {
      "control_id": "AAT-11.2",
      "title": "AI & Autonomous Technologies Ongoing Assessments",
      "family": "AAT",
      "description": "Mechanisms exist to conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT.",
      "scf_question": "Does the organization conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct regular assessments of AAT with independent assessors and stakeholders not involved in the development of the AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Information Assurance (IA) Program\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "5.1",
          "9.2.1",
          "9.2.1(a)",
          "9.2.1(a)(1)",
          "9.2.1(a)(2)",
          "9.2.1(b)",
          "A.3.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 1.3",
          "MEASURE 2.6",
          "MANAGE 4.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.7-009",
          "MG-3.1-003"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(h)"
        ]
      }
    },
    {
      "control_id": "AAT-11.3",
      "title": "AI & Autonomous Technologies End User Feedback",
      "family": "AAT",
      "description": "Mechanisms exist to collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics.",
      "scf_question": "Does the organization collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to collect and integrate feedback from end users and impacted communities into AAT-related system evaluation metrics.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.3.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 3.3",
          "MANAGE 4.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-3.2-004",
          "GV-4.2-002",
          "GV-5.1-001",
          "MP-1.2-002",
          "MP-5.1-004",
          "MS-1.1-004",
          "MS-2.7-003",
          "MS-2.10-002",
          "MEASURE 3.3",
          "MS-4.2-005",
          "MG-2.2-006",
          "MG-2.2-008",
          "MG-3.2-004"
        ]
      }
    },
    {
      "control_id": "AAT-11.4",
      "title": "AI & Autonomous Technologies Incident & Error Reporting",
      "family": "AAT",
      "description": "Mechanisms exist to communicate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related incidents and/or errors to relevant stakeholders, including affected communities.",
      "scf_question": "Does the organization communicate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related incidents and/or errors to relevant stakeholders, including affected communities?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to communicate AAT-related incidents and/or errors to relevant stakeholders, including affected communities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Incident Response Plan (IRP)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Incident Response Plan (IRP)\n∙ Integrated Security Incident Response Team (ISIRT)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Incident Response Plan (IRP)\n∙ Integrated Security Incident Response Team (ISIRT)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Incident Response Plan (IRP)\n∙ Integrated Security Incident Response Team (ISIRT)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.8.3",
          "A.8.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 4.3"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 6.2",
          "MANAGE 4.3"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(i)"
        ]
      }
    },
    {
      "control_id": "AAT-12",
      "title": "AI & Autonomous Technologies Intellectual Property Infringement Protections",
      "family": "AAT",
      "description": "Mechanisms exist to prevent third-party Intellectual Property (IP) rights infringement by Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization prevent third-party Intellectual Property (IP) rights infringement by Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AAT-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent third-party Intellectual Property (IP) rights infringement by AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Legal review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Legal review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.6.1.3",
          "A.6.2.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 6.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 6.1",
          "GV-6.1-001",
          "MP-4.1-002",
          "MP-4.1-006",
          "MP-4.1-010",
          "MS-2.6-002",
          "MS-2.8-001",
          "MG-3.1-004"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(f)",
          "Article 53.1(c)"
        ],
        "apac-jpn-ismap": [
          "18.1.2",
          "18.1.2.13.PB"
        ]
      }
    },
    {
      "control_id": "AAT-12.1",
      "title": "Data Source Identification",
      "family": "AAT",
      "description": "Mechanisms exist to identify and document data sources utilized in the training and/or operation of Artificial Intelligence and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization identify and document data sources utilized in the training and/or operation of Artificial Intelligence and Autonomous Technologies (AAT)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AAT-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document data sources utilized in the training and/or operation of Artificial Intelligence and Autonomous Technologies (AAT).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Chief Data Officer (CDO)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Chief Data Officer (CDO)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.4.3",
          "A.6.1.3",
          "A.6.2.3",
          "A.7",
          "A.7.2",
          "A.7.3",
          "A.7.4",
          "A.7.5",
          "A.7.6"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-7.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.5-001",
          "GV-6.1-001",
          "GV-6.1-003",
          "GV-6.1-004",
          "GV-6.1-008",
          "MP-2.1-001",
          "MP-2.1-002",
          "MP-2.2-001",
          "MP-5.1-002",
          "MS-2.2-001",
          "MS-2.2-002",
          "MS-2.5-003",
          "MS-2.5-005",
          "MS-2.10-003",
          "MG-2.2-002",
          "MG-2.2-003",
          "MG-4.1-006"
        ],
        "general-sparta": [
          "CM0049"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(f)"
        ]
      }
    },
    {
      "control_id": "AAT-12.2",
      "title": "Data Source Integrity",
      "family": "AAT",
      "description": "Mechanisms exist to protect the integrity of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of Artificial Intelligence and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization protect the integrity of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of Artificial Intelligence and Autonomous Technologies (AAT)?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect the integrity of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of Artificial Intelligence and Autonomous Technologies (AAT).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Chief Data Officer (CDO)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Chief Data Officer (CDO)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "TS-7.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-2.1-002",
          "MAP 2.3",
          "MP-4.1-006",
          "MS-1.1-007",
          "MS-2.7-005",
          "MS-2.7-007",
          "MG-2.2-002",
          "MG-2.2-003",
          "MG-4.1-006"
        ],
        "general-sparta": [
          "CM0049"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(f)"
        ]
      }
    },
    {
      "control_id": "AAT-12.3",
      "title": "Data Source Lineage & Origin Disclosure",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence and Autonomous Technologies (AAT) publicly disclose information with sufficient detail to assess:\n(1) Content lineage; and \n(2) The origin of data used by the AAT.",
      "scf_question": "Does the organization ensure Artificial Intelligence and Autonomous Technologies (AAT) publicly disclose information with sufficient detail to assess:\n(1) Content lineage; and \n(2) The origin of data used by the AAT?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure Artificial Intelligence and Autonomous Technologies (AAT) publicly disclose information with sufficient detail to assess:\n(1) Content lineage; and \n(2) The origin of data used by the AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Disclose data sources used by AI tools in user documentation",
        "small": "∙ Policy requiring disclosure of AI training data sources",
        "medium": "∙ Formal AI transparency policy\n∙ Data source disclosure in user documentation",
        "large": "∙ AI transparency program\n∙ Public disclosure of data lineage\n∙ Model cards with data sourcing",
        "enterprise": "∙ Enterprise AI transparency framework\n∙ Automated disclosure generation\n∙ Regulatory compliance tracking for AI transparency"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-2.1-001",
          "MP-3.4-001",
          "MP-5.1-002"
        ],
        "emea-eu-ai-act-2024": [
          "Article 53.1(d)"
        ]
      }
    },
    {
      "control_id": "AAT-12.4",
      "title": "Digital Content Modification Logging",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence and Autonomous Technologies (AAT):\n(1) Enable auditing of content modifications; and \n(2) Generate event logs for content-related changes.",
      "scf_question": "Does the organization ensure Artificial Intelligence and Autonomous Technologies (AAT):\n(1) Enable auditing of content modifications; and \n(2) Generate event logs for content-related changes?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure Artificial Intelligence and Autonomous Technologies (AAT):\n(1) Enable auditing of content modifications; and \n(2) Generate event logs for content-related changes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable logging for AI-generated content modifications",
        "small": "∙ Log AI content generation and modification events",
        "medium": "∙ Formal AI content audit logging policy\n∙ Log retention procedures",
        "large": "∙ AI content audit trail system\n∙ SIEM integration for AI events",
        "enterprise": "∙ Enterprise AI audit logging platform\n∙ Immutable audit trails\n∙ SIEM integration\n∙ Automated anomaly detection"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-008",
          "MS-1.1-001"
        ]
      }
    },
    {
      "control_id": "AAT-13",
      "title": "AI & Autonomous Technologies Stakeholder Diversity",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholder competencies, skills and capacities incorporate demographic diversity, broad domain and user experience expertise.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholder competencies, skills and capacities incorporate demographic diversity, broad domain and user experience expertise?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AAT stakeholder competencies, skills and capacities incorporate demographic diversity, broad domain and user experience expertise.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF3"
        ],
        "general-iso-42001-2023": [
          "A.4.6"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.2"
        ]
      }
    },
    {
      "control_id": "AAT-13.1",
      "title": "AI & Autonomous Technologies Stakeholder Competencies",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related operator and practitioner proficiency requirements for AAT are defined, assessed and documented.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related operator and practitioner proficiency requirements for AAT are defined, assessed and documented?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AAT-related operator and practitioner proficiency requirements for AAT are defined, assessed and documented.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF2",
          "CC5.3-POF5"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "7.2",
          "A.4.6"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 3.4"
        ],
        "general-shared-assessments-sig-2025": [
          "R.16"
        ],
        "emea-eu-ai-act-2024": [
          "Article 4"
        ]
      }
    },
    {
      "control_id": "AAT-14",
      "title": "AI & Autonomous Technologies Requirements Definitions",
      "family": "AAT",
      "description": "Mechanisms exist to take socio-technical implications into account to address risks associated with Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization take socio-technical implications into account to address risks associated with Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to take socio-technical implications into account to address risks associated with AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "4.1",
          "5.1",
          "A.5.4",
          "A.5.5",
          "A.6.2.2",
          "A.6.2.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.6"
        ],
        "emea-eu-ai-act-2024": [
          "Article 11.1",
          "Article 12.2(a)"
        ]
      }
    },
    {
      "control_id": "AAT-14.1",
      "title": "AI & Autonomous Technologies Implementation Tasks Definition",
      "family": "AAT",
      "description": "Mechanisms exist to define the tasks that Artificial Intelligence (AI) and Autonomous Technologies (AAT) will support (e.g., classifiers, generative models, recommenders).",
      "scf_question": "Does the organization define the tasks that Artificial Intelligence (AI) and Autonomous Technologies (AAT) will support (e.g., classifiers, generative models, recommenders)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions about what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define the tasks that AAT will support (e.g., classifiers, generative models, recommenders).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.6.1.3",
          "A.6.2.3",
          "A.6.2.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 2.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MAP 2.1"
        ]
      }
    },
    {
      "control_id": "AAT-14.2",
      "title": "AI & Autonomous Technologies Knowledge Limits",
      "family": "AAT",
      "description": "Mechanisms exist to identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making.",
      "scf_question": "Does the organization identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions about what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document knowledge limits of AAT to provide sufficient information to assist relevant stakeholder decision making.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.6.1.3",
          "A.6.2.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 2.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MAP 2.2"
        ]
      }
    },
    {
      "control_id": "AAT-15",
      "title": "AI & Autonomous Technologies Viability Decisions",
      "family": "AAT",
      "description": "Mechanisms exist to define the criteria as to whether Artificial Intelligence (AI) and Autonomous Technologies (AAT) achieved intended purposes and stated objectives to determine whether its development or deployment should proceed.",
      "scf_question": "Does the organization define the criteria as to whether Artificial Intelligence (AI) and Autonomous Technologies (AAT) achieved intended purposes and stated objectives to determine whether its development or deployment should proceed?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions about what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define the criteria as to whether AAT achieved intended purposes and stated objectives to determine whether its development or deployment should proceed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Project team review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Project team review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Project team review\n∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "5.1"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 1.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-4.1-002"
        ]
      }
    },
    {
      "control_id": "AAT-15.1",
      "title": "AI & Autonomous Technologies Negative Residual Risks",
      "family": "AAT",
      "description": "Mechanisms exist to identify and document negative, residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization identify and document negative, residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions about what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document negative, residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Project team review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Project team review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Project team review\n∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "6.1.2(c)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 1.1",
          "MANAGE 1.2",
          "MANAGE 1.4"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MG-1.3-001"
        ],
        "general-shared-assessments-sig-2025": [
          "R.18.1"
        ]
      }
    },
    {
      "control_id": "AAT-15.2",
      "title": "Responsibility To Supersede, Deactivate and/or Disengage AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to define the criteria and responsible party(ies) for superseding, disengaging or deactivating Artificial Intelligence (AI) and Autonomous Technologies (AAT) that demonstrate performance or outcomes inconsistent with intended use.",
      "scf_question": "Does the organization define the criteria and responsible party(ies) for superseding, disengaging or deactivating Artificial Intelligence (AI) and Autonomous Technologies (AAT) that demonstrate performance or outcomes inconsistent with intended use?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define the criteria and responsible party(ies) for superseding, disengaging or deactivating AAT that demonstrate performance or outcomes inconsistent with intended use.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Project team review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Project team review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Project team review\n∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "5.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 1.1",
          "MANAGE 1.2",
          "MANAGE 2.4"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-4.1-002",
          "MS-4.2-004",
          "MANAGE 2.4",
          "MG-2.4-002",
          "MG-2.4-004"
        ],
        "emea-eu-ai-act-2024": [
          "Article 14.2",
          "Article 14.4(d)",
          "Article 14.4(e)"
        ]
      }
    },
    {
      "control_id": "AAT-16",
      "title": "AI & Autonomous Technologies Production Monitoring",
      "family": "AAT",
      "description": "Mechanisms exist to monitor the functionality and behavior of the deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization monitor the functionality and behavior of the deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to monitor the functionality and behavior of the deployed AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Formal product management practices\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-csa-iot-2": [
          "SAP-10"
        ],
        "general-iso-42001-2023": [
          "A.6.2.6"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.4"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MEASURE 2.6"
        ],
        "emea-eu-ai-act-2024": [
          "Article 12.1",
          "Article 12.2(a)",
          "Article 12.2(b)",
          "Article 12.2(c)",
          "Article 14.2",
          "Article 15.3",
          "Article 17.1(h)",
          "Article 72.1",
          "Article 72.2",
          "Article 72.3",
          "Article 72.4"
        ]
      }
    },
    {
      "control_id": "AAT-16.1",
      "title": "AI & Autonomous Technologies Measurement Approaches",
      "family": "AAT",
      "description": "Mechanisms exist to measure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to deployment context(s) through review and consultation with industry experts, domain specialists and end users.",
      "scf_question": "Does the organization measure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to deployment context(s) through review and consultation with industry experts, domain specialists and end users?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to measure AAT-related risks to deployment context(s) through review and consultation with industry experts, domain specialists and end users.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 4.1"
        ]
      }
    },
    {
      "control_id": "AAT-16.2",
      "title": "Measuring AI & Autonomous Technologies Effectiveness",
      "family": "AAT",
      "description": "Mechanisms exist to regularly assess the effectiveness of existing security, compliance and resilience controls, including reports of errors and potential impacts on affected communities.",
      "scf_question": "Does the organization regularly assess the effectiveness of existing security, compliance and resilience controls, including reports of errors and potential impacts on affected communities?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to  regularly assess the effectiveness of existing security, compliance and resilience controls, including reports of errors and potential impacts on affected communities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 1.0",
          "MEASURE 1.1",
          "MEASURE 1.2",
          "MEASURE 3.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV4.3--001",
          "MG-1.3-002"
        ]
      }
    },
    {
      "control_id": "AAT-16.3",
      "title": "Unmeasurable AI & Autonomous Technologies Risks",
      "family": "AAT",
      "description": "Mechanisms exist to identify and document unmeasurable risks or trustworthiness characteristics.",
      "scf_question": "Does the organization identify and document unmeasurable risks or trustworthiness characteristics?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document unmeasurable risks or trustworthiness characteristics.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "6.1.2(c)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 1.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-1.1-009"
        ],
        "emea-eu-ai-act-2024": [
          "Article 12.2(a)"
        ]
      }
    },
    {
      "control_id": "AAT-16.4",
      "title": "Efficacy of AI & Autonomous Technologies Measurement",
      "family": "AAT",
      "description": "Mechanisms exist to gather and assess feedback about the efficacy of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related measurements.",
      "scf_question": "Does the organization gather and assess feedback about the efficacy of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related measurements?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to gather and assess feedback about the efficacy of AAT-related measurements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 4.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MEASURE 1.1",
          "MG-2.2-003"
        ]
      }
    },
    {
      "control_id": "AAT-16.5",
      "title": "AI & Autonomous Technologies Domain Expert Reviews",
      "family": "AAT",
      "description": "Mechanisms exist to utilize input from domain experts and relevant stakeholders to validate whether the Artificial Intelligence (AI) and Autonomous Technologies (AAT) perform consistently, as intended.",
      "scf_question": "Does the organization utilize input from domain experts and relevant stakeholders to validate whether the Artificial Intelligence (AI) and Autonomous Technologies (AAT) perform consistently, as intended?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize input from domain experts and relevant stakeholders to validate whether the AAT perform consistently, as intended.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Third-party advisors (subject matter experts)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Third-party advisors (subject matter experts)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Third-party advisors (subject matter experts)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Third-party advisors (subject matter experts)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Third-party advisors (subject matter experts)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 4.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-2.3-001",
          "MANAGE 4.1",
          "MG-4.1-001"
        ],
        "general-shared-assessments-sig-2025": [
          "R.13"
        ]
      }
    },
    {
      "control_id": "AAT-16.6",
      "title": "AI & Autonomous Technologies Performance Changes",
      "family": "AAT",
      "description": "Mechanisms exist to evaluate performance improvements or declines with domain experts and relevant stakeholders to define context-relevant risks and trustworthiness issues.",
      "scf_question": "Does the organization evaluate performance improvements or declines with domain experts and relevant stakeholders to define context-relevant risks and trustworthiness issues?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate performance improvements or declines with domain experts and relevant stakeholders to define context-relevant risks and trustworthiness issues.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 4.3"
        ]
      }
    },
    {
      "control_id": "AAT-16.7",
      "title": "Pre-Trained AI & Autonomous Technologies Models",
      "family": "AAT",
      "description": "Mechanisms exist to validate the information source(s) and quality of pre-trained models used in Artificial Intelligence (AI) and Autonomous Technologies (AAT) training, maintenance and improvement-related activities.",
      "scf_question": "Does the organization validate the information source(s) and quality of pre-trained models used in Artificial Intelligence (AI) and Autonomous Technologies (AAT) training, maintenance and improvement-related activities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to validate the information source(s) and quality of pre-trained models used in AAT training, maintenance and improvement-related activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MANAGE 3.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-4.1-004"
        ]
      }
    },
    {
      "control_id": "AAT-16.8",
      "title": "AI & Autonomous Technologies Event Logging",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) system event logging capabilities at a minimum provide:\n(1) Start date, start time, end date and end time for each use;\n(2) Database(s) against which input data has been checked by the system;\n(3) Input data for which the search has led to a match; and\n(4) Identification of individual(s) involved in the verification of the results.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) system event logging capabilities at a minimum provide:\n(1) Start date, start time, end date and end time for each use;\n(2) Database(s) against which input data has been checked by the system;\n(3) Input data for which the search has led to a match; and\n(4) Identification of individual(s) involved in the verification of the results?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AAT system event logging capabilities at a minimum provide:\n(1) Start date, start time, end date and end time for each use;\n(2) Database(s) against which input data has been checked by the system;\n(3) Input data for which the search has led to a match; and\n(4) Identification of individual(s) involved in the verification of the results.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable basic logging on AI/ML systems",
        "small": "∙ Configure event logging on AI systems\n∙ Define log retention periods",
        "medium": "∙ Formal AI event logging policy\n∙ Centralized log collection",
        "large": "∙ SIEM integration for AI system logs\n∙ Defined logging standards for AI platforms",
        "enterprise": "∙ Enterprise SIEM platform\n∙ Standardized AI event logging schema\n∙ Automated alerting for anomalous AI events"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "GV-4.3-002",
          "MANAGE 4.1"
        ],
        "emea-eu-ai-act-2024": [
          "Article 12.1",
          "Article 12.2",
          "Article 12.3(a)",
          "Article 12.3(b)",
          "Article 12.3(c)",
          "Article 12.3(d)",
          "Article 16(e)",
          "Article 26.6"
        ]
      }
    },
    {
      "control_id": "AAT-16.9",
      "title": "Serious Incident Reporting For AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to report any serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) to relevant authorities as to when and where the serious incident occurred, in accordance with mandated reporting timelines.",
      "scf_question": "Does the organization report any serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) to relevant authorities as to when and where the serious incident occurred, in accordance with mandated reporting timelines?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to report any serious incident involving operational AAT to relevant authorities as to when and where the serious incident occurred, in accordance with mandated reporting timelines.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Report serious AI incidents to relevant authorities as required",
        "small": "∙ Incident reporting procedure for serious AI incidents",
        "medium": "∙ Formal serious AI incident reporting process\n∙ Regulatory reporting contacts",
        "large": "∙ AI incident response plan with regulatory reporting requirements\n∙ Legal team involvement",
        "enterprise": "∙ Enterprise AI incident response program\n∙ Automated regulatory notification workflows\n∙ Legal and compliance integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "GV-2.1-004",
          "GV-4.3-002"
        ],
        "emea-eu-ai-act-2024": [
          "Article 55.1(c)",
          "Article 60.7",
          "Article 73.1",
          "Article 73.2",
          "Article 73.3",
          "Article 73.4",
          "Article 73.5"
        ]
      }
    },
    {
      "control_id": "AAT-16.10",
      "title": "Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to perform an investigation when there is a serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) that documents a:\n(1) Root Cause Analysis (RCA);\n(2) Risk assessment of the incident; and \n(3) Description of corrective actions taken, including measures implemented to prevent a recurrence of the incident.",
      "scf_question": "Does the organization perform an investigation when there is a serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) that documents a:\n(1) Root Cause Analysis (RCA);\n(2) Risk assessment of the incident; and \n(3) Description of corrective actions taken, including measures implemented to prevent a recurrence of the incident?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform an investigation when there is a serious incident involving operational AAT that documents a:\n(1) Root Cause Analysis (RCA);\n(2) Risk assessment of the incident; and \n(3) Description of corrective actions taken, including measures implemented to prevent a recurrence of the incident.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Conduct post-incident review after serious AI incidents",
        "small": "∙ Root cause analysis process for serious AI incidents",
        "medium": "∙ Formal RCA procedure for AI incidents\n∙ Document findings and corrective actions",
        "large": "∙ AI incident investigation program with formal RCA methodology\n∙ Corrective action tracking",
        "enterprise": "∙ Enterprise AI incident management platform\n∙ Formal RCA framework (5 Whys, Fishbone)\n∙ Corrective action management system"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 73.6"
        ]
      }
    },
    {
      "control_id": "AAT-16.11",
      "title": "Anomaly Detection & Human Oversight",
      "family": "AAT",
      "description": "Mechanisms exist to analyze anomalous Artificial Intelligence (AI) and Autonomous Technologies (AAT) behavior and provide escalation paths for human oversight, including:\n(1) Real-time review; and\n(2) Intervention.",
      "scf_question": "Does the organization analyze anomalous Artificial Intelligence (AI) and Autonomous Technologies (AAT) behavior and provide escalation paths for human oversight, including:\n(1) Real-time review; and\n(2) Intervention?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to analyze anomalous AAT behavior and provide escalation paths for human oversight, including:\n(1) Real-time review; and\n(2) Intervention.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Monitor AI system outputs for unusual behavior",
        "small": "∙ Periodic review of AI system outputs for anomalies\n∙ Escalation procedure",
        "medium": "∙ Formal AI anomaly detection process\n∙ Human review triggers\n∙ Escalation procedures",
        "large": "∙ Automated AI anomaly detection tools\n∙ Human oversight workflow\n∙ Alert thresholds",
        "enterprise": "∙ Enterprise AI monitoring platform (e.g., Evidently AI, WhyLabs)\n∙ Automated anomaly detection\n∙ Human-in-the-loop escalation workflows"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-csa-iot-2": [
          "SAP-10"
        ]
      }
    },
    {
      "control_id": "AAT-16.12",
      "title": "Human-in-the-Loop & Escalation",
      "family": "AAT",
      "description": "Mechanisms exist to require human review and clear escalation paths for approval for high-risk or ambiguous Artificial Intelligence (AI) and Autonomous Technologies (AAT) actions.",
      "scf_question": "Does the organization require human review and clear escalation paths for approval for high-risk or ambiguous Artificial Intelligence (AI) and Autonomous Technologies (AAT) actions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require human review and clear escalation paths for approval for high-risk or ambiguous AAT actions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Require human approval for high-impact AI decisions",
        "small": "∙ Policy requiring human review for high-risk AI decisions\n∙ Escalation contacts",
        "medium": "∙ Formal human-in-the-loop policy\n∙ Defined escalation paths for ambiguous AI actions",
        "large": "∙ HITL workflow integration\n∙ Approval gates for high-risk AI decisions\n∙ Audit trails for approvals",
        "enterprise": "∙ Enterprise AI governance platform with HITL workflows\n∙ Automated escalation routing\n∙ Audit trails\n∙ Risk-based approval thresholds"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-16.13",
      "title": "Emergent Behavior & Collusion Protections",
      "family": "AAT",
      "description": "Mechanisms exist to detect and contain emergent or collusive behaviors among multiple Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:\n(1) Automated or human-triggered containment; and \n(2) Formal investigation to determine the root cause of agentic cascades or collusion.",
      "scf_question": "Does the organization detect and contain emergent or collusive behaviors among multiple Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:\n(1) Automated or human-triggered containment; and \n(2) Formal investigation to determine the root cause of agentic cascades or collusion?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to detect and contain emergent or collusive behaviors among multiple AAT, including:\n(1) Automated or human-triggered containment; and \n(2) Formal investigation to determine the root cause of agentic cascades or collusion.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Monitor multi-AI deployments for unexpected behavior",
        "small": "∙ Policy to review interactions between AI systems",
        "medium": "∙ Formal procedure to detect emergent/collusive AI behavior\n∙ Containment procedures",
        "large": "∙ AI behavior monitoring tools\n∙ Isolation procedures for compromised AI agents",
        "enterprise": "∙ Enterprise AI behavior monitoring platform\n∙ Automated detection of multi-agent collusion\n∙ AI sandboxing and isolation capabilities"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-16.14",
      "title": "Multi-Agent Trust & Communication Validation",
      "family": "AAT",
      "description": "Mechanisms exist to validate AI agent to AI agent communications to:\n(1) Detect poisoning or consensus manipulation; and \n(2) Identify rogue or compromised AI agents in distributed or multi-agent environments.",
      "scf_question": "Does the organization validate AI agent to AI agent communications to:\n(1) Detect poisoning or consensus manipulation; and \n(2) Identify rogue or compromised AI agents in distributed or multi-agent environments?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to validate AI agent to AI agent communications to:\n(1) Detect poisoning or consensus manipulation; and \n(2) Identify rogue or compromised AI agents in distributed or multi-agent environments.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "medium": "∙ Validate AI agent communications using defined protocols",
        "large": "∙ AI agent communication validation tools\n∙ Rogue agent detection procedures",
        "enterprise": "∙ Enterprise multi-agent trust framework\n∙ Cryptographic validation of agent communications\n∙ Automated rogue agent detection"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-17",
      "title": "AI & Autonomous Technologies Harm Prevention",
      "family": "AAT",
      "description": "Mechanisms exist to proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.",
      "scf_question": "Does the organization proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks?",
      "relative_weight": 10,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent AAT-related risks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Legal review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Legal review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.2",
          "MEASURE 3.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.12-001",
          "MG-4.3-002"
        ],
        "emea-eu-ai-act-2024": [
          "Article 14.2"
        ]
      }
    },
    {
      "control_id": "AAT-17.1",
      "title": "AI & Autonomous Technologies Human Subject Protections",
      "family": "AAT",
      "description": "Mechanisms exist to protect human subjects from harm.",
      "scf_question": "Does the organization protect human subjects from harm?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect human subjects from harm.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Legal review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Legal review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MEASURE 2.2",
          "MS-2.6-001",
          "MS-2.6-002",
          "MS-2.8-004",
          "MS-2.12-001"
        ]
      }
    },
    {
      "control_id": "AAT-17.2",
      "title": "AI & Autonomous Technologies Environmental Impact & Sustainability",
      "family": "AAT",
      "description": "Mechanisms exist to assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assess and document the environmental impacts and sustainability of AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "4.1"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.12"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.6-002",
          "MEASURE 2.12",
          "MS-2.12-002",
          "MS-2.12-003",
          "MS-2.12-004"
        ]
      }
    },
    {
      "control_id": "AAT-17.3",
      "title": "Previously Unknown AI & Autonomous Technologies Threats & Risks",
      "family": "AAT",
      "description": "Mechanisms exist to respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified.",
      "scf_question": "Does the organization respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to respond to and recover from a previously unknown AAT-related risk when it is identified.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "6.1.2(c)",
          "10.2",
          "10.2(a)",
          "10.2(a)(1)",
          "10.2(a)(2)",
          "10.2(b)",
          "10.2(b)(1)",
          "10.2(b)(2)",
          "10.2(b)(3)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 2.3"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MANAGE 2.3"
        ],
        "emea-eu-ai-act-2024": [
          "Article 20.2"
        ]
      }
    },
    {
      "control_id": "AAT-17.4",
      "title": "Novel Risk Assessment Methods & Technologies",
      "family": "AAT",
        "description": "Mechanisms exist to utilize novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate, if applicable:\n(1) Content provenance;\n(2) Offensive cyber capabilities;\n(3) Chemical, Biological, Radiological or Nuclear (CBRN) weapons; and/or\n(4) Other dangerous materials or agents.",
        "scf_question": "Does the organization utilize novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate, if applicable:\n(1) Content provenance;\n(2) Offensive cyber capabilities;\n(3) Chemical, Biological, Radiological or Nuclear (CBRN) weapons; and/or\n(4) Other dangerous materials or agents?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions about what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize novel methods and technologies for the measurement of AAT-related risks to evaluate, if applicable:\n(1) Content provenance;\n(2) Offensive cyber capabilities;\n(3) Chemical, Biological, Radiological or Nuclear (CBRN) weapons; and/or\n(4) Other dangerous materials or agents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "small": "∙ Research novel AI risk measurement methods as needed",
        "medium": "∙ Evaluate novel AI risk assessment methodologies as applicable to deployments",
        "large": "∙ Formal review of emerging AI risk methods\n∙ Integrate into AI risk management program",
        "enterprise": "∙ Enterprise AI risk research program\n∙ Dedicated AI safety team\n∙ Participation in AI risk standards bodies"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-1.1-005"
        ]
      }
    },
    {
      "control_id": "AAT-17.5",
      "title": "Fine Tuning Risk Mitigation",
      "family": "AAT",
      "description": "Mechanisms exist to ensure actions to fine-tune Artificial Intelligence (AI) and Autonomous Technologies (AAT) do not compromise existing security, compliance and resilience controls.",
      "scf_question": "Does the organization ensure actions to fine-tune Artificial Intelligence (AI) and Autonomous Technologies (AAT) do not compromise existing security, compliance and resilience controls?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions about what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure actions to fine-tune AAT do not compromise existing security, compliance and resilience controls.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Test fine-tuned AI models before deployment",
        "small": "∙ Security review process before deploying fine-tuned models",
        "medium": "∙ Formal security testing for fine-tuned AI models\n∙ Regression testing against security controls",
        "large": "∙ AI security testing program for model updates\n∙ TEVV process for fine-tuned models",
        "enterprise": "∙ Enterprise AI model security testing framework\n∙ Automated regression testing for fine-tuned models\n∙ Red team exercises for model updates"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.7-008"
        ]
      }
    },
    {
      "control_id": "AAT-18",
      "title": "AI & Autonomous Technologies Risk Tracking Approaches",
      "family": "AAT",
      "description": "Mechanisms exist to track Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks that are difficult to assess using currently available measurement techniques or where metrics are not yet available.",
      "scf_question": "Does the organization track Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks that are difficult to assess using currently available measurement techniques or where metrics are not yet available?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions about what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to track AAT-related risks that are difficult to assess using currently available measurement techniques or where metrics are not yet available.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Project team review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Project team review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Project team review\n∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MEASURE 3.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-5.2-001"
        ],
        "emea-eu-ai-act-2024": [
          "Article 20.2"
        ]
      }
    },
    {
      "control_id": "AAT-18.1",
      "title": "AI & Autonomous Technologies Risk Response",
      "family": "AAT",
      "description": "Mechanisms exist to prioritize, respond to and remediate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks based on assessments and other analytical output.",
      "scf_question": "Does the organization prioritize, respond to and remediate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks based on assessments and other analytical output?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prioritize, respond to and remediate AAT-related risks based on assessments and other analytical output.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Incident Response Plan (IRP)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Integrated Security Incident Response Team (ISIRT)\n∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Integrated Security Incident Response Team (ISIRT)\n∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Integrated Security Incident Response Team (ISIRT)\n∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-iso-42001-2023": [
          "10.2",
          "10.2(a)",
          "10.2(a)(1)",
          "10.2(a)(2)",
          "10.2(b)",
          "10.2(b)(1)",
          "10.2(b)(2)",
          "10.2(b)(3)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 1.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-007",
          "MG-2.4-003"
        ],
        "emea-eu-ai-act-2024": [
          "Article 20.2"
        ]
      }
    },
    {
      "control_id": "AAT-19",
      "title": "AI & Autonomous Technologies Conformity",
      "family": "AAT",
      "description": "Mechanisms exist to ensure deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT) conform to applicable statutory and regulatory requirements, based on:\n(1) Defined use cases;\n(2) Geographic markets; and\n(3) Use of Intellectual Property (IP).",
      "scf_question": "Does the organization ensure deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT) conform to applicable statutory and regulatory requirements, based on:\n(1) Defined use cases;\n(2) Geographic markets; and\n(3) Use of Intellectual Property (IP)?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure deployed AAT conform to applicable statutory and regulatory requirements, based on:\n(1) Defined use cases;\n(2) Geographic markets; and\n(3) Use of Intellectual Property (IP).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review applicable AI regulations before deploying AI tools",
        "small": "∙ Legal review of AI deployments for regulatory compliance",
        "medium": "∙ Formal AI compliance review process\n∙ Regulatory mapping (EU AI Act, NIST AI RMF)",
        "large": "∙ AI regulatory compliance program\n∙ Dedicated compliance review for AI deployments",
        "enterprise": "∙ Enterprise AI regulatory compliance framework\n∙ Legal and compliance team integration\n∙ Automated regulatory tracking\n∙ AI Act conformity assessments"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.6-005",
          "MS-2.10-001"
        ],
        "emea-eu-ai-act-2024": [
          "Article 5.1"
        ]
      }
    },
    {
      "control_id": "AAT-19.1",
      "title": "Manipulative or Deceptive Techniques",
      "family": "AAT",
      "description": "Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that utilize manipulative or deceptive techniques (including biased data) to impair an individual's ability to make a reasonably informed decision.",
      "scf_question": "Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that utilize manipulative or deceptive techniques (including biased data) to impair an individual's ability to make a reasonably informed decision?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the sale, deployment and/or use of AAT that utilize manipulative or deceptive techniques (including biased data) to impair an individual's ability to make a reasonably informed decision.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting use of AI tools with deceptive/manipulative capabilities",
        "small": "∙ AI acceptable use policy prohibiting manipulative AI techniques",
        "medium": "∙ Formal policy prohibiting manipulative AI\n∙ Review process before AI tool adoption",
        "large": "∙ AI ethics program\n∙ Formal prohibition on manipulative AI\n∙ Vendor agreements with ethics requirements",
        "enterprise": "∙ Enterprise AI ethics framework\n∙ Ethics board review\n∙ Regulatory compliance for AI manipulation prohibitions"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 5.1(a)"
        ]
      }
    },
    {
      "control_id": "AAT-19.2",
      "title": "Materially Distorting Behaviors",
      "family": "AAT",
      "description": "Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that exploit a human subject to materially affect a targeted behavior due to their:\n(1) Age;\n(2) Disability; or \n(3) Specific social or economic situation.",
      "scf_question": "Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that exploit a human subject to materially affect a targeted behavior due to their:\n(1) Age;\n(2) Disability; or \n(3) Specific social or economic situation?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the sale, deployment and/or use of AAT that exploit a human subject to materially affect a targeted behavior due to their:\n(1) Age;\n(2) Disability; or \n(3) Specific social or economic situation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting AI tools that exploit human vulnerabilities",
        "small": "∙ AI acceptable use policy prohibiting exploitative AI behaviors",
        "medium": "∙ Formal policy prohibiting materially distorting AI\n∙ Impact assessment process",
        "large": "∙ AI ethics program with formal prohibition\n∙ Vendor compliance requirements",
        "enterprise": "∙ Enterprise AI ethics framework\n∙ Human rights impact assessments\n∙ Regulatory compliance mapping"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 5.1(b)"
        ]
      }
    },
    {
      "control_id": "AAT-19.3",
      "title": "Social Scoring",
      "family": "AAT",
      "description": "Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that: \n(1) Evaluate human subjects over a certain period of time based on their social behavior or known, inferred or predicted personal or personality characteristics; and\n(2) Assign a \"social score\" branding or equivalent classification.",
      "scf_question": "Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that: \n(1) Evaluate human subjects over a certain period of time based on their social behavior or known, inferred or predicted personal or personality characteristics; and\n(2) Assign a \"social score\" branding or equivalent classification?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the sale, deployment and/or use of AAT that: \n(1) Evaluate human subjects over a certain period of time based on their social behavior or known, inferred or predicted personal or personality characteristics; and\n(2) Assign a \"social score\" branding or equivalent classification.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting social scoring AI tools",
        "small": "∙ AI acceptable use policy prohibiting social scoring",
        "medium": "∙ Formal prohibition on social scoring AI\n∙ Review process before AI adoption",
        "large": "∙ AI ethics program with formal prohibition\n∙ Legal review for AI deployments",
        "enterprise": "∙ Enterprise AI ethics framework\n∙ Regulatory compliance (EU AI Act Art. 5)\n∙ Automated detection of prohibited practices"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 5.1(c)"
        ]
      }
    },
    {
      "control_id": "AAT-19.4",
      "title": "Detrimental or Unfavorable Treatment",
      "family": "AAT",
      "description": "Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that lead to the detrimental or unfavorable treatment of certain data subjects, or groups of data subjects, in social contexts that is:\n(1) Are unrelated to the contexts in which the data was originally generated or collected; and/or\n(2) Is unjustified or disproportionate to their social behavior or its gravity.",
      "scf_question": "Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that lead to the detrimental or unfavorable treatment of certain data subjects, or groups of data subjects, in social contexts that is:\n(1) Are unrelated to the contexts in which the data was originally generated or collected; and/or\n(2) Is unjustified or disproportionate to their social behavior or its gravity?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the sale, deployment and/or use of AAT that lead to the detrimental or unfavorable treatment of certain data subjects, or groups of data subjects, in social contexts that is:\n(1) Are unrelated to the contexts in which the data was originally generated or collected; and/or\n(2) Is unjustified or disproportionate to their social behavior or its gravity.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting AI tools causing unfair treatment",
        "small": "∙ AI acceptable use policy prohibiting discriminatory AI",
        "medium": "∙ Formal policy on AI fairness and non-discrimination",
        "large": "∙ AI fairness program\n∙ Bias testing before deployment\n∙ Vendor requirements",
        "enterprise": "∙ Enterprise AI fairness framework\n∙ Automated bias detection tools\n∙ Third-party AI audits"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 5.1(c)(i)",
          "Article 5.1(c)(ii)"
        ]
      }
    },
    {
      "control_id": "AAT-19.5",
      "title": "Risk and Criminal Profiling",
      "family": "AAT",
      "description": "Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that:\n(1) Assess the risk of an individual committing a criminal offence; and\n(2) Predicts risk based solely on the profiling of personality traits and characteristics.",
      "scf_question": "Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that:\n(1) Assess the risk of an individual committing a criminal offence; and\n(2) Predicts risk based solely on the profiling of personality traits and characteristics?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the sale, deployment and/or use of AAT that:\n(1) Assess the risk of an individual committing a criminal offence; and\n(2) Predicts risk based solely on the profiling of personality traits and characteristics.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting criminal risk profiling AI tools",
        "small": "∙ AI acceptable use policy prohibiting criminal profiling AI",
        "medium": "∙ Formal prohibition on AI-based criminal profiling\n∙ Legal review",
        "large": "∙ AI ethics program with formal prohibition\n∙ Legal and compliance review",
        "enterprise": "∙ Enterprise AI ethics framework\n∙ Regulatory compliance (EU AI Act Art. 5)\n∙ Legal review process"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 5.1(d)"
        ]
      }
    },
    {
      "control_id": "AAT-19.6",
      "title": "Populating Facial Recognition Databases",
      "family": "AAT",
      "description": "Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that create, or expand, facial recognition databases through scraping facial images from:\n(1) The Internet; or \n(2) Closed-Circuit Television (CCTV) footage.",
      "scf_question": "Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that create, or expand, facial recognition databases through scraping facial images from:\n(1) The Internet; or \n(2) Closed-Circuit Television (CCTV) footage?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the sale, deployment and/or use of AAT that create, or expand, facial recognition databases through scraping facial images from:\n(1) The Internet; or \n(2) Closed-Circuit Television (CCTV) footage.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting facial recognition database scraping tools",
        "small": "∙ AI acceptable use policy prohibiting facial recognition database scraping",
        "medium": "∙ Formal prohibition on scraping facial recognition databases",
        "large": "∙ AI ethics program with formal prohibition\n∙ Technical controls to prevent scraping",
        "enterprise": "∙ Enterprise AI ethics framework\n∙ Technical controls against facial recognition scraping\n∙ Regulatory compliance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 5.1(e)"
        ]
      }
    },
    {
      "control_id": "AAT-19.7",
      "title": "Emotion Inference",
      "family": "AAT",
      "description": "Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on observed characteristics.",
      "scf_question": "Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on observed characteristics?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the sale, deployment and/or use of AAT that infer human emotions of an individual based on observed characteristics.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting emotion inference AI tools",
        "small": "∙ AI acceptable use policy prohibiting emotion inference",
        "medium": "∙ Formal prohibition on AI emotion inference tools",
        "large": "∙ AI ethics program\n∙ Prohibition enforced in vendor agreements",
        "enterprise": "∙ Enterprise AI ethics framework\n∙ Regulatory compliance mapping\n∙ Technical controls against emotion inference"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 5.1(f)"
        ]
      }
    },
    {
      "control_id": "AAT-19.8",
      "title": "Biometric Categorization",
      "family": "AAT",
      "description": "Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's:\n(1) Race; \n(2) Political opinions;\n(3) Trade union membership;\n(4) Religious or philosophical beliefs; \n(5) Sex life or sexual orientation; and/or\n(6) Age.",
      "scf_question": "Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's:\n(1) Race; \n(2) Political opinions;\n(3) Trade union membership;\n(4) Religious or philosophical beliefs; \n(5) Sex life or sexual orientation; and/or\n(6) Age?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the sale, deployment and/or use of AAT that categorize an individual based on their biometric data to deduce, or infer, the individual's:\n(1) Race; \n(2) Political opinions;\n(3) Trade union membership;\n(4) Religious or philosophical beliefs; \n(5) Sex life or sexual orientation; and/or\n(6) Age.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting biometric categorization AI tools",
        "small": "∙ AI acceptable use policy prohibiting biometric categorization",
        "medium": "∙ Formal prohibition on biometric categorization AI",
        "large": "∙ AI ethics program with formal prohibition\n∙ Legal review for biometric technologies",
        "enterprise": "∙ Enterprise AI ethics and privacy framework\n∙ Regulatory compliance (EU AI Act, GDPR)\n∙ Technical controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.10-001"
        ],
        "emea-eu-ai-act-2024": [
          "Article 5.1(g)"
        ]
      }
    },
    {
      "control_id": "AAT-20",
      "title": "AI & Autonomous Technologies Development Practices",
      "family": "AAT",
      "description": "Measures exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to:\n(1) Achieve an appropriate level of accuracy, robustness and cybersecurity; \n(2) Perform consistently in those respects throughout the AAT system's lifecycle; and\n(3) Be effectively overseen by competent individuals.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to:\n(1) Achieve an appropriate level of accuracy, robustness, and cybersecurity; \n(2) Perform consistently in those respects throughout the AAT system's lifecycle; and\n(3) Be effectively overseen by competent individuals?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Measures exist to ensure AAT are designed and developed to:\n(1) Achieve an appropriate level of accuracy, robustness and cybersecurity; \n(2) Perform consistently in those respects throughout the AAT system's lifecycle; and\n(3) Be effectively overseen by competent individuals.",
        "4": "Artificial Intelligence and Autonomous Technology (AAT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are \"world class\" efforts the leverage predictive analysis (e.g., machine learning, AI, etc.) to enable continuously improving capabilities. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document accuracy and robustness requirements before adopting AI",
        "small": "∙ AI design requirements checklist covering accuracy, robustness, cybersecurity",
        "medium": "∙ Formal AI development standards\n∙ Security-by-design requirements for AI",
        "large": "∙ AI development security standards\n∙ Formal SDLC integration\n∙ Security testing requirements",
        "enterprise": "∙ Enterprise AI development framework\n∙ AI security standards (NIST AI RMF, ISO 42001)\n∙ DevSecOps integration for AI"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 13.1",
          "Article 14.1",
          "Article 14.3(a)",
          "Article 14.3(b)",
          "Article 15.1",
          "Article 15.4",
          "Article 15.5",
          "Article 16(a)",
          "Article 17.1(b)"
        ]
      }
    },
    {
      "control_id": "AAT-20.1",
      "title": "AI & Autonomous Technologies Transparency",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed so its operation is sufficiently transparent such that output can be easily interpreted by personnel implementing the AAT.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed so its operation is sufficiently transparent such that output can be easily interpreted by personnel implementing the AAT?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AAT are designed and developed so its operation is sufficiently transparent such that output can be easily interpreted by personnel implementing the AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document how AI decisions are made for key tools",
        "small": "∙ Transparency requirements in AI tool selection\n∙ Basic explainability documentation",
        "medium": "∙ AI explainability policy\n∙ Require documentation of AI decision logic",
        "large": "∙ AI transparency program\n∙ Explainability requirements in AI development standards",
        "enterprise": "∙ Enterprise AI explainability framework\n∙ XAI tools (e.g., SHAP, LIME)\n∙ Model documentation standards"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-2.2-002",
          "MS-2.8-003",
          "MEASURE 2.9",
          "MS-4.2-003",
          "MG-3.1-005"
        ],
        "emea-eu-ai-act-2024": [
          "Article 13.1",
          "Article 14.3(b)",
          "Article 14.4",
          "Article 14.4(a)"
        ]
      }
    },
    {
      "control_id": "AAT-20.2",
      "title": "AI & Autonomous Technologies Implementation Documentation",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include clear and concise documentation that is relevant, accessible and comprehensible to personnel implementing and maintaining the AAT that, at a minimum, provides: \n(1) Contact details of the provider; \n(2) Characteristics, capabilities and limitations of performance of the AAT;\n(3) Errata from the AAT's initial conformity assessment;\n(4) Details necessary to interpret the outputs of the AAT;\n(5) Human oversight measures necessary to facilitate the interpretation of the outputs of the AAT;\n(6) Computational and hardware resources needed to operate the AAT;\n(7) Projected useable lifetime of the AAT; and\n(8) A description of the mechanisms included within the AAT system to properly collect, store and interpret event logs.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include clear and concise documentation that is relevant, accessible and comprehensible to personnel implementing and maintaining the AAT that, at a minimum, provides: \n(1) Contact details of the provider; \n(2) Characteristics, capabilities and limitations of performance of the AAT;\n(3) Errata from the AAT's initial conformity assessment;\n(4) Details necessary to interpret the outputs of the AAT;\n(5) Human oversight measures necessary to facilitate the interpretation of the outputs of the AAT;\n(6) Computational and hardware resources needed to operate the AAT;\n(7) Projected useable lifetime of the AAT; and\n(8) A description of the mechanisms included within the AAT system to properly collect, store and interpret event logs?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AAT include clear and concise documentation that is relevant, accessible and comprehensible to personnel implementing and maintaining the AAT that, at a minimum, provides: \n(1) Contact details of the provider; \n(2) Characteristics, capabilities and limitations of performance of the AAT;\n(3) Errata from the AAT's initial conformity assessment;\n(4) Details necessary to interpret the outputs of the AAT;\n(5) Human 
oversight measures necessary to facilitate the interpretation of the outputs of the AAT;\n(6) Computational and hardware resources needed to operate the AAT;\n(7) Projected useable lifetime of the AAT; and\n(8) A description of the mechanisms included within the AAT system to properly collect, store and interpret event logs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document AI implementation steps and configuration",
        "small": "∙ AI implementation documentation template",
        "medium": "∙ Formal AI implementation documentation policy\n∙ Technical documentation requirements",
        "large": "∙ AI documentation program\n∙ Standardized implementation documentation templates",
        "enterprise": "∙ Enterprise AI documentation platform\n∙ Automated documentation generation from MLOps tools\n∙ Model cards and system cards"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "TS-7.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MEASURE 2.3",
          "MS-2.9-002"
        ],
        "emea-eu-ai-act-2024": [
          "Article 13.2",
          "Article 13.3(a)",
          "Article 13.3(b)(i)",
          "Article 13.3(b)(ii)",
          "Article 13.3(b)(iii)",
          "Article 13.3(b)(iv)",
          "Article 13.3(b)(v)",
          "Article 13.3(b)(vi)",
          "Article 13.3(b)(vii)",
          "Article 13.3(c)",
          "Article 13.3(d)",
          "Article 13.3(e)",
          "Article 13.3(f)",
          "Article 14.4",
          "Article 14.4(a)",
          "Article 15.3",
          "Article 53.1(b)",
          "Article 53.1(b)(i)"
        ]
      }
    },
    {
      "control_id": "AAT-20.3",
      "title": "AI & Autonomous Technologies Human Domain Knowledge Reliance",
      "family": "AAT",
      "description": "Mechanisms exist to document the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance including:\n(1) Reinforcement Learning from Human Feedback (RLHF);\n(2) Fine-tuning;\n(3) Retrieval- augmented generation;\n(4) Content moderation; and\n(5) Business rules.",
      "scf_question": "Does the organization document the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance including:\n(1) Reinforcement Learning from Human Feedback (RLHF);\n(2) Fine-tuning;\n(3) Retrieval- augmented generation;\n(4) Content moderation; and\n(5) Business rules?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document the extent to which human domain knowledge is employed to improve AAT performance including:\n(1) Reinforcement Learning from Human Feedback (RLHF);\n(2) Fine-tuning;\n(3) Retrieval-augmented generation;\n(4) Content moderation; and\n(5) Business rules.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document how human expertise is used to improve AI tools",
        "small": "∙ Document human feedback mechanisms for AI improvement",
        "medium": "∙ Formal policy on human domain knowledge use in AI training\n∙ RLHF documentation",
        "large": "∙ AI development standards covering human knowledge integration\n∙ Documentation requirements",
        "enterprise": "∙ Enterprise AI training governance framework\n∙ RLHF program documentation\n∙ Human feedback loop management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.5-002"
        ]
      }
    },
    {
      "control_id": "AAT-21",
      "title": "AI & Autonomous Technologies Registration",
      "family": "AAT",
      "description": "Mechanisms exist to maintain a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by statutory or regulatory requirements.",
      "scf_question": "Does the organization maintain a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by statutory or regulatory requirements?",
      "relative_weight": 4,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a current registration for AAT with the appropriate governing body, as required by statutory or regulatory requirements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Register high-risk AI systems with relevant authorities as required",
        "large": "∙ AI registration compliance program\n∙ Track registration requirements by jurisdiction",
        "enterprise": "∙ Enterprise AI regulatory compliance platform\n∙ Automated registration tracking\n∙ EU AI Act database registration compliance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 16(i)",
          "Article 22.3(e)",
          "Article 26.8",
          "Article 49.1",
          "Article 49.2",
          "Article 49.3",
          "Article 52.1",
          "Article 52.2"
        ]
      }
    },
    {
      "control_id": "AAT-22",
      "title": "AI & Autonomous Technologies Deployment",
      "family": "AAT",
      "description": "Mechanisms exist to ensure the deployment of Artificial Intelligence (AI) and Autonomous Technologies (AAT) includes appropriate technical and organizational measures so that AAT are used in accordance with the AAT developer-provided instructions for use.",
      "scf_question": "Does the organization ensure the deployment of Artificial Intelligence (AI) and Autonomous Technologies (AAT) includes appropriate technical and organizational measures so that AAT are used in accordance with the AAT developer-provided instructions for use?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the deployment of AAT includes appropriate technical and organizational measures so that AAT are used in accordance with the AAT developer-provided instructions for use.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Deploy AI tools only for documented, approved purposes",
        "small": "∙ AI deployment approval process\n∙ Document intended use and technical measures",
        "medium": "∙ Formal AI deployment policy\n∙ Technical and organizational measures for AI deployment",
        "large": "∙ AI deployment governance program\n∙ Formal approval workflows\n∙ Post-deployment monitoring",
        "enterprise": "∙ Enterprise AI deployment governance framework\n∙ Automated deployment controls\n∙ Continuous monitoring\n∙ Regulatory compliance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 26.1"
        ]
      }
    },
    {
      "control_id": "AAT-22.1",
      "title": "AI & Autonomous Technologies Human Oversight",
      "family": "AAT",
      "description": "Mechanisms exist to assign human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to prevent or minimize the risks to:\n(1) Health; \n(2) Safety; and/or \n(3) Fundamental rights.",
      "scf_question": "Does the organization assign human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to prevent or minimize the risks to:\n(1) Health; \n(2) Safety; and/or \n(3) Fundamental rights?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assign human oversight of AAT to prevent or minimize the risks to:\n(1) Health; \n(2) Safety; and/or \n(3) Fundamental rights.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Assign an owner responsible for overseeing AI tool use",
        "small": "∙ Designate AI oversight roles\n∙ Document oversight responsibilities",
        "medium": "∙ Formal AI human oversight policy\n∙ Designated oversight personnel for each AI deployment",
        "large": "∙ AI oversight program\n∙ Named oversight roles with documented responsibilities",
        "enterprise": "∙ Enterprise AI human oversight framework\n∙ AI governance roles (AI Officer, AI Ethics Board)\n∙ Oversight dashboards"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 14.2"
        ]
      }
    },
    {
      "control_id": "AAT-22.2",
      "title": "AI & Autonomous Technologies Oversight Measures",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) oversight measures are commensurate with the:\n(1) Assessed risk(s); \n(2) Level of autonomy; and \n(3) Context of use.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) oversight measures are commensurate with the:\n(1) Assessed risk(s); \n(2) Level of autonomy; and \n(3) Context of use?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AAT oversight measures are commensurate with the:\n(1) Assessed risk(s); \n(2) Level of autonomy; and \n(3) Context of use.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Match oversight intensity to AI tool risk level",
        "small": "∙ Tiered oversight based on AI risk assessment",
        "medium": "∙ Formal oversight measures proportionate to AI risk level",
        "large": "∙ Risk-tiered AI oversight program\n∙ Automated oversight for low-risk AI",
        "enterprise": "∙ Enterprise risk-tiered AI oversight framework\n∙ Automated monitoring for low-risk\n∙ Intensive human review for high-risk"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 14.3"
        ]
      }
    },
    {
      "control_id": "AAT-22.3",
      "title": "AI & Autonomous Technologies Separate Verification",
      "family": "AAT",
      "description": "Mechanisms exist to ensure no action or decision is taken by the deployer of an Artificial Intelligence (AI) and Autonomous Technologies (AAT) based solely on AAT-generated evidence, unless that evidence has been separately verified and confirmed by at least two (2) individuals with the necessary competence, training and authority.",
      "scf_question": "Does the organization ensure no action or decision is taken by the deployer of an Artificial Intelligence (AI) and Autonomous Technologies (AAT) based solely on AAT-generated evidence, unless that evidence has been separately verified and confirmed by at least two (2) individuals with the necessary competence, training and authority?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure no action or decision is taken by the deployer of an AAT based solely on AAT-generated evidence, unless that evidence has been separately verified and confirmed by at least two (2) individuals with the necessary competence, training and authority.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Policy requiring corroboration of AI decisions before acting on them",
        "small": "∙ Policy requiring human verification of AI-generated decisions",
        "medium": "∙ Formal policy requiring independent verification of AI outputs for high-stakes decisions",
        "large": "∙ AI decision verification program\n∙ Automated checks for critical AI decisions",
        "enterprise": "∙ Enterprise AI decision governance framework\n∙ Automated verification workflows\n∙ Audit trails for AI-influenced decisions"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 14.4(b)",
          "Article 14.4(c)",
          "Article 14.5"
        ]
      }
    },
    {
      "control_id": "AAT-22.4",
      "title": "AI & Autonomous Technologies Oversight Functions Competency",
      "family": "AAT",
      "description": "Mechanisms exist to ensure the deployment of Artificial Intelligence (AI) and Autonomous Technologies (AAT) assigns human oversight to individuals who have the necessary:\n(1) Competence;\n(2) Training;\n(3) Authority; and\n(4) Resources.",
      "scf_question": "Does the organization ensure the deployment of Artificial Intelligence (AI) and Autonomous Technologies (AAT) assigns human oversight to individuals who have the necessary:\n(1) Competence;\n(2) Training;\n(3) Authority; and\n(4) Resources?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the deployment of AAT assigns human oversight to individuals who have the necessary:\n(1) Competence;\n(2) Training;\n(3) Authority; and\n(4) Resources.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Train AI system operators on oversight responsibilities",
        "small": "∙ Training program for personnel overseeing AI systems",
        "medium": "∙ Formal AI oversight training program\n∙ Competency requirements for AI oversight roles",
        "large": "∙ AI training and certification program for oversight personnel",
        "enterprise": "∙ Enterprise AI training and certification program\n∙ Role-based AI competency framework\n∙ Continuous learning program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 26.2"
        ]
      }
    },
    {
      "control_id": "AAT-22.5",
      "title": "AI & Autonomous Technologies Data Relevance",
      "family": "AAT",
      "description": "Mechanisms exist to ensure the input to Artificial Intelligence (AI) and Autonomous Technologies (AAT) is relevant to the intended purpose of the AAT.",
      "scf_question": "Does the organization ensure the input to Artificial Intelligence (AI) and Autonomous Technologies (AAT) is relevant to the intended purpose of the AAT?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the input to AAT is relevant to the intended purpose of the AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Validate that inputs to AI tools are relevant before submitting",
        "small": "∙ Policy requiring relevance checking of AI inputs",
        "medium": "∙ Formal AI input validation policy\n∙ Input relevance criteria documentation",
        "large": "∙ Input validation controls for AI systems\n∙ Automated input filtering",
        "enterprise": "∙ Enterprise AI input governance framework\n∙ Automated input validation and filtering\n∙ Data quality controls for AI pipelines"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 26.4"
        ]
      }
    },
    {
      "control_id": "AAT-22.6",
      "title": "AI & Autonomous Technologies Irregularity Reporting",
      "family": "AAT",
      "description": "Mechanisms exist to ensure serious incidents and/or irregularities associated with the deployment of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are reported without delay to the:\n(1) AAT provider;\n(2) AAT importer or distributor, if applicable; and/or\n(3) Local law authorities and/or governmental agency, as required.",
      "scf_question": "Does the organization ensure serious incidents and/or irregularities associated with the deployment of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are reported without delay to the:\n(1) AAT provider;\n(2) AAT importer or distributor, if applicable; and/or\n(3) Local law authorities and/or governmental agency, as required?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure serious incidents and/or irregularities associated with the deployment of AAT are reported without delay to the:\n(1) AAT provider;\n(2) AAT importer or distributor, if applicable; and/or\n(3) Local law authorities and/or governmental agency, as required.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Report serious AI incidents and irregularities to management",
        "small": "∙ Incident reporting procedure for AI irregularities",
        "medium": "∙ Formal AI incident and irregularity reporting policy\n∙ Regulatory reporting contacts",
        "large": "∙ AI incident response program with regulatory reporting integration",
        "enterprise": "∙ Enterprise AI incident management platform\n∙ Automated regulatory notification\n∙ Legal and compliance integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 26.5"
        ]
      }
    },
    {
      "control_id": "AAT-22.7",
      "title": "AI & Autonomous Technologies Use Notification To Employees",
      "family": "AAT",
      "description": "Mechanisms exist to ensure employees, including workers' representatives, are informed about Artificial Intelligence (AI) and Autonomous Technologies (AAT) deployments, prior to the use of the AAT in a production environment.",
      "scf_question": "Does the organization ensure employees, including workers' representatives, are informed about Artificial Intelligence (AI) and Autonomous Technologies (AAT) deployments, prior to the use of the AAT in a production environment?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure employees, including workers' representatives, are informed about AAT deployments, prior to the use of the AAT in a production environment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Inform employees of AI tools being used in their work",
        "small": "∙ Policy requiring employee notification of AI tools affecting their work",
        "medium": "∙ Formal employee notification policy for AI deployments\n∙ Communication procedures",
        "large": "∙ AI transparency program for employees\n∙ Works council/union notification as required",
        "enterprise": "∙ Enterprise AI employee transparency framework\n∙ Formal notification procedures\n∙ Labor law compliance tracking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-5.1-003"
        ],
        "emea-eu-ai-act-2024": [
          "Article 26.7"
        ]
      }
    },
    {
      "control_id": "AAT-22.8",
      "title": "AI & Autonomous Technologies Use Notification To Users",
      "family": "AAT",
      "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) that make decisions, or assist in making decisions, inform the people in a clear manner that they are:\n(1) Utilizing an AAT solution; and\n(2) Expected to validate the output for relevance and accuracy.",
      "scf_question": "Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) that make decisions, or assist in making decisions, inform the people in a clear manner that they are:\n(1) Utilizing an AAT solution; and\n(2) Expected to validate the output for relevance and accuracy?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AAT that make decisions, or assist in making decisions, inform the people in a clear manner that they are:\n(1) Utilizing an AAT solution; and\n(2) Expected to validate the output for relevance and accuracy.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Inform users when AI is making or assisting decisions affecting them",
        "small": "∙ User notification policy for AI-assisted decisions",
        "medium": "∙ Formal user notification policy and procedures for AI decision support",
        "large": "∙ AI user transparency program\n∙ Automated user notifications for AI decisions",
        "enterprise": "∙ Enterprise AI user transparency framework\n∙ Automated disclosure mechanisms\n∙ Regulatory compliance (EU AI Act, GDPR)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-5.1-003"
        ],
        "emea-eu-ai-act-2024": [
          "Article 26.11",
          "Article 50.1",
          "Article 50.3",
          "Article 50.5"
        ]
      }
    },
    {
      "control_id": "AAT-23",
      "title": "AI & Autonomous Technologies Output Marking",
      "family": "AAT",
      "description": "Mechanisms exist to mark output from Artificial Intelligence (AI) and Autonomous Technologies (AAT) in a machine-readable format so it is detectable as artificially generated or manipulated.",
      "scf_question": "Does the organization mark output from Artificial Intelligence (AI) and Autonomous Technologies (AAT) in a machine-readable format so it is detectable as artificially generated or manipulated?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to mark output from AAT in a machine-readable format so it is detectable as artificially generated or manipulated.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Label AI-generated content when distributing it",
        "small": "∙ Policy requiring labeling of AI-generated content",
        "medium": "∙ Formal AI content marking policy\n∙ Machine-readable metadata for AI content",
        "large": "∙ AI content marking program\n∙ Technical implementation of C2PA or similar standards",
        "enterprise": "∙ Enterprise AI content marking framework\n∙ C2PA standard implementation\n∙ Automated content marking in AI pipelines"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-4.1-009"
        ],
        "emea-eu-ai-act-2024": [
          "Article 50.2",
          "Article 50.4"
        ]
      }
    },
    {
      "control_id": "AAT-24",
      "title": "Real World Testing of AI & Autonomous Technologies",
      "family": "AAT",
      "description": "Mechanisms exist to obtain consent from the subjects of testing Artificial Intelligence (AI) and Autonomous Technologies (AAT):\n(1) Prior to their participation in such testing; and\n(2) After they have been provided with clear and concise information regarding the testing.",
      "scf_question": "Does the organization obtain consent from the subjects of testing Artificial Intelligence (AI) and Autonomous Technologies (AAT):\n(1) Prior to their participation in such testing; and\n(2) After they have been provided with clear and concise information regarding the testing?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain consent from the subjects of testing AAT:\n(1) Prior to their participation in such testing; and\n(2) After they have been provided with clear and concise information regarding the testing.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Obtain written consent before using individuals in AI testing",
        "small": "∙ Consent procedures for AI real-world testing participants",
        "medium": "∙ Formal consent process for AI testing subjects\n∙ Pre- and post-testing consent",
        "large": "∙ AI testing consent management program\n∙ Ethics review for sensitive AI testing",
        "enterprise": "∙ Enterprise AI testing ethics program\n∙ Formal consent management platform\n∙ Ethics review board\n∙ Regulatory compliance for AI testing"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 9.7",
          "Article 61.1",
          "Article 61.1(a)",
          "Article 61.1(b)",
          "Article 61.1(c)",
          "Article 61.1(d)",
          "Article 61.1(e)",
          "Article 61.2"
        ]
      }
    },
    {
      "control_id": "AAT-25",
      "title": "AI & Autonomous Technologies System Value Chain",
      "family": "AAT",
      "description": "Mechanisms exist to document the sequence of events and relevant stakeholders involved in creating and deploying Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization document the sequence of events and relevant stakeholders involved in creating and deploying Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document the sequence of events and relevant stakeholders involved in creating and deploying AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document stakeholders involved in AI tool creation and deployment",
        "small": "∙ AI value chain documentation for key tools",
        "medium": "∙ Formal AI system value chain documentation policy",
        "large": "∙ AI supply chain documentation program\n∙ Third-party risk integration",
        "enterprise": "∙ Enterprise AI supply chain transparency platform\n∙ Automated value chain mapping\n∙ SBOM for AI"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.2-001",
          "MS-4.2-002"
        ]
      }
    },
    {
      "control_id": "AAT-25.1",
      "title": "AI & Autonomous Technologies System Value Chain Fallbacks",
      "family": "AAT",
      "description": "Mechanisms exist to identify:\n(1) Over-reliance on third-party data with Artificial Intelligence (AI) and Autonomous Technologies (AAT); and\n(2) Fallback methods to address the inability to access third-party data, as necessary.",
      "scf_question": "Does the organization identify:\n(1) Over-reliance on third-party data with Artificial Intelligence (AI) and Autonomous Technologies (AAT); and\n(2) Fallback methods to address the inability to access third-party data, as necessary?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify:\n(1) Over-reliance on third-party data with AAT; and\n(2) Fallback methods to address the inability to access third-party data, as necessary.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Identify backup approaches if AI vendor data becomes unavailable",
        "small": "∙ Identify third-party data dependencies and fallback options",
        "medium": "∙ Formal AI data dependency risk assessment\n∙ Documented fallback methods",
        "large": "∙ AI supply chain resilience program\n∙ Fallback procedures for third-party data outages",
        "enterprise": "∙ Enterprise AI supply chain resilience framework\n∙ Automated dependency monitoring\n∙ Fallback system automation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.2-001",
          "GV-6.2-006"
        ]
      }
    },
    {
      "control_id": "AAT-26",
      "title": "AI & Autonomous Technologies Testing Techniques",
      "family": "AAT",
      "description": "Mechanisms exist to develop and implement fact-checking techniques to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization develop and implement fact-checking techniques to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop and implement fact-checking techniques to verify the accuracy and veracity of information generated by AAT.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Verify AI-generated content before acting on it",
        "small": "∙ Fact-checking procedures for AI-generated content",
        "medium": "∙ Formal AI output verification policy\n∙ Fact-checking techniques for AI content",
        "large": "∙ AI content verification program\n∙ Automated fact-checking tools integration",
        "enterprise": "∙ Enterprise AI content verification framework\n∙ AI fact-checking tools\n∙ Automated hallucination detection"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-2.3-003",
          "MS-1.1-002",
          "MS-2.2-002",
          "MS-2.5-003",
          "MS-2.6-004",
          "MS-2.9-001",
          "MS-2.11-001",
          "MS-4.2-001",
          "MG-3.1-004"
        ]
      }
    },
    {
      "control_id": "AAT-26.1",
      "title": "Generative Artificial Intelligence (GAI) Identification",
      "family": "AAT",
      "description": "Mechanisms exist to develop and implement testing techniques to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media).",
      "scf_question": "Does the organization develop and implement testing techniques to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop and implement testing techniques to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review AI-generated content for synthetic indicators",
        "small": "∙ Procedures to identify GAI-produced content",
        "medium": "∙ Formal GAI identification policy\n∙ Testing techniques for synthetic media detection",
        "large": "∙ GAI detection program\n∙ AI content detection tools",
        "enterprise": "∙ Enterprise synthetic media detection platform\n∙ AI-generated content classifiers\n∙ Digital watermarking integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-2.3-004",
          "MS-2.5-004",
          "MS-2.8-003"
        ]
      }
    },
    {
      "control_id": "AAT-26.2",
      "title": "AI & Autonomous Technologies Capabilities Testing",
      "family": "AAT",
      "description": "Mechanisms exist to delineate human proficiency tests from tests of Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities.",
      "scf_question": "Does the organization delineate human proficiency tests from tests of Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to delineate human proficiency tests from tests of AAT capabilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document how AI capabilities are tested separately from human performance",
        "small": "∙ Policy delineating AI capability tests from human proficiency tests",
        "medium": "∙ Formal AI capability testing procedures\n∙ Separate benchmarks for AI vs. human performance",
        "large": "∙ AI capability testing program with delineated human vs. AI benchmarks",
        "enterprise": "∙ Enterprise AI capability evaluation framework\n∙ Standardized AI benchmarking\n∙ Independent verification of AI claims"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-3.4-004"
        ]
      }
    },
    {
      "control_id": "AAT-26.3",
      "title": "Real-World Testing",
      "family": "AAT",
      "description": "Mechanisms exist to include relevant end-users, practitioners and operators in Artificial Intelligence (AI) and Autonomous Technologies (AAT) prototyping and testing activities to cover:\n(1) Applicable use case scenarios;\n(2) Crisis situations; and/or \n(3) Ethically sensitive contexts.",
      "scf_question": "Does the organization include relevant end-users, practitioners and operators in Artificial Intelligence (AI) and Autonomous Technologies (AAT) prototyping and testing activities to cover:\n(1) Applicable use case scenarios;\n(2) Crisis situations; and/or \n(3) Ethically sensitive contexts?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include relevant end-users, practitioners and operators in AAT prototyping and testing activities to cover:\n(1) Applicable use case scenarios;\n(2) Crisis situations; and/or \n(3) Ethically sensitive contexts.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Include end-users in testing AI tools before deployment",
        "small": "∙ User acceptance testing (UAT) for AI tools with relevant end-users",
        "medium": "∙ Formal user involvement policy in AI prototyping and testing",
        "large": "∙ AI user testing program\n∙ Structured end-user, practitioner, and operator testing",
        "enterprise": "∙ Enterprise AI user testing framework\n∙ Diverse stakeholder involvement\n∙ Formal UAT program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-3.4-006",
          "MS-1.1-008"
        ]
      }
    },
    {
      "control_id": "AAT-26.4",
      "title": "Documenting Testing Guidance",
      "family": "AAT",
      "description": "Mechanisms exist to document the instructions given to:\n(1) Data annotators; and/or \n(2) Artificial Intelligence (AI) and Autonomous Technologies (AAT) red-teamers.",
      "scf_question": "Does the organization document the instructions given to:\n(1) Data annotators; and/or \n(2) Artificial Intelligence (AI) and Autonomous Technologies (AAT) red-teamers?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document the instructions given to:\n(1) Data annotators; and/or \n(2) AAT red-teamers.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document instructions given to AI testers",
        "small": "∙ Written documentation of instructions to AI data annotators and testers",
        "medium": "∙ Formal documentation policy for AI testing guidance\n∙ Annotator and red-teamer instruction records",
        "large": "∙ AI testing documentation program\n∙ Standardized annotator and red-teamer guidance",
        "enterprise": "∙ Enterprise AI testing governance framework\n∙ Centralized testing documentation repository\n∙ Standardized red-team documentation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.8-002"
        ]
      }
    },
    {
      "control_id": "AAT-27",
      "title": "AI & Autonomous Technologies Output Filtering",
      "family": "AAT",
      "description": "Mechanisms exist to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from generating content that is:\n(1) Inappropriate;\n(2) Harmful;\n(3) False;\n(4) Illegal; and/or\n(5) Violent.",
      "scf_question": "Does the organization prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from generating content that is:\n(1) Inappropriate;\n(2) Harmful;\n(3) False;\n(4) Illegal; and/or\n(5) Violent?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions on what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent AAT from generating content that is:\n(1) Inappropriate;\n(2) Harmful;\n(3) False;\n(4) Illegal; and/or\n(5) Violent.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configure AI tools to filter inappropriate/harmful outputs",
        "small": "∙ Output filtering settings for AI tools\n∙ Review AI vendor content filtering capabilities",
        "medium": "∙ Formal AI output filtering policy\n∙ Technical controls for content filtering",
        "large": "∙ AI content moderation program\n∙ Automated output filtering tools",
        "enterprise": "∙ Enterprise AI content governance platform\n∙ AI output filtering (AWS Guardrails, Azure Content Safety)\n∙ Custom content policies"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-1.1-004",
          "MP-4.1-009",
          "MG-2.2-005",
          "MG-3.2-005"
        ]
      }
    },
    {
      "control_id": "AAT-27.1",
      "title": "Human Moderation",
      "family": "AAT",
      "description": "Mechanisms exist to assign personnel to review Artificial Intelligence (AI) and Autonomous Technologies (AAT)-generated content for alignment with culturally accepted norms.",
      "scf_question": "Does the organization assign personnel to review Artificial Intelligence (AI) and Autonomous Technologies (AAT)-generated content for alignment with culturally accepted norms?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assign personnel to review AAT-generated content for alignment with culturally accepted norms.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Assign someone to review AI-generated content before publishing",
        "small": "∙ Policy requiring human review of AI-generated content",
        "medium": "∙ Formal human moderation policy and procedures for AI content",
        "large": "∙ AI content moderation team\n∙ Structured review process for AI content",
        "enterprise": "∙ Enterprise AI content moderation program\n∙ Dedicated moderation team\n∙ Automated pre-screening with human review"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MG-3.2-008"
        ]
      }
    },
    {
      "control_id": "AAT-28",
      "title": "AI Model Resilience",
      "family": "AAT",
      "description": "Mechanisms exist to ensure AI models are designed with resilience capabilities that are sufficient to withstand reasonable threats.",
      "scf_question": "Does the organization ensure AI models are designed with resilience capabilities that are sufficient to withstand reasonable threats?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AI models are designed with resilience capabilities that are sufficient to withstand reasonable threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Choose AI tools from vendors with documented resilience capabilities",
        "small": "∙ Resilience requirements in AI tool selection criteria",
        "medium": "∙ Formal AI resilience requirements in development/procurement standards",
        "large": "∙ AI resilience testing program\n∙ Vendor resilience requirements",
        "enterprise": "∙ Enterprise AI resilience framework\n∙ Adversarial robustness testing\n∙ Redundancy and failover for AI systems"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-28.1",
      "title": "Model Pollution",
      "family": "AAT",
      "description": "Mechanisms exist to prevent \"model pollution\" due to accidental and/or malicious inputs by an AI agent that can negatively alter the AI model.",
      "scf_question": "Does the organization prevent \"model pollution\" due to accidental and/or malicious inputs by an AI agent that can negatively alter the AI model?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent \"model pollution\" due to accidental and/or malicious inputs by an AI agent that can negatively alter the AI model.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Restrict who can provide inputs to AI models",
        "small": "∙ Access controls and input validation for AI models",
        "medium": "∙ Formal model pollution prevention policy\n∙ Input validation controls",
        "large": "∙ AI model integrity program\n∙ Input validation, sanitization, and access controls",
        "enterprise": "∙ Enterprise AI model integrity framework\n∙ Differential privacy techniques\n∙ Input validation and anomaly detection"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-28.2",
      "title": "Cascading Hallucination Defense",
      "family": "AAT",
      "description": "Mechanisms exist to detect and prevent the propagation of false data (e.g., hallucinations) within the AI model or between AI agents.",
      "scf_question": "Does the organization detect and prevent the propagation of false data (e.g., hallucinations) within the AI model or between AI agents?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to detect and prevent the propagation of false data (e.g., hallucinations) within the AI model or between AI agents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review AI outputs for signs of hallucination before use",
        "small": "∙ Procedures to detect and prevent AI hallucination propagation",
        "medium": "∙ Formal hallucination detection and prevention policy",
        "large": "∙ AI hallucination detection program\n∙ Technical controls to isolate false data propagation",
        "enterprise": "∙ Enterprise AI hallucination prevention framework\n∙ RAG architecture\n∙ Automated hallucination detection tools"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-28.3",
      "title": "Resource Exhaustion & DoS Resilience",
      "family": "AAT",
      "description": "Mechanisms exist to monitor and prevent resource overload or Denial of Service (DoS) conditions through:\n(1) Enforcement of quotas;\n(2) Workload controls; and \n(3) Auto-suspension of runaway AI agent processes.",
      "scf_question": "Does the organization monitor and prevent resource overload or Denial of Service (DoS) conditions through:\n(1) Enforcement of quotas;\n(2) Workload controls; and \n(3) Auto-suspension of runaway AI agent processes?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to monitor and prevent resource overload or Denial of Service (DoS) conditions through:\n(1) Enforcement of quotas;\n(2) Workload controls; and \n(3) Auto-suspension of runaway AI agent processes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Monitor AI tool resource usage and set limits",
        "small": "∙ Resource quotas for AI tool usage\n∙ Monitor for unusual resource consumption",
        "medium": "∙ Formal AI resource management policy\n∙ Quotas, workload controls, and monitoring",
        "large": "∙ AI resource governance program\n∙ Automated monitoring and auto-suspension capabilities",
        "enterprise": "∙ Enterprise AI resource management platform\n∙ Automated quota enforcement\n∙ Auto-scaling and auto-suspension"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29",
      "title": "AI Agent Governance",
      "family": "AAT",
      "description": "Mechanisms exist to ensure AI agents are designed, developed and deployed to securely operate under human oversight.",
      "scf_question": "Does the organization ensure AI agents are designed, developed and deployed to securely operate under human oversight?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ AAT is regarded as a technology and governed by the entity's existing IT governance practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC functions are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AI agents are designed, developed and deployed to securely operate under human oversight.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document oversight requirements for any AI agent deployments",
        "small": "∙ AI agent governance policy with human oversight requirements",
        "medium": "∙ Formal AI agent governance framework\n∙ Human oversight requirements",
        "large": "∙ AI agent governance program\n∙ Formal oversight model with defined roles and controls",
        "enterprise": "∙ Enterprise AI agent governance framework\n∙ Dedicated AI agent oversight team\n∙ Zero-trust agent architecture"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.1",
      "title": "Infrastructure Hardening & Isolation",
      "family": "AAT",
      "description": "Mechanisms exist to protect, isolate and harden infrastructure resources used by AI agents, including:\n(1) Resource allocation;\n(2) Privilege management;\n(3) Network segmentation; and \n(4) Workload isolation.",
      "scf_question": "Does the organization protect, isolate and harden infrastructure resources used by AI agents, including:\n(1) Resource allocation;\n(2) Privilege management;\n(3) Network segmentation; and \n(4) Workload isolation?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect, isolate and harden infrastructure resources used by AI agents, including:\n(1) Resource allocation;\n(2) Privilege management;\n(3) Network segmentation; and \n(4) Workload isolation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use isolated environments for any AI agent deployments",
        "small": "∙ Network isolation and least-privilege for AI agent infrastructure",
        "medium": "∙ Formal AI agent infrastructure hardening policy\n∙ Isolation and privilege controls",
        "large": "∙ AI agent infrastructure hardening program\n∙ Network segmentation, privilege management",
        "enterprise": "∙ Enterprise AI agent infrastructure security framework\n∙ Zero-trust network architecture\n∙ Container isolation (e.g., Kubernetes)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.2",
      "title": "AI Agent Limitations",
      "family": "AAT",
      "description": "Mechanisms exist to implement limitations for AI agents according to:\n(1) Least privileges, where the AI agent operates with the minimal permissions necessary to perform designated tasks; and\n(2) Least functionality, where the AI agent is restricted to communicate with the minimal Technology Assets, Applications and/or Services (TAAS) and networks necessary to perform designated tasks.",
      "scf_question": "Does the organization implement limitations for AI agents according to:\n(1) Least privileges, where the AI agent operates with the minimal permissions necessary to perform designated tasks; and\n(2) Least functionality, where the AI agent is restricted to communicate with the minimal Technology Assets, Applications and/or Services (TAAS) and networks necessary to perform designated tasks?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement limitations for AI agents according to:\n(1) Least privileges, where the AI agent operates with the minimal permissions necessary to perform designated tasks; and\n(2) Least functionality, where the AI agent is restricted to communicate with the minimal Technology Assets, Applications and/or Services (TAAS) and networks necessary to perform designated tasks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Apply least privilege to AI agent accounts/access",
        "small": "∙ Least-privilege and minimal footprint for AI agent configurations",
        "medium": "∙ Formal AI agent access control policy with least-privilege requirements",
        "large": "∙ AI agent privilege management program\n∙ Automated enforcement of least-privilege",
        "enterprise": "∙ Enterprise AI agent access governance platform\n∙ PAM integration for AI agents\n∙ Just-in-time access for AI agents"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.3",
      "title": "Tool & API Invocation Controls",
      "family": "AAT",
      "description": "Mechanisms exist to authenticate, authorize, validate and monitor all tool and Application Programming Interface (API) invocations by AI agents, including;\n(1) Schema validation;\n(2) Rate limiting;\n(3) Access controls; and\n(4) Output validation.",
      "scf_question": "Does the organization authenticate, authorize, validate and monitor all tool and Application Programming Interface (API) invocations by AI agents, including;\n(1) Schema validation;\n(2) Rate limiting;\n(3) Access controls; and\n(4) Output validation?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to authenticate, authorize, validate and monitor all tool and Application Programming Interface (API) invocations by AI agents, including;\n(1) Schema validation;\n(2) Rate limiting;\n(3) Access controls; and\n(4) Output validation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Authenticate and log AI agent tool/API calls",
        "small": "∙ API key management and logging for AI agent tool calls",
        "medium": "∙ Formal AI agent tool invocation control policy\n∙ Authentication, authorization, and logging",
        "large": "∙ AI agent API governance program\n∙ Schema validation, rate limiting, and audit logging",
        "enterprise": "∙ Enterprise AI agent API security platform\n∙ Zero-trust API security\n∙ Automated schema validation\n∙ Rate limiting and anomaly detection"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.4",
      "title": "Orchestration Protocol Safeguards",
      "family": "AAT",
      "description": "Mechanisms exist to validate, secure and restrict AI agent orchestration protocols to prevent:\n(1) Unauthorized tool chaining;\n(2) Context manipulation; and/or\n(3) Protocol-based escalation.",
      "scf_question": "Does the organization validate, secure and restrict AI agent orchestration protocols to prevent:\n(1) Unauthorized tool chaining;\n(2) Context manipulation; and/or\n(3) Protocol-based escalation?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to validate, secure and restrict AI agent orchestration protocols to prevent:\n(1) Unauthorized tool chaining;\n(2) Context manipulation; and/or\n(3) Protocol-based escalation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Limit AI agents to approved tools only",
        "small": "∙ Whitelist approved tools/protocols for AI agents",
        "medium": "∙ Formal AI agent orchestration security policy\n∙ Protocol safeguards",
        "large": "∙ AI agent orchestration security program\n∙ Protocol validation and restriction controls",
        "enterprise": "∙ Enterprise AI agent orchestration security framework\n∙ Automated protocol enforcement\n∙ Context integrity validation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.5",
      "title": "Data Pipeline & Input Integrity",
      "family": "AAT",
      "description": "Mechanisms exist to validate, sanitize and monitor all data inputs and retrieval pipelines for AI agents to:\n(1) Ensure data provenance; and \n(2) Prevent unauthorized access risks (e.g., injection, manipulation or exfiltration).",
      "scf_question": "Does the organization validate, sanitize and monitor all data inputs and retrieval pipelines for AI agents to:\n(1) Ensure data provenance; and \n(2) Prevent unauthorized access risks (e.g., injection, manipulation or exfiltration)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to validate, sanitize and monitor all data inputs and retrieval pipelines for AI agents to:\n(1) Ensure data provenance; and \n(2) Prevent unauthorized access risks (e.g., injection, manipulation or exfiltration).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Validate inputs to AI agents before processing",
        "small": "∙ Input validation and sanitization for AI agent data pipelines",
        "medium": "∙ Formal AI agent input integrity policy\n∙ Validation and sanitization procedures",
        "large": "∙ AI agent data pipeline security program\n∙ Automated input validation and provenance tracking",
        "enterprise": "∙ Enterprise AI agent data integrity platform\n∙ Data provenance tools\n∙ Automated sanitization pipelines"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.6",
      "title": "Privileged Role & Delegation Boundaries",
      "family": "AAT",
      "description": "Mechanisms exist to prevent privilege escalation or unauthorized delegation by AI agents by:\n(1) Monitoring and enforcing dynamic roles; and\n(2) Establishing cross-agent delegation boundaries and privileged actions.",
      "scf_question": "Does the organization prevent privilege escalation or unauthorized delegation by AI agents by:\n(1) Monitoring and enforcing dynamic roles; and\n(2) Establishing cross-agent delegation boundaries and privileged actions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent privilege escalation or unauthorized delegation by AI agents by:\n(1) Monitoring and enforcing dynamic roles; and\n(2) Establishing cross-agent delegation boundaries and privileged actions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.7",
      "title": "AI Agent Data Access Restrictions",
      "family": "AAT",
      "description": "Mechanisms exist to restrict agent access to sensitive/regulated data so that AI agents cannot ingest, generate or act on unauthorized data.",
      "scf_question": "Does the organization restrict agent access to sensitive/regulated data so that AI agents cannot ingest, generate or act on unauthorized data?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict agent access to sensitive/regulated data so that AI agents cannot ingest, generate or act on unauthorized data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.8",
      "title": "Data Extraction",
      "family": "AAT",
      "description": "Mechanisms exist to prevent AI agents from extracting sensitive/regulated data from volatile memory that can be exploited at a later point.",
      "scf_question": "Does the organization prevent AI agents from extracting sensitive/regulated data from volatile memory that can be exploited at a later point?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent AI agents from extracting sensitive/regulated data from volatile memory that can be exploited at a later point.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.9",
      "title": "AI Agent Identity & Impersonation Defense",
      "family": "AAT",
      "description": "Mechanisms exist to ensure user identification and authentication methods are capable of preventing AI agents from \n(1) Spoofing;\n(2) Mimicry; and/or\n(3) Impersonation attacks.",
      "scf_question": "Does the organization ensure user identification and authentication methods are capable of preventing AI agents from \n(1) Spoofing;\n(2) Mimicry; and/or\n(3) Impersonation attacks?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure user identification and authentication methods are capable of preventing AI agents from \n(1) Spoofing;\n(2) Mimicry; and/or\n(3) Impersonation attacks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.10",
      "title": "AI Agent Logic Integrity",
      "family": "AAT",
      "description": "Mechanisms exist to prevent AI agent logic from being subverted or manipulated.",
      "scf_question": "Does the organization prevent AI agent logic from being subverted or manipulated?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent AI agent logic from being subverted or manipulated.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.11",
      "title": "Sandboxing AI Agents",
      "family": "AAT",
      "description": "Mechanisms exist to utilize a \"sandbox\" capability to restrict AI agents from unrestricted access to both local and remote resources.",
      "scf_question": "Does the organization utilize a \"sandbox\" capability to restrict AI agents from unrestricted access to both local and remote resources?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize a \"sandbox\" capability to restrict AI agents from unrestricted access to both local and remote resources.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.12",
      "title": "Prompt Injection Defense",
      "family": "AAT",
      "description": "Mechanisms exist to detect and mitigate prompt injection / input attacks that seek to manipulate AI agent instructions, bypass security, compliance and/or resilience controls or result in unauthorized actions.",
      "scf_question": "Does the organization detect and mitigate prompt injection / input attacks that seek to manipulate AI agent instructions, bypass security, compliance and/or resilience controls or result in unauthorized actions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to detect and mitigate prompt injection / input attacks that seek to manipulate AI agent instructions, bypass security, compliance and/or resilience controls or result in unauthorized actions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.13",
      "title": "Agent Kill Switch / User Control",
      "family": "AAT",
      "description": "Mechanisms exist to allow authorized users or operators to immediately halt or disable AI agent activity in case of unexpected behavior or harm.",
      "scf_question": "Does the organization allow authorized users or operators to immediately halt or disable AI agent activity in case of unexpected behavior or harm?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to allow authorized users or operators to immediately halt or disable AI agent activity in case of unexpected behavior or harm.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.14",
      "title": "Adversarial & Red Team Testing",
      "family": "AAT",
      "description": "Mechanisms exist to regularly conduct adversarial testing that simulates attacks against AI agents to identify and mitigate vulnerabilities.",
      "scf_question": "Does the organization regularly conduct adversarial testing that simulates attacks against AI agents to identify and mitigate vulnerabilities?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to regularly conduct adversarial testing that simulates attacks against AI agents to identify and mitigate vulnerabilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.15",
      "title": "Self-Modification Controls",
      "family": "AAT",
      "description": "Mechanisms exist to control, restrict and log AI agent self-modification.",
      "scf_question": "Does the organization control, restrict and log AI agent self-modification?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to control, restrict and log AI agent self-modification.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.16",
      "title": "Purging AI Agent Data",
      "family": "AAT",
      "description": "Mechanisms exist to restrict purging of any persistent memory or long-term data used by AI agents.",
      "scf_question": "Does the organization restrict purging of any persistent memory or long-term data used by AI agents?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict purging of any persistent memory or long-term data used by AI agents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.17",
      "title": "Delegation and Chaining Control",
      "family": "AAT",
      "description": "Mechanisms exist to restrict agentic delegation, chaining and multi-agent communication to prevent unauthorized task escalation or emergent risks.",
      "scf_question": "Does the organization restrict agentic delegation, chaining and multi-agent communication to prevent unauthorized task escalation or emergent risks?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict agentic delegation, chaining and multi-agent communication to prevent unauthorized task escalation or emergent risks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.18",
      "title": "Behavioral Drift Detection",
      "family": "AAT",
      "description": "Mechanisms exist to continuously monitor for behavioral drift or deviation from established AI agent baselines.",
      "scf_question": "Does the organization continuously monitor for behavioral drift or deviation from established AI agent baselines?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to continuously monitor for behavioral drift or deviation from established AI agent baselines.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.19",
      "title": "AI Agent Action Authentication & Authorization",
      "family": "AAT",
      "description": "Mechanisms exist to ensure that all AI agent-initiated actions are properly mapped to authenticated user or system identities, with enforced authorization checks.",
      "scf_question": "Does the organization ensure that all AI agent-initiated actions are properly mapped to authenticated user or system identities, with enforced authorization checks?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that all AI agent-initiated actions are properly mapped to authenticated user or system identities, with enforced authorization checks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.20",
      "title": "Transparency & Audit",
      "family": "AAT",
      "description": "Mechanisms exist to provide comprehensive audit trails of AI agent actions including:\n(1) Rationales; and \n(2) User/trigger mappings.",
      "scf_question": "Does the organization provide comprehensive audit trails of AI agent actions including:\n(1) Rationales; and \n(2) User/trigger mappings?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide comprehensive audit trails of AI agent actions including:\n(1) Rationales; and \n(2) User/trigger mappings.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.21",
      "title": "Explainability",
      "family": "AAT",
      "description": "Mechanisms exist to:\n(1) Provide human-understandable explanations for significant AI agent actions or decisions; and \n(2) Enable users to contest outcomes.",
      "scf_question": "Does the organization:\n(1) Provide human-understandable explanations for significant AI agent actions or decisions; and \n(2) Enable users to contest outcomes?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to:\n(1) Provide human-understandable explanations for significant AI agent actions or decisions; and \n(2) Enable users to contest outcomes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.22",
      "title": "Ethics, Fairness & Bias Detection",
      "family": "AAT",
      "description": "Mechanisms exist to detect unfair, unethical or biased AI agent actions.",
      "scf_question": "Does the organization detect unfair, unethical or biased AI agent actions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to detect unfair, unethical or biased AI agent actions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-29.23",
      "title": "Agent Output Integrity & Verification",
      "family": "AAT",
      "description": "Mechanisms exist to validate AI agent-generated outputs through the use of:\n(1) Content scanning; and\n(2) Output vetting through human approvals, where appropriate.",
      "scf_question": "Does the organization validate AI agent-generated outputs through the use of:\n(1) Content scanning; and\n(2) Output vetting through human approvals, where appropriate?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to validate AI agent-generated outputs through the use of:\n(1) Content scanning; and\n(2) Output vetting through human approvals, where appropriate.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-30",
      "title": "Agentic Output Traceability & Repudiation",
      "family": "AAT",
      "description": "Mechanisms exist to ensure AI agent actions offer non-repudiation and enable forensic examination to determine accountability.",
      "scf_question": "Does the organization ensure AI agent actions offer non-repudiation and enable forensic examination to determine accountability?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure AI agent actions offer non-repudiation and enable forensic examination to determine accountability.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-30.1",
      "title": "AI Agent Logging",
      "family": "AAT",
      "description": "Mechanisms exist to generate event logs for Artificial Intelligence (AI) and Autonomous Technologies (AAT) actions to ensure transparency and auditability.",
      "scf_question": "Does the organization generate event logs for Artificial Intelligence (AI) and Autonomous Technologies (AAT) actions to ensure transparency and auditability?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to generate event logs for AAT actions to ensure transparency and auditability.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-30.2",
      "title": "Session Management",
      "family": "AAT",
      "description": "Mechanisms exist to control AI agent sessions by:\n(1) Embedding session IDs into the requests to the AI model;\n(2) Implementing capabilities to correlate sessions; and\n(3) Terminating sessions after a defined time period.",
      "scf_question": "Does the organization control AI agent sessions by:\n(1) Embedding session IDs into the requests to the AI model;\n(2) Implementing capabilities to correlate sessions; and\n(3) Terminating sessions after a defined time period?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to control AI agent sessions by:\n(1) Embedding session IDs into the requests to the AI model;\n(2) Implementing capabilities to correlate sessions; and\n(3) Terminating sessions after a defined time period.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-31",
      "title": "Human-in-the-Loop Workload & Manipulation",
      "family": "AAT",
      "description": "Mechanisms exist to prevent cognitive overload or decision fatigue for humans-in-the-loop (HITL) through risk-based prioritization.",
      "scf_question": "Does the organization prevent cognitive overload or decision fatigue for humans-in-the-loop (HITL) through risk-based prioritization?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ AI governance may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent cognitive overload or decision fatigue for humans-in-the-loop (HITL) through risk-based prioritization.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "CORE AI-Enabled Operations",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {}
    },
    {
      "control_id": "AAT-32",
      "title": "Robotic Process Automation (RPA)",
      "family": "AAT",
      "description": "Mechanisms exist to implement Robotic Process Automation (RPA) to improve efficiency, accuracy and speed for high-volume, repetitive and rules-based business processes.",
      "scf_question": "Does the organization implement Robotic Process Automation (RPA) to improve efficiency, accuracy and speed for high-volume, repetitive and rules-based business processes?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ AI governance may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement Robotic Process Automation (RPA) to improve efficiency, accuracy and speed for high-volume, repetitive and rules-based business processes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.2",
          "6.2.2",
          "6.3",
          "6.3.1",
          "6.4",
          "6.4.2",
          "7.6"
        ]
      }
    },
    {
      "control_id": "AAT-32.1",
      "title": "Business Process Task Enumeration",
      "family": "AAT",
      "description": "Mechanisms exist to identify and enumerate business process task activities that can be executed both manually and in an automated fashion.",
      "scf_question": "Does the organization identify and enumerate business process task activities that can be executed both manually and in an automated fashion?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Artificial Intelligence and Autonomous Technology (AAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).\n▪ No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight; the Chief Information Officer (CIO), or similar function, governs technology decisions about what is acceptable for AAT within the organization.",
        "2": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Artificial Intelligence (AI)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ AI governance may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Artificial Intelligence and Autonomous Technology (AAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AAT domain capabilities are well-documented and kept current by process owners.\n▪ An Artificial Intelligence Governance (AIG) team, or similar function, is appropriately staffed and supported to implement and maintain AAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of AI governance, risk management and compliance operations (e.g., dedicated AI governance platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and enumerate business process task activities that can be executed both manually and in an automated fashion.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Formal program with documented processes\n∙ Regular review and testing",
        "large": "∙ Enterprise program with dedicated resources\n∙ Automated tooling\n∙ Metrics tracking",
        "enterprise": "∙ Enterprise platform with dedicated team\n∙ Automated monitoring\n∙ Continuous improvement program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Artificial Intelligence & Autonomous Technologies",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.2.1",
          "6.5.1",
          "6.7.4"
        ]
      }
    },
    {
      "control_id": "AST-01",
      "title": "Asset Governance",
      "family": "AST",
      "description": "Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.",
      "scf_question": "Does the organization facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.",
        "4": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Spreadsheet-based asset inventory\n∙ Designated asset owner responsibility",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Formal asset management policy\n∙ Basic CMDB or asset tracking tool (e.g., Snipe-IT free)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)\n∙ ITAM tool (e.g., ManageEngine AssetExplorer, Snipe-IT, Lansweeper)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB) (e.g., ServiceNow CMDB, Device42)\n∙ ITAM software integrated with procurement and HR offboarding",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Enterprise CMDB (e.g., ServiceNow CMDB, BMC Helix CMDB)\n∙ ITAM integrated with GRC, procurement, and HR systems"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-2",
        "R-GV-4",
        "R-IR-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.1-POF6",
          "CC2.1-POF9",
          "CC3.3-POF1",
          "CC6.1-POF1",
          "CC6.1-POF9"
        ],
        "general-cis-csc-8-1": [
          "1.0",
          "2.0",
          "2.1",
          "2.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.1",
          "2.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.1",
          "2.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.1",
          "2.2"
        ],
        "general-cobit-2019": [
          "BAI09.04",
          "BAI09.05"
        ],
        "general-csa-iot-2": [
          "ASM-02"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.2.1"
        ],
        "general-iso-27002-2022": [
          "5.3",
          "5.31",
          "7.9"
        ],
        "general-iso-27017-2015": [
          "11.2.6"
        ],
        "general-iso-27018-2025": [
          "5.30",
          "5.31",
          "7.9"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-3.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)(b)",
          "4.D(2)(b)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P",
          "PR.DS-P3"
        ],
        "general-nist-800-37-r2": [
          "TASK P-18"
        ],
        "general-nist-800-53-r4": [
          "PM-5"
        ],
        "general-nist-800-53-r5-2": [
          "PM-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-05"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)",
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "PM-05"
        ],
        "general-nist-800-82-r3-low": [
          "PM-05"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-05"
        ],
        "general-nist-800-82-r3-high": [
          "PM-05"
        ],
        "general-nist-800-161-r1": [
          "PM-5"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PM-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "PM-5"
        ],
        "general-nist-800-171-r2": [
          "3.4.1",
          "3.8.3"
        ],
        "general-nist-800-171-r3": [
          "03.01.03",
          "03.01.18.a",
          "03.04.11.a",
          "03.07.04.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1",
          "NIST Tenet 5"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-04",
          "ID.AM",
          "ID.AM-08"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.2",
          "9.5.1",
          "9.5.1.1",
          "11.2",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1",
          "9.5.1.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1",
          "9.5.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.5.1",
          "9.5.1.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.2",
          "9.5.1",
          "9.5.1.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.2",
          "9.5.1",
          "9.5.1.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1",
          "9.5.1.1"
        ],
        "general-shared-assessments-sig-2025": [
          "D.1"
        ],
        "general-tisax-6-0-3": [
          "3.1.3",
          "5.3.3"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG1",
          "ADM:SG1.SP2",
          "ADM:GG1.GP1",
          "ADM:GG2",
          "ADM:GG2.GP2",
          "KIM:SG1",
          "KIM:SG1.SP1",
          "KIM:SG1.SP2",
          "TM:SG4.SP4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.A"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-1d",
          "ASSET-1h",
          "ASSET-2e"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "MP.L1-B.1.VII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.1",
          "MPL2.-3.8.3"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.2"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "2.2.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(vii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-05"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(ii)(E)",
          "164.310(d)(1)",
          "164.310(d)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(ii)(E)",
          "164.310(d)(1)",
          "164.310(d)(2)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.7.1",
          "2.B.7.2",
          "2.B.7.3",
          "PM-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-5"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1",
          "CIP-003-8 1.2.5",
          "CIP-003-8 R2",
          "CIP-011-3 R1",
          "CIP-011-3 1.2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(c)",
          "500.13(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-05"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(53)",
          "3.5(54)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(i)"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.1.1",
          "12.1.3",
          "12.2.1",
          "12.2.2(a)",
          "12.2.3",
          "12.3.3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "12.2"
        ],
        "emea-deu-c5-2020": [
          "AM-03"
        ],
        "emea-sau-cscc-1-2019": [
          "2-1",
          "2-5"
        ],
        "emea-sau-ecc-1-2018": [
          "2-1-1",
          "2-1-2",
          "2-6-1",
          "2-6-2",
          "2-6-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-1"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.3"
        ],
        "emea-zaf-popia-2013": [
          "19.1",
          "19.2"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 18"
        ],
        "emea-esp-decree-311-2022": [
          "18"
        ],
        "emea-gbr-caf-4-0": [
          "A3"
        ],
        "emea-gbr-cap-1850-2020": [
          "A3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1300",
          "1301",
          "2202"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1300"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1300",
          "1301",
          "2202"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1300",
          "1301",
          "2202"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0285",
          "ISM-0286",
          "ISM-0289",
          "ISM-0290",
          "ISM-0591",
          "ISM-1457",
          "ISM-1480"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21",
          "21(c)"
        ],
        "apac-ind-sebi-2024": [
          "GV.PO.S5"
        ],
        "apac-jpn-ismap": [
          "8",
          "8.1",
          "8.1.1.1",
          "8.1.1.6.PB"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP05",
          "HHSP54",
          "HML05",
          "HML54"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS12",
          "HMS14"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP05",
          "HSUP46"
        ],
        "apac-nzl-ism-3-9": [
          "8.4.9.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.3.1",
          "3.3.1(a)",
          "3.3.1(d)",
          "7.1.1",
          "11.4.1",
          "11.4.2",
          "11.4.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.9"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2",
          "2.2.1",
          "2.2.2",
          "2.9.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03",
          "03.01.18.A",
          "03.04.11.A",
          "03.07.04.A"
        ]
      }
    },
    {
      "control_id": "AST-01.1",
      "title": "Asset-Service Dependencies",
      "family": "AST",
      "description": "Mechanisms exist to identify and assess the security of Technology Assets, Applications and/or Services (TAAS) that support more than one critical business function.",
      "scf_question": "Does the organization identify and assess the security of Technology Assets, Applications and/or Services (TAAS) that support more than one critical business function?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Inventories are manual (e.g., spreadsheets).\n▪ Data / process owners maintain limited network diagrams to document the flow of sensitive/regulated data that is specific to their initiative.\n▪ Inventory of physical technology assets are assigned to individual users or teams and covers common devices (e.g., laptops, workstations and servers).\n▪ No structured process exists to review or share the results of the inventories.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and assess the security of Technology Assets, Applications and/or Services (TAAS) that support more than one critical business function.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-6",
        "R-GV-2",
        "R-IR-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.2-POF1"
        ],
        "general-cobit-2019": [
          "APO09.01",
          "BAI04.02",
          "BAI09.02"
        ],
        "general-cr-cmm-2026": [
          "CR1.1.4"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.2.1",
          "3.5.2.2"
        ],
        "general-iso-27002-2022": [
          "5.9",
          "5.3"
        ],
        "general-iso-27017-2015": [
          "8.1.1"
        ],
        "general-iso-27018-2025": [
          "5.9",
          "5.30"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P8"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)"
        ],
        "general-nist-800-171-r3": [
          "03.01.03"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-nist-csf-2-0": [
          "GV.OC",
          "GV.SC-04",
          "ID.AM"
        ],
        "general-sparta": [
          "CM0013",
          "CM0022"
        ],
        "general-tisax-6-0-3": [
          "1.3.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG2",
          "ADM:SG2.SP1",
          "ADM:SG2.SP2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-1a",
          "RISK-2m",
          "THIRD-PARTIES-1a"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(ii)(E)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(ii)(E)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-011-3 1.2"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B.1.a"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.3(17)",
          "3.3.3(18)",
          "3.5(54)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.5"
        ],
        "emea-deu-bsrit-2017": [
          "12.2"
        ],
        "emea-sau-cgiot-2024": [
          "4-1-4"
        ],
        "emea-gbr-caf-4-0": [
          "A3",
          "A3.a (point 2)"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21(a)"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2",
          "2.2.2",
          "2.9.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03"
        ]
      }
    },
    {
      "control_id": "AST-01.2",
      "title": "Stakeholder Identification & Involvement",
      "family": "AST",
      "description": "Mechanisms exist to identify and involve pertinent stakeholders of critical Technology Assets, Applications, Services and/or Data (TAASD) to support the ongoing secure management of those assets.",
      "scf_question": "Does the organization identify and involve pertinent stakeholders of critical Technology Assets, Applications, Services and/or Data (TAASD) to support the ongoing secure management of those assets?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Inventories may be manual (e.g., spreadsheets) or automated.\n▪ Data/process owners for business-critical assets are documented and are reviewed as part of the annual asset inventories.\n▪ Annual IT asset inventories validate or update stakeholders/owners.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and involve pertinent stakeholders of critical TAASD to support the ongoing secure management of those assets.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ System Security & Privacy Plan (SSPP)",
        "small": "∙ System Security & Privacy Plan (SSPP)",
        "medium": "∙ System Security & Privacy Plan (SSPP)",
        "large": "∙ System Security & Privacy Plan (SSPP)",
        "enterprise": "∙ System Security & Privacy Plan (SSPP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-GV-2",
        "R-GV-4",
        "R-IR-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cobit-2019": [
          "EDM05.01",
          "EDM05.02",
          "EDM05.03",
          "BAI01.03"
        ],
        "general-iso-27001-2022": [
          "4.2",
          "4.2(a)"
        ],
        "general-iso-27002-2022": [
          "5.9"
        ],
        "general-iso-27017-2015": [
          "8.1.1"
        ],
        "general-iso-27018-2025": [
          "5.9"
        ],
        "general-iso-27701-2025": [
          "4.2"
        ],
        "general-iso-42001-2023": [
          "9.3.2(c)",
          "A.4.6",
          "A.8",
          "A.8.2",
          "A.8.3",
          "A.8.4",
          "A.8.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.1",
          "GOVERN 2.0",
          "GOVERN 5.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P8"
        ],
        "general-nist-800-37-r2": [
          "TASK P-9"
        ],
        "general-nist-csf-2-0": [
          "GV.OC",
          "GV.OC-02",
          "ID.AM",
          "ID.AM-08"
        ],
        "general-tisax-6-0-3": [
          "1.2.2",
          "1.3.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG2.GP7",
          "AM:GG2.GP7",
          "COMM:GG2.GP7",
          "COMP:GG2.GP7",
          "CTRL:GG2.GP7",
          "EC:GG2.GP7",
          "EF:GG2.GP7",
          "EXD:GG2.GP7",
          "FRM:GG2.GP7",
          "HRM:GG2.GP7",
          "ID:GG2.GP7",
          "IMC:GG2.GP7",
          "KIM:GG2.GP7",
          "MA:GG2.GP7",
          "MON:GG2.GP7",
          "OPD:GG2.GP7",
          "OPF:GG2.GP7",
          "OTA:GG2.GP7",
          "PM:GG2.GP7",
          "RISK:GG2.GP7",
          "RRD:GG2.GP7",
          "RRM:GG2.GP7",
          "RTSE:GG2.GP7",
          "SC:GG2.GP7",
          "TM:GG2.GP7",
          "VAR:GG2.GP7",
          "GG2.GP7"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 R3"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.A"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.2(16)",
          "3.5(54)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-1-1-4"
        ],
        "emea-gbr-caf-4-0": [
          "A3.a (point 4)"
        ],
        "apac-ind-sebi-2024": [
          "GV.PO.S5"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP27"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.3.1(c)"
        ]
      }
    },
    {
      "control_id": "AST-01.3",
      "title": "Standardized Naming Convention",
      "family": "AST",
      "description": "Mechanisms exist to implement a scalable, standardized naming convention for Technology Assets, Applications, Services and/or Data (TAASD) that avoids asset naming conflicts.",
      "scf_question": "Does the organization implement a scalable, standardized naming convention for Technology Assets, Applications, Services and/or Data (TAASD) that avoids asset naming conflicts?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement a scalable, standardized naming convention for TAASD that avoids asset naming conflicts.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program",
        "large": "∙ IT Asset Management (ITAM) program",
        "enterprise": "∙ IT Asset Management (ITAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-6",
        "R-GV-7",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DCS-09"
        ],
        "general-csa-iot-2": [
          "ASM-04"
        ]
      }
    },
    {
      "control_id": "AST-01.4",
      "title": "Approved Technologies",
      "family": "AST",
      "description": "Mechanisms exist to maintain a current list of approved technologies (hardware and software).",
      "scf_question": "Does the organization maintain a current list of approved technologies (hardware and software)?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Inventories are manual (e.g., spreadsheets).\n▪ Inventory of physical technology assets is assigned to individual users or teams and covers common devices (e.g., laptops, workstations and servers).\n▪ Software licensing is tracked as part of IT asset inventories.\n▪ No structured process exists to review or share the results of the inventories.\n▪ Software licensing restrictions are defined for users as part of acceptable and unacceptable behaviors.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a current list of approved technologies (hardware and software).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-800-171a-r3": [
          "A.03.04.08.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2410"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2410"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2410"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2410"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS12"
        ]
      }
    },
    {
      "control_id": "AST-01.5",
      "title": "Authorized To Connect",
      "family": "AST",
      "description": "Mechanisms exist to maintain a list of Technology Asset, Application and/or Service (TAAS) that are authorized to connect to organizational Technology Assets, Applications, Services and/or Data (TAASD).",
      "scf_question": "Does the organization maintain a list of Technology Asset, Application and/or Service (TAAS) that are authorized to connect to organizational Technology Assets, Applications, Services and/or Data (TAASD)?",
      "relative_weight": 6,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-AST-29"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Inventories are manual (e.g., spreadsheets).\n▪ Inventory of physical technology assets is assigned to individual users or teams and covers common devices (e.g., laptops, workstations and servers).",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a list of Technology Asset, Application and/or Service (TAAS) that are authorized to connect to organizational TAASD.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Spreadsheet asset inventory",
        "small": "∙ Asset inventory spreadsheet\n∙ Asset ownership assignment",
        "medium": "∙ Asset management tool (e.g., Snipe-IT)\n∙ Asset classification policy",
        "large": "∙ Enterprise asset management platform (e.g., ServiceNow CMDB, Lansweeper)\n∙ Automated discovery",
        "enterprise": "∙ Enterprise CMDB (e.g., ServiceNow)\n∙ Automated network discovery\n∙ Asset lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AM-1",
        "R-AM-2",
        "R-BC-4",
        "R-GV-4",
        "R-GV-6",
        "R-IR-1"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-5",
        "MT-8",
        "MT-9",
        "MT-10"
      ],
      "errata": "- new control (SCF)",
      "family_name": "Asset Management",
      "crosswalks": {}
    },
    {
      "control_id": "AST-02",
      "title": "Asset Inventories",
      "family": "AST",
      "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
      "scf_question": "Does the organization perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n (1) Accurately reflects the current TAASD in use; \n (2) Identifies authorized software products, including business justification details;\n (3) Is at the level of granularity deemed necessary for tracking and reporting;\n (4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n (5) Is available for review and audit by designated organizational personnel?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-04",
        "E-AST-05",
        "E-AST-07",
        "E-AST-28"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Inventories may be manual (e.g., spreadsheets) or automated.\n▪ Data/process owners for business-critical assets are documented and are reviewed as part of the annual asset inventories.\n▪ Software licensing is tracked as part of IT asset inventories.\n▪ No structured process exists to review or share the results of the inventories.\n▪ Annual IT asset inventories validate or update stakeholders/owners.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform inventories of TAASD that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Spreadsheet-based asset inventory or Snipe-IT (free, https://snipeitapp.com)\n∙ JAMF (https://jamf.com) for Apple device management\n∙ Configuration Management Database (CMDB)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ ManageEngine AssetExplorer (https://manageengine.com)\n∙ JAMF (https://jamf.com) or Microsoft Intune for device management\n∙ Configuration Management Database (CMDB)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ ManageEngine AssetExplorer (https://manageengine.com)\n∙ Ivanti (https://ivanti.com) or Microsoft Intune\n∙ Configuration Management Database (CMDB)\n∙ Lansweeper for network device discovery",
        "large": "∙ IT Asset Management (ITAM) program\n∙ ManageEngine AssetExplorer or Ivanti (https://ivanti.com)\n∙ Configuration Management Database (CMDB) (e.g., ServiceNow, Device42)\n∙ Integration with network discovery tools (e.g., Nmap, Qualys Asset Inventory)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Enterprise ITAM solution (e.g., Ivanti, Snow Software, Flexera)\n∙ Configuration Management Database (CMDB) (e.g., ServiceNow CMDB)\n∙ Automated asset discovery integrated with vulnerability management\n∙ CIS Control 1 & 2 alignment"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.4"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.1-POF6",
          "CC2.1-POF9",
          "CC6.1-POF1"
        ],
        "general-cis-csc-8-1": [
          "1.0",
          "1.1",
          "2.0",
          "2.1",
          "2.2",
          "2.4",
          "6.6"
        ],
        "general-cis-csc-8-1-ig1": [
          "1.1",
          "2.1",
          "2.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "1.1",
          "2.1",
          "2.2",
          "2.4",
          "6.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "1.1",
          "2.1",
          "2.2",
          "2.4",
          "6.6"
        ],
        "general-cobit-2019": [
          "APO14.08",
          "BAI09.01",
          "BAI09.05"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-07",
          "DSP-03",
          "UEM-04"
        ],
        "general-csa-iot-2": [
          "ASM-01",
          "SNT-04"
        ],
        "general-govramp": [
          "CM-08"
        ],
        "general-govramp-core": [
          "CM-08"
        ],
        "general-govramp-low": [
          "CM-08"
        ],
        "general-govramp-low-plus": [
          "CM-08"
        ],
        "general-govramp-mod": [
          "CM-08"
        ],
        "general-govramp-high": [
          "CM-08"
        ],
        "general-iec-62443-2-1-2024": [
          "CM 1.1",
          "CM 1.1(a)",
          "CM 1.1(b)",
          "CM 1.1(c)",
          "CM 1.1(d)",
          "CM 1.1(e)",
          "CM 1.1(f)",
          "CM 1.1(g)",
          "CM 1.1(h)",
          "CM 1.1(i)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.8"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 7.8"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.2.2"
        ],
        "general-iso-27002-2022": [
          "5.9"
        ],
        "general-iso-27017-2015": [
          "8.1.1"
        ],
        "general-iso-27018-2025": [
          "5.9"
        ],
        "general-mitre-att&ck-16-1": [
          "T1011.001",
          "T1020.001",
          "T1021.001",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1046",
          "T1052",
          "T1052.001",
          "T1053",
          "T1053.002",
          "T1053.005",
          "T1059",
          "T1059.001",
          "T1059.005",
          "T1059.007",
          "T1059.010",
          "T1068",
          "T1072",
          "T1091",
          "T1092",
          "T1098.004",
          "T1119",
          "T1127",
          "T1127.001",
          "T1127.002",
          "T1133",
          "T1137",
          "T1137.001",
          "T1189",
          "T1190",
          "T1195",
          "T1195.003",
          "T1203",
          "T1210",
          "T1211",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.005",
          "T1218",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.008",
          "T1218.009",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1218.015",
          "T1221",
          "T1495",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.004",
          "T1530",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1546.002",
          "T1546.006",
          "T1546.014",
          "T1547.007",
          "T1548",
          "T1548.004",
          "T1548.006",
          "T1553",
          "T1553.006",
          "T1556.009",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1559",
          "T1559.002",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1564.006",
          "T1564.007",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1574",
          "T1574.004",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1593.003",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1622"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-3.0",
          "TS-5.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.6"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.6",
          "GV-1.6-001",
          "GV-1.6-002"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P1"
        ],
        "general-nist-800-37-r2": [
          "TASK P-10"
        ],
        "general-nist-800-53-r4": [
          "CM-8",
          "PM-5"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08",
          "PM-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-08",
          "PM-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-08"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "CM-08",
          "PM-05"
        ],
        "general-nist-800-82-r3-low": [
          "CM-08",
          "PM-05"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-08",
          "PM-05"
        ],
        "general-nist-800-82-r3-high": [
          "CM-08",
          "PM-05"
        ],
        "general-nist-800-161-r1": [
          "CM-8",
          "PM-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-8"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-8",
          "PM-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-8",
          "PM-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8",
          "PM-5"
        ],
        "general-nist-800-171-r2": [
          "3.4.1"
        ],
        "general-nist-800-171-r3": [
          "03.04.08.a",
          "03.04.08.c",
          "03.04.10.a",
          "03.04.10.b",
          "03.04.11.a"
        ],
        "general-nist-800-171a": [
          "3.4.1[d]",
          "3.4.1[e]",
          "3.4.1[f]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.10.ODP[01]",
          "A.03.04.10.a",
          "A.03.04.10.b[01]",
          "A.03.04.10.b[02]"
        ],
        "general-nist-800-172": [
          "3.1.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-nist-csf-2-0": [
          "ID.AM",
          "ID.AM-01",
          "ID.AM-02"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.2",
          "9.5.1",
          "9.5.1.1",
          "11.2",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1",
          "9.5.1.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1",
          "9.5.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.5.1",
          "9.5.1.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.2",
          "9.5.1",
          "9.5.1.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.2",
          "9.5.1",
          "9.5.1.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1",
          "9.5.1.1"
        ],
        "general-scf-dpmp-2025": [
          "5.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG1.SP1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.DINVE",
          "3.UNI.INVENT"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-8"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-1a",
          "ASSET-1b",
          "ASSET-1d",
          "ASSET-1e",
          "ASSET-1f",
          "ASSET-1g",
          "ASSET-2a",
          "ASSET-2b",
          "ASSET-2f",
          "ASSET-2g",
          "RISK-2h"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.1"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AC.L3-3.1.2E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.1",
          "2.1.1",
          "3.1",
          "3.1.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-08",
          "PM-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-08",
          "PM-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-08",
          "PM-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-08",
          "PM-05"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-8",
          "CM-8.a",
          "CM-8.a.1",
          "CM-8.a.2",
          "CM-8.a.3",
          "CM-8.a.4",
          "CM-8.b",
          "CM-8-IS.1",
          "CM-8-IS.2",
          "PM-5"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-011-3 1.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)",
          "7123(c)(4)(B)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.13(a)",
          "500.13(a)(1)",
          "500.13(a)(1)(i)",
          "500.13(a)(1)(ii)",
          "500.13(a)(1)(iii)",
          "500.13(a)(1)(iv)",
          "500.13(a)(1)(v)",
          "500.13(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-08",
          "PM-05",
          "PM-05-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-08"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-08"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(53)",
          "3.5(54)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.4",
          "Article 8.6"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(i)"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.2(b)",
          "12.4.1",
          "12.4.2",
          "12.4.2(a)",
          "12.4.2(b)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "8.2",
          "12.2"
        ],
        "emea-deu-c5-2020": [
          "AM-01",
          "AM-02"
        ],
        "emea-sau-cscc-1-2019": [
          "2-1-1-1"
        ],
        "emea-sau-cgiot-2024": [
          "2-1-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-1",
          "2-1-1",
          "2-1-1-3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.1 [OP.EXP.1]"
        ],
        "emea-uae-niaf-2023": [
          "3.1.1"
        ],
        "emea-gbr-caf-4-0": [
          "A3.a (point 1)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1301",
          "2202",
          "2310"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2310"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1301",
          "2202",
          "2310"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1301",
          "2202",
          "2310"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P1",
          "ML1-P2",
          "ML2-P1",
          "ML2-P2",
          "ML3-P1",
          "ML3-P2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0336",
          "ISM-1643",
          "ISM-1807"
        ],
        "apac-ind-sebi-2024": [
          "ID.AM.S1",
          "ID.AM.S5",
          "ID.AM.S6"
        ],
        "apac-jpn-ismap": [
          "8.1.1",
          "8.1.1.2",
          "8.1.1.3",
          "8.1.1.4",
          "8.1.2.3"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS03"
        ],
        "apac-nzl-ism-3-9": [
          "8.4.8.C.01",
          "8.4.9.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.3.1(a)",
          "3.3.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.9"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.1"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2",
          "2.2.2",
          "2.2.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.08.A",
          "03.04.08.C",
          "03.04.10.A",
          "03.04.10.B",
          "03.04.11.A"
        ]
      }
    },
    {
      "control_id": "AST-02.1",
      "title": "Updates During Installations / Removals",
      "family": "AST",
      "description": "Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades.",
      "scf_question": "Does the organization update asset inventories as part of component installations, removals and asset upgrades?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to update asset inventories as part of component installations, removals and asset upgrades.",
        "4": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configuration Management Database (CMDB)",
        "small": "∙ Configuration Management Database (CMDB)",
        "medium": "∙ Configuration Management Database (CMDB)",
        "large": "∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-GV-2",
        "R-IR-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-govramp": [
          "CM-08(01)"
        ],
        "general-govramp-low": [
          "CM-08(01)"
        ],
        "general-govramp-low-plus": [
          "CM-08(01)"
        ],
        "general-govramp-mod": [
          "CM-08(01)"
        ],
        "general-govramp-high": [
          "CM-08(01)"
        ],
        "general-nist-800-53-r4": [
          "CM-8(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-08(01)"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "CM-08(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-08(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-08(01)"
        ],
        "general-nist-800-161-r1": [
          "CM-8(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(1)"
        ],
        "general-nist-800-171-r3": [
          "03.04.10.a",
          "03.04.10.b",
          "03.04.10.c"
        ],
        "general-nist-800-171a": [
          "3.4.1[f]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.10.c[01]",
          "A.03.04.10.c[02]",
          "A.03.04.10.c[03]"
        ],
        "general-tisax-6-0-3": [
          "5.3.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-8(1)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-2g"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-08(01)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-8(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-8(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-08 (01)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.6"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.4.3"
        ],
        "emea-deu-c5-2020": [
          "AM-01",
          "AM-02"
        ],
        "emea-sau-cgiot-2024": [
          "2-1-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-1-1-1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.10.A",
          "03.04.10.B",
          "03.04.10.C"
        ]
      }
    },
    {
      "control_id": "AST-02.2",
      "title": "Automated Unauthorized Component Detection",
      "family": "AST",
      "description": "Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components.",
      "scf_question": "Does the organization use automated mechanisms to detect and alert upon the detection of unauthorized hardware, software and firmware components?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically detect and alert upon the detection of unauthorized hardware, software and firmware components.",
        "4": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ DHCP logging\n∙ Active discovery scan (e.g., Nmap, Angry IP Scanner - free)\n∙ Configuration Management Database (CMDB)",
        "small": "∙ DHCP logging\n∙ Active discovery tools (e.g., Nmap, Lansweeper free tier)\n∙ Configuration Management Database (CMDB)",
        "medium": "∙ DHCP logging\n∙ Active discovery tools (e.g., Lansweeper, Nmap)\n∙ Configuration Management Database (CMDB)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)",
        "large": "∙ DHCP logging\n∙ Network access control (NAC) for unauthorized device blocking\n∙ Configuration Management Database (CMDB)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)\n∙ Qualys or Tenable asset discovery",
        "enterprise": "∙ Enterprise asset discovery with continuous monitoring (e.g., Qualys CSAM, Tenable.io)\n∙ Network Access Control (NAC) integration\n∙ DHCP + SIEM correlation for unauthorized device alerting\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ CIS Control 1 automated asset discovery alignment"
      },
      "risks": [
        "R-AM-3",
        "R-BC-4",
        "R-EX-6",
        "R-GV-2",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.1-POF4"
        ],
        "general-cis-csc-8-1": [
          "1.2",
          "1.3",
          "1.5",
          "2.3",
          "2.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "1.2",
          "2.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "1.2",
          "1.3",
          "2.3",
          "2.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "1.2",
          "1.3",
          "1.5",
          "2.3",
          "2.4"
        ],
        "general-csa-iot-2": [
          "SNT-04"
        ],
        "general-govramp": [
          "CM-08(03)"
        ],
        "general-govramp-mod": [
          "CM-08(03)"
        ],
        "general-govramp-high": [
          "CM-08(03)"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.2(a)"
        ],
        "general-nist-800-53-r4": [
          "CM-8(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-08(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-08(03)"
        ],
        "general-nist-800-82-r3": [
          "CM-08(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-08(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-08(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-08(03)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5",
          "NIST Tenet 6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-8(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-08(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-08(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-08(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-08(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-8(CE-3)",
          "CM-8(CE-3).a",
          "CM-8(CE-3).b",
          "CM-8(CE-3).b.1",
          "CM-8(CE-3).b.2",
          "CM-8(CE-3).b.3"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-8(3)",
          "CM-8(3).a",
          "CM-8(3).b",
          "CM-8(3)-IS",
          "CM-8(3)-IS.1",
          "CM-8(3)-IS.2"
        ],
        "emea-deu-c5-2020": [
          "AM-02"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-11"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3204"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3204"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3204"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3204"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1807"
        ]
      }
    },
    {
      "control_id": "AST-02.3",
      "title": "Component Duplication Avoidance",
      "family": "AST",
      "description": "Mechanisms exist to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.",
      "scf_question": "Does the organization establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Inventories are manual (e.g., spreadsheets).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configuration Management Database (CMDB)",
        "small": "∙ Configuration Management Database (CMDB)",
        "medium": "∙ Configuration Management Database (CMDB)",
        "large": "∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "1.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "1.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "1.3"
        ],
        "general-govramp": [
          "CM-08"
        ],
        "general-govramp-core": [
          "CM-08"
        ],
        "general-govramp-low": [
          "CM-08"
        ],
        "general-govramp-low-plus": [
          "CM-08"
        ],
        "general-govramp-mod": [
          "CM-08"
        ],
        "general-govramp-high": [
          "CM-08"
        ],
        "general-nist-800-53-r4": [
          "CM-8(5)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-08"
        ],
        "general-nist-800-82-r3": [
          "CM-08"
        ],
        "general-nist-800-82-r3-low": [
          "CM-08"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-08"
        ],
        "general-nist-800-82-r3-high": [
          "CM-08"
        ],
        "general-nist-800-161-r1": [
          "CM-8"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-8"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-8"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-8"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8"
        ],
        "general-nist-800-171-r2": [
          "NFO - CM-8(5)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-8"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-08"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-8",
          "CM-8(5)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-08"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-08"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-08"
        ]
      }
    },
    {
      "control_id": "AST-02.4",
      "title": "Approved Baseline Deviations",
      "family": "AST",
      "description": "Mechanisms exist to document and govern instances of approved deviations from established baseline configurations.",
      "scf_question": "Does the organization document and govern instances of approved deviations from established baseline configurations?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-33",
        "E-RSK-03",
        "E-TDA-14"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document and govern instances of approved deviations from established baseline configurations.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configuration Management Database (CMDB)",
        "small": "∙ Configuration Management Database (CMDB)",
        "medium": "∙ Configuration Management Database (CMDB)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)\n∙ Tripwire Enterprise (https://tripwire.com/products/tripwire-enterprise)\n∙ Puppet (https://puppet.com)\n∙ Chef (https://chef.io)",
        "large": "∙ Configuration Management Database (CMDB)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)\n∙ Tripwire Enterprise (https://tripwire.com/products/tripwire-enterprise)\n∙ Puppet (https://puppet.com)\n∙ Chef (https://chef.io)",
        "enterprise": "∙ Configuration Management Database (CMDB)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)\n∙ Tripwire Enterprise (https://tripwire.com/products/tripwire-enterprise)\n∙ Puppet (https://puppet.com)\n∙ Chef (https://chef.io)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-iec-tr-60601-4-5-2021": [
          "5.2"
        ],
        "general-nist-800-53-r4": [
          "CM-8(6)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08(06)"
        ],
        "general-nist-800-82-r3": [
          "CM-08(06)"
        ],
        "general-nist-800-161-r1": [
          "CM-8(6)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(6)"
        ],
        "general-nist-800-171-r3": [
          "03.04.02.b",
          "03.04.06.a"
        ],
        "emea-deu-c5-2020": [
          "SP-03"
        ],
        "emea-isr-cmo-1-0": [
          "6.8"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2202"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2202"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2202"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.02.B",
          "03.04.06.A"
        ]
      }
    },
    {
      "control_id": "AST-02.5",
      "title": "Network Access Control (NAC)",
      "family": "AST",
      "description": "Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disabling network access to those unauthorized devices.",
      "scf_question": "Does the organization use automated mechanisms to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disabling network access to those unauthorized devices?",
      "relative_weight": 4,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disabling network access to those unauthorized devices.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ VLAN segmentation to isolate unknown devices\n∙ Basic wireless network access controls",
        "small": "∙ VLAN segmentation to isolate unknown devices\n∙ MAC address filtering (basic NAC)\n∙ Wireless access point policies",
        "medium": "∙ Cisco Identity Services Engine (ISE) (https://cisco.com)\n∙ HPE Aruba Central (https://arubanetworks.com)\n∙ Juniper Mist Access Assurance (https://juniper.net)\n∙ Open-source NAC (e.g., PacketFence)",
        "large": "∙ Cisco Identity Services Engine (ISE) (https://cisco.com)\n∙ HPE Aruba Central (https://arubanetworks.com)\n∙ Juniper Mist Access Assurance (https://juniper.net)\n∙ 802.1X certificate-based authentication",
        "enterprise": "∙ Cisco Identity Services Engine (ISE) (https://cisco.com)\n∙ HPE Aruba Central (https://arubanetworks.com)\n∙ Juniper Mist Access Assurance (https://juniper.net)\n∙ Zero Trust Network Access (ZTNA) integration\n∙ 802.1X with EAP-TLS and certificate infrastructure"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "13.9"
        ],
        "general-cis-csc-8-1-ig3": [
          "13.9"
        ],
        "general-nist-800-53-r4": [
          "IA-3(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-03(03)",
          "SC-07(19)"
        ],
        "general-nist-800-82-r3": [
          "IA-03(03)",
          "SC-07(19)"
        ],
        "general-nist-800-161-r1": [
          "SC-7(19)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-7(19)"
        ],
        "general-nist-800-172": [
          "3.5.3e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 6"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.INVENT"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2k"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "IA.L3-3.5.3E"
        ],
        "emea-isr-cmo-1-0": [
          "23.6"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0520",
          "ISM-1182"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.21",
          "4.24"
        ]
      }
    },
    {
      "control_id": "AST-02.6",
      "title": "Dynamic Host Configuration Protocol (DHCP) Server Logging",
      "family": "AST",
      "description": "Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.",
      "scf_question": "Does the organization enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-04"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Centralized log collector\n∙ Security Incident Event Manager (SIEM)",
        "small": "∙ Centralized log collector\n∙ Security Incident Event Manager (SIEM)",
        "medium": "∙ Security Incident Event Manager (SIEM)",
        "large": "∙ Security Incident Event Manager (SIEM)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "1.4",
          "1.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "1.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "1.4",
          "1.5"
        ],
        "general-nist-800-207": [
          "NIST Tenet 7"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "2.2.1"
        ]
      }
    },
    {
      "control_id": "AST-02.7",
      "title": "Software Licensing Restrictions",
      "family": "AST",
      "description": "Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.",
      "scf_question": "Does the organization protect Intellectual Property (IP) rights with software licensing restrictions?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Software licensing restrictions for users are defined as part of acceptable and unacceptable behaviors.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Software licensing is tracked as part of IT asset inventories.\n▪ Software licensing restrictions for users, as part of acceptable and unacceptable behaviors, are primarily administrative and preventative in nature.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect Intellectual Property (IP) rights with software licensing restrictions.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program",
        "large": "∙ IT Asset Management (ITAM) program",
        "enterprise": "∙ IT Asset Management (ITAM) program"
      },
      "risks": [
        "R-AC-3",
        "R-AM-1",
        "R-AM-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-6",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.2"
        ],
        "general-cobit-2019": [
          "BAI09.05"
        ],
        "general-iso-27002-2022": [
          "5.32"
        ],
        "general-iso-27017-2015": [
          "18.1.2"
        ],
        "general-iso-27018-2025": [
          "5.32"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.17"
        ],
        "general-nist-800-53-r4": [
          "SC-18(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-18(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-18(02)"
        ],
        "general-nist-800-82-r3": [
          "SC-18(02)"
        ],
        "general-nist-800-161-r1": [
          "SC-18(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-18(2)"
        ],
        "general-tisax-6-0-3": [
          "1.3.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-18(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-18(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-18(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-18(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-18(CE-2)"
        ],
        "emea-isr-cmo-1-0": [
          "3.1"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "3"
        ],
        "apac-jpn-ismap": [
          "14.2.7.1",
          "18.1.2",
          "18.1.2.1",
          "18.1.2.2",
          "18.1.2.3",
          "18.1.2.4",
          "18.1.2.5",
          "18.1.2.6",
          "18.1.2.7",
          "18.1.2.8",
          "18.1.2.9",
          "18.1.2.10",
          "18.1.2.11",
          "18.1.2.12"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS14"
        ]
      }
    },
    {
      "control_id": "AST-02.8",
      "title": "Data Action Mapping",
      "family": "AST",
      "description": "Mechanisms exist to create and maintain a map of Technology Assets, Applications and/or Services (TAAS) where sensitive/regulated data is stored, transmitted or processed.",
      "scf_question": "Does the organization create and maintain a map of Technology Assets, Applications and/or Services (TAAS) where sensitive/regulated data is stored, transmitted or processed?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-DCH-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ IT and/or cybersecurity personnel work with process owners to generate and maintain Data Flow Diagrams (DFDs) and network diagrams to document the flow of data to create and maintain a map of systems where sensitive/regulated data is stored, transmitted or processed.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to create and maintain a map of Technology Assets, Applications and/or Services (TAAS) where sensitive/regulated data is stored, transmitted or processed.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Visio or draw.io (free, https://draw.io) for data flow diagrams\n∙ LucidChart (https://lucidchart.com)",
        "small": "∙ Microsoft Visio or draw.io (free, https://draw.io)\n∙ LucidChart (https://lucidchart.com)\n∙ Documented data flow diagrams with sensitivity labels",
        "medium": "∙ Microsoft Visio\n∙ LucidChart (https://lucidchart.com)\n∙ draw.io (https://draw.io)\n∙ Data flow diagrams integrated with privacy impact assessments",
        "large": "∙ Microsoft Visio\n∙ LucidChart (https://lucidchart.com)\n∙ Data flow diagrams maintained in CMDB or GRC platform\n∙ Automated data mapping tools (e.g., BigID, OneTrust Data Mapping)",
        "enterprise": "∙ Enterprise data flow/action mapping platform (e.g., BigID, OneTrust, Securiti.ai)\n∙ Microsoft Visio / LucidChart for technical documentation\n∙ Automated data lineage tools (e.g., Collibra, Alation)\n∙ Data maps maintained current for regulatory compliance (GDPR Article 30)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF5",
          "CC2.1-POF9"
        ],
        "general-iso-27002-2022": [
          "5.9"
        ],
        "general-iso-27017-2015": [
          "8.1.1"
        ],
        "general-iso-27018-2025": [
          "5.9"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P4",
          "ID.IM-P5",
          "ID.IM-P6",
          "ID.IM-P8"
        ],
        "general-nist-800-53-r5-2": [
          "CM-13"
        ],
        "general-nist-800-82-r3": [
          "CM-13"
        ],
        "general-nist-800-161-r1": [
          "CM-13"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-13"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-13"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.a",
          "03.04.11.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.11.a[01]",
          "A.03.04.11.a[02]",
          "A.03.04.11.a[03]",
          "A.03.04.11.b[01]",
          "A.03.04.11.b[02]"
        ],
        "general-nist-800-172": [
          "3.1.3e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1",
          "NIST Tenet 7"
        ],
        "general-scf-dpmp-2025": [
          "5.2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.DAUTE"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AC.L3-3.1.3E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.1.1",
          "5.1"
        ],
        "usa-federal-irs-1075-2021": [
          "2.A.2",
          "CM-13"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-16"
        ],
        "apac-ind-sebi-2024": [
          "ID.AM.S2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.A",
          "03.04.11.B"
        ]
      }
    },
    {
      "control_id": "AST-02.9",
      "title": "Configuration Management Database (CMDB)",
      "family": "AST",
      "description": "Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.",
      "scf_question": "Does the organization implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configuration Management Database (CMDB)",
        "small": "∙ Configuration Management Database (CMDB)",
        "medium": "∙ Configuration Management Database (CMDB)",
        "large": "∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.1",
          "2.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.1",
          "2.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.1",
          "2.4"
        ],
        "general-cobit-2019": [
          "EDM05.01",
          "EDM05.02",
          "EDM05.03",
          "APO01.06",
          "BAI10.02",
          "BAI10.03"
        ],
        "general-csa-iot-2": [
          "SNT-04"
        ],
        "general-govramp": [
          "CM-08(02)"
        ],
        "general-govramp-high": [
          "CM-08(02)"
        ],
        "general-iso-27002-2022": [
          "8.9"
        ],
        "general-iso-27018-2025": [
          "8.9"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-5.0"
        ],
        "general-nist-800-53-r4": [
          "CM-8(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08(02)",
          "CM-08(07)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CM-08(02)"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "CM-08(02)",
          "CM-08(07)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-08(02)"
        ],
        "general-nist-800-161-r1": [
          "CM-8(2)",
          "CM-8(7)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(2)",
          "CM-8(7)"
        ],
        "general-nist-800-171-r3": [
          "03.04.08.a",
          "03.04.10.a",
          "03.04.10.b",
          "03.04.10.c"
        ],
        "general-nist-800-172": [
          "3.4.1e",
          "3.4.3e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1",
          "NIST Tenet 6",
          "NIST Tenet 7"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG3.SP1",
          "ADM:SG3.SP2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-1d",
          "ASSET-2e",
          "ASSET-2g"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "CM.L3-3.4.1E",
          "CM.L3-3.4.3E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.1.1"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "2.2.1"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-08(02)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(2)(iii)"
        ],
        "emea-sau-cgiot-2024": [
          "2-1-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-1-1",
          "2-1-1-2",
          "2-1-1-3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1301",
          "2423"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2423"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1301",
          "2423"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1301",
          "2423"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1493"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.08.A",
          "03.04.10.A",
          "03.04.10.B",
          "03.04.10.C"
        ]
      }
    },
    {
      "control_id": "AST-02.10",
      "title": "Automated Location\nTracking",
      "family": "AST",
      "description": "Mechanisms exist to track the geographic location of system components.",
      "scf_question": "Does the organization track the geographic location of system components?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, (e.g., Configuration Management Database (CMBD) Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to track the geographic location of system components.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Prey (https://preyproject.com)\n∙ Apple Find My / Google Find My Device for mobile assets",
        "small": "∙ Prey (https://preyproject.com)\n∙ MDM solution with location tracking (e.g., Jamf Now, Microsoft Intune)",
        "medium": "∙ Prey (https://preyproject.com)\n∙ MDM solution with location tracking (e.g., Jamf, Microsoft Intune, Mosyle)\n∙ RFID asset tagging for physical hardware",
        "large": "∙ MDM solution with location tracking (e.g., Jamf, Microsoft Intune, VMware Workspace ONE)\n∙ RFID asset tracking system\n∙ Prey (https://preyproject.com) for supplemental coverage",
        "enterprise": "∙ Enterprise MDM with location tracking (e.g., Jamf Pro, Microsoft Intune, VMware Workspace ONE)\n∙ Enterprise RFID/barcode asset tracking system\n∙ Integration of location data with CMDB and ITAM platform"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF6",
          "CC2.1-POF9"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08(08)"
        ],
        "general-nist-800-82-r3": [
          "CM-08(08)"
        ],
        "general-nist-800-161-r1": [
          "CM-8(8)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-8(8)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(8)"
        ]
      }
    },
    {
      "control_id": "AST-02.11",
      "title": "Component Assignment",
      "family": "AST",
      "description": "Mechanisms exist to bind components to a specific system.",
      "scf_question": "Does the organization bind components to a specific system?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Inventories are manual (e.g., spreadsheets).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, (e.g., Configuration Management Database (CMBD) Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to bind components to a specific system.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Spreadsheet asset inventory",
        "small": "∙ Asset inventory spreadsheet\n∙ Asset ownership assignment",
        "medium": "∙ Asset management tool (e.g., Snipe-IT)\n∙ Asset classification policy",
        "large": "∙ Enterprise asset management platform (e.g., ServiceNow CMDB, Lansweeper)\n∙ Automated discovery",
        "enterprise": "∙ Enterprise CMDB (e.g., ServiceNow)\n∙ Automated network discovery\n∙ Asset lifecycle management"
      },
      "risks": [
        "R-AC-3",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "CM-08(09)"
        ],
        "general-nist-800-82-r3": [
          "CM-08(09)"
        ],
        "general-nist-800-161-r1": [
          "CM-8(9)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(9)"
        ],
        "general-shared-assessments-sig-2025": [
          "G.3"
        ]
      }
    },
    {
      "control_id": "AST-03",
      "title": "Asset Ownership Assignment",
      "family": "AST",
      "description": "Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection.",
      "scf_question": "Does the organization ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-01",
        "E-CPL-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Data/process owners for business-critical assets are documented and are reviewed as part of the annual asset inventories.\n▪ Annual IT asset inventories validate or update stakeholders /owners.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, (e.g., Configuration Management Database (CMBD) Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cobit-2019": [
          "APO01.06",
          "APO01.07"
        ],
        "general-iso-27002-2022": [
          "5.9"
        ],
        "general-iso-27017-2015": [
          "8.1.1",
          "8.1.2"
        ],
        "general-iso-27018-2025": [
          "5.9"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P2"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04(12)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-04(12)"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3-low": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04(12)"
        ],
        "general-nist-800-171-r3": [
          "03.09.02.a.03"
        ],
        "general-nist-csf-2-0": [
          "ID.AM"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.2",
          "2.2.4",
          "2.2.5",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "2.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.2",
          "2.2.4",
          "2.2.5",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "2.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.2",
          "2.2.4",
          "2.2.5",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.2",
          "2.2.4",
          "2.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.2",
          "2.2.4",
          "2.2.5",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.2",
          "2.2.4",
          "2.2.5",
          "6.5.2"
        ],
        "general-scf-dpmp-2025": [
          "5.3"
        ],
        "general-tisax-6-0-3": [
          "1.3.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG1.SP3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-04(12)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-4(CE-12)",
          "SA-4(CE-12).a"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.A"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-sau-cscc-1-2019": [
          "2-1-1-2"
        ],
        "emea-gbr-caf-4-0": [
          "A3.a (point 4)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1071"
        ],
        "apac-ind-sebi-2024": [
          "GV.PO.S5"
        ],
        "apac-jpn-ismap": [
          "8.1.1.5",
          "8.1.2",
          "8.1.2.1",
          "8.1.2.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.09.02.A.03"
        ]
      }
    },
    {
      "control_id": "AST-03.1",
      "title": "Accountability Information",
      "family": "AST",
      "description": "Mechanisms exist to include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process.",
      "scf_question": "Does the organization include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Data/process owners for business-critical assets are documented and are reviewed as part of the annual asset inventories.\n▪ Annual IT asset inventories validate or update stakeholders /owners.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, (e.g., Configuration Management Database (CMBD) Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cobit-2019": [
          "EDM05.01",
          "EDM05.02",
          "EDM05.03",
          "APO01.06"
        ],
        "general-govramp": [
          "CM-08(04)"
        ],
        "general-govramp-high": [
          "CM-08(04)"
        ],
        "general-iso-27002-2022": [
          "5.9"
        ],
        "general-iso-27017-2015": [
          "8.1.1"
        ],
        "general-iso-27018-2025": [
          "5.9"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P2"
        ],
        "general-nist-800-53-r4": [
          "CM-8(4)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CM-08(04)"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "CM-08(04)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-08(04)"
        ],
        "general-nist-800-161-r1": [
          "CM-8(4)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(4)"
        ],
        "general-nist-800-171-r3": [
          "03.09.02.a.03"
        ],
        "general-nist-csf-2-0": [
          "ID.AM"
        ],
        "general-scf-dpmp-2025": [
          "5.3"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG1.SP3"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-08(04)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(2)(iii)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.09.02.A.03"
        ]
      }
    },
    {
      "control_id": "AST-03.2",
      "title": "Provenance",
      "family": "AST",
      "description": "Mechanisms exist to track the origin, development, ownership, location and changes to Technology Assets, Applications, Services and/or Data (TAASD).",
      "scf_question": "Does the organization track the origin, development, ownership, location and changes to Technology Assets, Applications, Services and/or Data (TAASD)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-22"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Inventories are manual (e.g., spreadsheets).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to track the origin, development, ownership, location and changes to TAASD.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.5"
        ],
        "general-csa-iot-2": [
          "DAT-03"
        ],
        "general-iso-27002-2022": [
          "5.21"
        ],
        "general-iso-27018-2025": [
          "5.21"
        ],
        "general-iso-42001-2023": [
          "A.7.5"
        ],
        "general-mitre-att&ck-16-1": [
          "T1041",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1059.002",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1195.003",
          "T1204.003",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.004",
          "T1546.006",
          "T1554",
          "T1567",
          "T1601",
          "T1601.001",
          "T1601.002"
        ],
        "general-nist-800-53-r5-2": [
          "SR-04",
          "SR-04(01)",
          "SR-04(02)"
        ],
        "general-nist-800-82-r3": [
          "SR-04",
          "SR-04(01)",
          "SR-04(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-04",
          "SR-04(01)",
          "SR-04(02)"
        ],
        "general-nist-800-161-r1": [
          "SR-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-4"
        ],
        "general-sparta": [
          "CM0026",
          "CM0049"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "4.2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1790",
          "ISM-1791",
          "ISM-1792"
        ]
      }
    },
    {
      "control_id": "AST-04",
      "title": "Network Diagrams & Data Flow Diagrams (DFDs)",
      "family": "AST",
      "description": "Mechanisms exist to maintain network architecture diagrams that: \n(1) Contain sufficient detail to assess the security of the network's architecture;\n(2) Reflect the current architecture of the network environment; and\n(3) Document all sensitive/regulated data flows.",
      "scf_question": "Does the organization maintain network architecture diagrams that: \n (1) Contain sufficient detail to assess the security of the network's architecture;\n (2) Reflect the current architecture of the network environment; and\n (3) Document all sensitive/regulated data flows?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-03",
        "E-DCH-04",
        "E-DCH-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ IT and/or cybersecurity personnel work with process owners to generate and maintain Data Flow Diagrams (DFDs) and network diagrams to document the flow of data to create and maintain a map of systems where sensitive/regulated data is stored, transmitted or processed.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain network architecture diagrams that: \n(1) Contain sufficient detail to assess the security of the network's architecture;\n(2) Reflect the current architecture of the network environment; and\n(3) Document all sensitive/regulated data flows.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ High-Level Diagram (HLD)\n∙ Data Flow Diagram (DFD)\n∙ draw.io (free, https://draw.io) or Microsoft Visio",
        "small": "∙ High-Level Diagram (HLD)\n∙ Low-Level Diagram (LLD)\n∙ Data Flow Diagram (DFD)\n∙ draw.io (free) or Microsoft Visio",
        "medium": "∙ High-Level Diagram (HLD)\n∙ Low-Level Diagram (LLD)\n∙ Data Flow Diagram (DFD)\n∙ LucidChart (https://lucidchart.com) or Microsoft Visio\n∙ Network documentation tool (e.g., NetBox, SolarWinds NTM)",
        "large": "∙ High-Level Diagram (HLD)\n∙ Low-Level Diagram (LLD)\n∙ Data Flow Diagram (DFD)\n∙ Network topology tool (e.g., SolarWinds Network Topology Mapper, NetBox)\n∙ Automated network diagram updates via discovery tools",
        "enterprise": "∙ High-Level Diagram (HLD)\n∙ Low-Level Diagram (LLD)\n∙ Data Flow Diagram (DFD)\n∙ Enterprise network documentation platform (e.g., NetBox, SolarWinds NTM)\n∙ Automated network discovery and diagram generation\n∙ Diagrams integrated with CMDB and change management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "C1.1-POF1",
          "CC2.1",
          "CC2.1-POF2",
          "CC2.1-POF5"
        ],
        "general-cis-csc-8-1": [
          "3.8",
          "12.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.8",
          "12.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.8",
          "12.4"
        ],
        "general-cobit-2019": [
          "APO14.08"
        ],
        "general-coso-2013": [
          "13"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-05",
          "I&S-08"
        ],
        "general-csa-iot-2": [
          "DAT-03"
        ],
        "general-govramp": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-govramp-low": [
          "PL-02"
        ],
        "general-govramp-low-plus": [
          "PL-02"
        ],
        "general-govramp-mod": [
          "PL-02",
          "SA-04(01)"
        ],
        "general-govramp-high": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-iec-62443-2-1-2024": [
          "CM 1.2"
        ],
        "general-iso-27002-2022": [
          "5.9",
          "8.2"
        ],
        "general-iso-27017-2015": [
          "8.1.1"
        ],
        "general-iso-27018-2025": [
          "5.9",
          "8.20"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P7",
          "ID.IM-P8"
        ],
        "general-nist-800-37-r2": [
          "TASK P-11"
        ],
        "general-nist-800-53-r4": [
          "PL-2",
          "SA-5(1)",
          "SA-5(2)",
          "SA-5(3)",
          "SA-5(4)"
        ],
        "general-nist-800-53-r5-2": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-02"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-82-r3": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-82-r3-low": [
          "PL-02"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-82-r3-high": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-161-r1": [
          "PL-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PL-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PL-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "PL-2"
        ],
        "general-nist-800-171-r3": [
          "03.01.03",
          "03.04.11.a",
          "03.04.11.b"
        ],
        "general-nist-800-172": [
          "3.1.3e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-03"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.3",
          "1.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.3",
          "1.2.4"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.3",
          "1.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.3",
          "1.2.4"
        ],
        "general-scf-dpmp-2025": [
          "5.2"
        ],
        "general-sparta": [
          "CM0022"
        ],
        "general-swift-cscf-2025": [
          "2.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.P"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-2",
          "SA-4(1)",
          "SA-4(2)"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AC.L3-3.1.3E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.1.1",
          "5.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-02",
          "SA-04(01)",
          "SA-04(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "PL-2",
          "SA-4(CE-1)",
          "SA-4(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-2",
          "SA-4(1)",
          "SA-4(2)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B.1.a",
          "III.B.1.b",
          "III.B.1.c"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PL-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-02",
          "SA-04 (01)",
          "SA-04 (02)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(a)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-c5-2020": [
          "COS-07"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-16"
        ],
        "emea-gbr-caf-4-0": [
          "B3.a"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1203",
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1203"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1203",
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1203",
          "2301"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0516",
          "ISM-0518",
          "ISM-1645",
          "ISM-1646"
        ],
        "apac-ind-sebi-2024": [
          "ID.AM.S2"
        ],
        "apac-jpn-ismap": [
          "4.4.4"
        ],
        "apac-nzl-ism-3-9": [
          "18.1.9.C.02",
          "18.1.11.C.01",
          "18.1.12.C.01",
          "18.1.12.C.02"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03",
          "03.04.11.A",
          "03.04.11.B"
        ]
      }
    },
    {
      "control_id": "AST-04.1",
      "title": "Asset Scope Classification",
      "family": "AST",
      "description": "Mechanisms exist to determine security, compliance and resilience control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties).",
      "scf_question": "Does the organization determine security, compliance and resilience control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-02",
        "E-CPL-02",
        "E-DCH-01",
        "E-DCH-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to determine security, compliance and resilience control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "small": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "medium": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "large": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "enterprise": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF7",
          "CC2.2-POF11",
          "CC6.1-POF1"
        ],
        "general-cobit-2019": [
          "APO14.05"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-07"
        ],
        "general-govramp": [
          "SA-05"
        ],
        "general-govramp-low": [
          "SA-05"
        ],
        "general-govramp-low-plus": [
          "SA-05"
        ],
        "general-govramp-mod": [
          "SA-05"
        ],
        "general-govramp-high": [
          "SA-05"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.1"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-3"
        ],
        "general-iso-27001-2022": [
          "4.3"
        ],
        "general-iso-27002-2022": [
          "5.12"
        ],
        "general-iso-27017-2015": [
          "8.2.1"
        ],
        "general-iso-27018-2025": [
          "5.12"
        ],
        "general-iso-42001-2023": [
          "4.3"
        ],
        "general-nist-800-53-r5-2": [
          "PE-22",
          "SA-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-22",
          "SA-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-05"
        ],
        "general-nist-800-82-r3": [
          "PE-22",
          "SA-05"
        ],
        "general-nist-800-82-r3-low": [
          "SA-05"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-22",
          "SA-05"
        ],
        "general-nist-800-82-r3-high": [
          "PE-22",
          "SA-05"
        ],
        "general-nist-800-161-r1": [
          "SA-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-5"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.a",
          "03.04.11.b"
        ],
        "general-nist-800-172": [
          "3.14.3e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-05"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.5"
        ],
        "general-shared-assessments-sig-2025": [
          "P.3.1"
        ],
        "general-sparta": [
          "CM0001"
        ],
        "general-swift-cscf-2025": [
          "2.4"
        ],
        "general-tisax-6-0-3": [
          "1.2.3",
          "1.2.4",
          "8.2.4",
          "8.2.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-5"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SI.L3-3.14.3E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-22",
          "SA-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-22",
          "SA-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-22",
          "SA-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-22",
          "SA-05"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-5"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B.1.c"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-05"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.3(17)",
          "3.3.3(18)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.7.2",
          "12.1.1",
          "12.1.3"
        ],
        "emea-deu-bsrit-2017": [
          "12.4"
        ],
        "apac-jpn-ismap": [
          "4.4.4",
          "4.4.4.1",
          "8.1.2.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.A",
          "03.04.11.B"
        ]
      }
    },
    {
      "control_id": "AST-04.2",
      "title": "Control Applicability Boundary Graphical Representation",
      "family": "AST",
      "description": "Mechanisms exist to ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries.",
      "scf_question": "Does the organization ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-02",
        "E-CPL-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "small": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "medium": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "large": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "enterprise": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-5",
        "R-GV-1",
        "R-SA-1"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF11",
          "CC5.2-POF2"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.a",
          "03.04.11.b",
          "03.15.02.a.04"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-03"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.3",
          "12.5.2.1",
          "A3.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.3",
          "12.5.2.1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.P"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B.1.c"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-16"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.A",
          "03.04.11.B",
          "03.15.02.A.04"
        ]
      }
    },
    {
      "control_id": "AST-04.3",
      "title": "Compliance-Specific Asset Identification",
      "family": "AST",
      "description": "Mechanisms exist to create and maintain a current inventory of Technology Assets, Applications, Services and/or Data (TAASD) that are in scope for statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization.",
      "scf_question": "Does the organization create and maintain a current inventory of Technology Assets, Applications, Services and/or Data (TAASD) that are in scope for statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization?",
      "relative_weight": 6,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AST-02",
        "E-CPL-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to create and maintain a current inventory of TAASD that are in scope for statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "small": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "medium": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "large": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "enterprise": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-5",
        "R-GV-1",
        "R-SA-1"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.01.03"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.2",
          "12.5.1",
          "12.5.2.1",
          "A3.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.2",
          "12.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.2",
          "12.5.1",
          "12.5.2.1"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.4.2(a)",
          "12.4.2(b)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03"
        ]
      }
    },
    {
      "control_id": "AST-05",
      "title": "Security of Assets & Media",
      "family": "AST",
      "description": "Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media.",
      "scf_question": "Does the organization maintain strict control over the internal or external distribution of any kind of sensitive/regulated media?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ IT personnel collect technology assets and media for destruction when it is no longer needed for business or legal reasons.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media.",
        "4": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formally assigned roles & responsibilities\n∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Confidentiality / Non-Disclosure Agreements (NDAs)",
        "small": "∙ Formally assigned roles & responsibilities\n∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Confidentiality / Non-Disclosure Agreements (NDAs)",
        "medium": "∙ Formally assigned roles & responsibilities\n∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Confidentiality / Non-Disclosure Agreements (NDAs)",
        "large": "∙ Formally assigned roles & responsibilities\n∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Confidentiality / Non-Disclosure Agreements (NDAs)",
        "enterprise": "∙ Formally assigned roles & responsibilities\n∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Confidentiality / Non-Disclosure Agreements (NDAs)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7-POF3"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-03"
        ],
        "general-iso-27002-2022": [
          "7.9"
        ],
        "general-iso-27017-2015": [
          "11.2.6"
        ],
        "general-iso-27018-2025": [
          "7.9"
        ],
        "general-nist-800-171-r2": [
          "NFO - MP-1"
        ],
        "general-nist-800-171-r3": [
          "03.07.04.a"
        ],
        "general-pci-dss-4-0-1": [
          "9.4",
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.2.2(c)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0161",
          "ISM-0293",
          "ISM-1178"
        ],
        "apac-jpn-ismap": [
          "8.3",
          "8.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.04.A"
        ]
      }
    },
    {
      "control_id": "AST-05.1",
      "title": "Management Approval For External Media Transfer",
      "family": "AST",
      "description": "Mechanisms exist to obtain management approval for any sensitive/regulated media that is transferred outside of the organization's facilities.",
      "scf_question": "Does the organization obtain management approval for any sensitive/regulated media that is transferred outside of its facilities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Generic guidelines are published for users to secure laptops and other mobile devices while traveling.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain management approval for any sensitive/regulated media that is transferred outside of the organization's facilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Spreadsheet asset inventory",
        "small": "∙ Asset inventory spreadsheet\n∙ Asset ownership assignment",
        "medium": "∙ Asset management tool (e.g., Snipe-IT)\n∙ Asset classification policy",
        "large": "∙ Enterprise asset management platform (e.g., ServiceNow CMDB, Lansweeper)\n∙ Automated discovery",
        "enterprise": "∙ Enterprise CMDB (e.g., ServiceNow)\n∙ Automated network discovery\n∙ Asset lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DCS-03"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.4"
        ],
        "emea-sau-cscc-1-2019": [
          "2-6-1-5"
        ],
        "apac-jpn-ismap": [
          "8.3.1.2",
          "13.2.2.1"
        ]
      }
    },
    {
      "control_id": "AST-06",
      "title": "Unattended End-User Equipment",
      "family": "AST",
      "description": "Mechanisms exist to implement enhanced protection measures for unattended technology assets to protect against tampering and unauthorized access.",
      "scf_question": "Does the organization implement enhanced protection measures for unattended technology assets to protect against tampering and unauthorized access?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement enhanced protection measures for unattended technology assets to protect against tampering and unauthorized access.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)",
        "small": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)",
        "medium": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)",
        "large": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)",
        "enterprise": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-iso-21434-2021": [
          "RQ-05-12"
        ],
        "general-iso-27002-2022": [
          "7.7",
          "7.9",
          "8.1"
        ],
        "general-iso-27017-2015": [
          "11.2.6",
          "11.2.8",
          "11.2.9"
        ],
        "general-iso-27018-2025": [
          "7.7",
          "7.9",
          "8.1"
        ],
        "general-pci-dss-4-0-1": [
          "9.5",
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.3.2 [MP.EQ.2]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0161"
        ],
        "apac-jpn-ismap": [
          "6.2.1.18",
          "6.2.1.19",
          "8.2.3.5",
          "11.2.8",
          "11.2.8.1",
          "11.2.8.2",
          "11.2.8.3",
          "11.2.8.4"
        ]
      }
    },
    {
      "control_id": "AST-06.1",
      "title": "Asset Storage In Automobiles",
      "family": "AST",
      "description": "Mechanisms exist to educate users on the need to physically secure laptops and other mobile devices out of sight when traveling, preferably in the trunk of a vehicle.",
      "scf_question": "Does the organization educate users on the need to physically secure laptops and other mobile devices out of sight when traveling, preferably in the trunk of a vehicle?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Generic guidelines are published for users to secure laptops and other mobile devices while traveling.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to educate users on the need to physically secure laptops and other mobile devices out of sight when traveling, preferably in the trunk of a vehicle.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Physical security awareness training",
        "small": "∙ Physical security awareness training",
        "medium": "∙ Physical security awareness training",
        "large": "∙ Physical security awareness training",
        "enterprise": "∙ Physical security awareness training"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-4",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "emea-deu-c5-2020": [
          "AM-02"
        ]
      }
    },
    {
      "control_id": "AST-07",
      "title": "Kiosks & Point of Interaction (PoI) Devices",
      "family": "AST",
      "description": "Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution.",
      "scf_question": "Does the organization appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)",
        "small": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)",
        "medium": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)",
        "large": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)",
        "enterprise": "∙ Lockable casings\n∙ Tamper detection tape\n∙ Full Disk Encryption (FDE)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "PHY-01"
        ],
        "general-iso-27002-2022": [
          "8.1"
        ],
        "general-iso-27018-2025": [
          "8.1"
        ],
        "general-pci-dss-4-0-1": [
          "9.5",
          "9.5.1",
          "9.5.1.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1",
          "9.5.1.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1",
          "9.5.1.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.5.1",
          "9.5.1.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.5.1",
          "9.5.1.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.5.1",
          "9.5.1.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1",
          "9.5.1.1",
          "9.5.1.2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.12"
        ]
      }
    },
    {
      "control_id": "AST-08",
      "title": "Physical Tampering Detection",
      "family": "AST",
      "description": "Mechanisms exist to periodically inspect systems and system components for Indicators of Compromise (IoC).",
      "scf_question": "Does the organization periodically inspect systems and system components for Indicators of Compromise (IoC)?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Periodic physical inspections are performed to validate the integrity of unattended technology assets (e.g., kiosks, ATMs, point of sale devices, etc.).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically inspect systems and system components for Indicators of Compromise (IoC).",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Tamper detection tape",
        "small": "∙ Tamper detection tape",
        "medium": "∙ Tamper detection tape",
        "large": "∙ Tamper detection tape",
        "enterprise": "∙ Tamper detection tape"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "PHY-01"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.11",
          "EDR 3.11",
          "HDR 3.11",
          "NDR 3.11"
        ],
        "general-iso-27002-2022": [
          "7.9"
        ],
        "general-iso-27017-2015": [
          "11.2.6"
        ],
        "general-iso-27018-2025": [
          "7.9"
        ],
        "general-pci-dss-4-0-1": [
          "9.5.1.2",
          "9.5.1.2.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.5.1.2",
          "9.5.1.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.5.1.2",
          "9.5.1.2.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1.2"
        ],
        "emea-sau-cgiot-2024": [
          "2-6-2",
          "2-13-2"
        ],
        "apac-nzl-ism-3-9": [
          "8.5.3.C.01",
          "8.5.3.C.02",
          "8.5.3.C.03",
          "8.5.3.C.04",
          "8.5.4.C.01",
          "8.5.4.C.02",
          "8.5.4.C.03",
          "8.5.5.C.01"
        ]
      }
    },
    {
      "control_id": "AST-09",
      "title": "Secure Disposal, Destruction or Re-Use of Equipment",
      "family": "AST",
      "description": "Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.",
      "scf_question": "Does the organization securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Decentralized requirements for data / process owners to dispose of, destroy or repurpose systems when no longer needed for business or legal reasons.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ IT personnel collect technology assets and media for destruction when they are no longer needed for business or legal reasons.\n▪ IT personnel perform the destruction of technology assets and media in a secure manner or outsource the destruction to a third-party that specializes in technology assets and media destruction, as well as provides evidence of destruction (e.g., certificate of destruction).\n▪ Asset decommissioning consists of mainly wiping hard drives.\n▪ IT personnel use technology to re-image, or configure, assets from configuration-controlled and integrity-protected images or scripts (infrastructure as code).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "small": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "medium": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "large": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "enterprise": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "C1.2-POF2",
          "CC6.5",
          "CC6.5-POF2",
          "P4.3-POF2",
          "P4.3-POF3"
        ],
        "general-cis-csc-8-1": [
          "3.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.5"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-02",
          "DSP-02"
        ],
        "general-csa-iot-2": [
          "POL-04"
        ],
        "general-iso-27002-2022": [
          "7.14",
          "8.1"
        ],
        "general-iso-27017-2015": [
          "11.2.7"
        ],
        "general-iso-27018-2025": [
          "7.14",
          "7.14(a)",
          "8.10"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-3.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.7"
        ],
        "general-nist-800-37-r2": [
          "TASK M-7"
        ],
        "general-nist-800-53-r4": [
          "SA-19(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SR-12"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SR-12"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-12"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "SR-12"
        ],
        "general-nist-800-82-r3-low": [
          "SR-12"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-12"
        ],
        "general-nist-800-82-r3-high": [
          "SR-12"
        ],
        "general-nist-800-161-r1": [
          "SR-12"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-12"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-12"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-12"
        ],
        "general-nist-800-171-r2": [
          "3.8.3"
        ],
        "general-nist-800-171-r3": [
          "03.07.04.c",
          "03.08.03"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.7"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "general-tisax-6-0-3": [
          "3.1.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SR-12"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-1h",
          "ASSET-2h"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "MP.L1-B.1.VII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.3"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(vii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-12"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-12"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-12"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-12"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(6)(i)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(2)(i)",
          "164.310(d)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(2)(i)",
          "164.310(d)(2)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.F.3.1"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "6-2.a",
          "6-3",
          "6-3.a",
          "11-3.a(4)(d)",
          "11-3.a(5)(c)",
          "11-3.c"
        ],
        "usa-state-ak-pipa-2009": [
          "45.48.500 - .590"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.13(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SR-12"
        ],
        "emea-us-psd2-2015": [
          "24"
        ],
        "emea-deu-c5-2020": [
          "AM-04",
          "PI-03"
        ],
        "emea-isr-cmo-1-0": [
          "15.4",
          "17.21"
        ],
        "emea-sau-cgiot-2024": [
          "2-5-1",
          "2-15-3"
        ],
        "emea-sau-ecc-1-2018": [
          "2-14-3-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-19",
          "TPC-66"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.11"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.5.5 [MP.SI.5]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2323"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0311",
          "ISM-0312",
          "ISM-0315",
          "ISM-0318",
          "ISM-0321",
          "ISM-0330",
          "ISM-0350",
          "ISM-0363",
          "ISM-0370",
          "ISM-0372",
          "ISM-0378",
          "ISM-0839",
          "ISM-1076",
          "ISM-1217",
          "ISM-1218",
          "ISM-1219",
          "ISM-1220",
          "ISM-1221",
          "ISM-1222",
          "ISM-1223",
          "ISM-1225",
          "ISM-1534",
          "ISM-1550",
          "ISM-1641",
          "ISM-1722",
          "ISM-1723",
          "ISM-1724",
          "ISM-1725",
          "ISM-1726",
          "ISM-1727",
          "ISM-1728",
          "ISM-1729",
          "ISM-1741",
          "ISM-1742"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S14"
        ],
        "apac-jpn-ismap": [
          "8.1.2.6",
          "8.3.1.1",
          "8.3.2",
          "8.3.2.1",
          "8.3.2.2",
          "8.3.2.3",
          "11.2.7",
          "11.2.7.1",
          "11.2.7.2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP06",
          "HHSP45",
          "HML06",
          "HML45"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP06"
        ],
        "apac-nzl-ism-3-9": [
          "11.2.13.C.01",
          "11.2.13.C.02",
          "11.7.35.C.01",
          "12.6.4.C.01",
          "12.6.4.C.02",
          "12.6.5.C.01",
          "12.6.5.C.02",
          "12.6.5.C.03",
          "12.6.5.C.04",
          "12.6.5.C.05",
          "12.6.8.C.01",
          "12.6.9.C.01",
          "12.6.10.C.01",
          "13.4.19.C.02",
          "13.4.10.C.01",
          "13.5.24.C.01",
          "13.5.24.C.02",
          "13.5.24.C.03",
          "13.5.24.C.04",
          "13.5.25.C.01",
          "13.5.26.C.01",
          "13.5.26.C.02",
          "13.5.26.C.03",
          "13.5.29.C.01",
          "13.5.29.C.02",
          "13.5.30.C.01",
          "13.6.6.C.01",
          "13.6.6.C.02",
          "13.6.7.C.01",
          "13.6.8.C.01",
          "13.6.9.C.01",
          "13.6.10.C.01",
          "13.6.10.C.02",
          "13.6.10.C.03",
          "13.6.11.C.01",
          "13.6.12.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.1.7"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2",
          "2.2.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.04.C",
          "03.08.03"
        ]
      }
    },
    {
      "control_id": "AST-10",
      "title": "Return of Assets",
      "family": "AST",
      "description": "Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.",
      "scf_question": "Does the organization ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Decentralized requirements for data / process owners to dispose of, destroy or repurpose systems when no longer needed for business or legal reasons.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ IT personnel collect technology assets and media for destruction when they are no longer needed for business or legal reasons.\n▪ The IT department receives organization-owned assets upon termination of an individual's employment.\n▪ Assets not returned are reported as a security incident, based on the data that may exist on the device(s).\n▪ Mobile devices are escrowed in storage for a period of time before being wiped and reissued, in case data on the devices are needed for investigations or business purposes.\n▪ IT personnel use technology to re-image, or configure, assets from configuration-controlled and integrity-protected images or scripts (infrastructure as code).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program",
        "large": "∙ IT Asset Management (ITAM) program",
        "enterprise": "∙ IT Asset Management (ITAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.4-POF3"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-05"
        ],
        "general-iso-27002-2022": [
          "5.11"
        ],
        "general-iso-27017-2015": [
          "8.1.3",
          "8.1.4"
        ],
        "general-iso-27018-2025": [
          "5.11"
        ],
        "general-nist-800-171-r3": [
          "03.09.02.a.03"
        ],
        "general-nist-800-171a-r3": [
          "A.03.09.02.a.03"
        ],
        "emea-deu-c5-2020": [
          "AM-04",
          "AM-05"
        ],
        "emea-isr-cmo-1-0": [
          "11.12"
        ],
        "apac-jpn-ismap": [
          "8.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.09.02.A.03"
        ]
      }
    },
    {
      "control_id": "AST-11",
      "title": "Removal of Assets",
      "family": "AST",
      "description": "Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities.",
      "scf_question": "Does the organization authorize, control and track technology assets entering and exiting organizational facilities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to authorize, control and track technology assets entering and exiting organizational facilities.",
        "4": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ RFID asset tagging\n∙ RFID proximity sensors at access points",
        "large": "∙ IT Asset Management (ITAM) program\n∙ RFID asset tagging\n∙ RFID proximity sensors at access points",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ RFID asset tagging\n∙ RFID proximity sensors at access points"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF2"
        ],
        "general-iso-27002-2022": [
          "7.1"
        ],
        "general-iso-27017-2015": [
          "11.2.5"
        ],
        "general-iso-27018-2025": [
          "7.10"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(1)"
        ]
      }
    },
    {
      "control_id": "AST-12",
      "title": "Use of Personal Devices",
      "family": "AST",
      "description": "Mechanisms exist to restrict the possession and/or use of personally-owned Technology Assets, Applications and/or Services (TAAS) within organization-controlled facilities.",
      "scf_question": "Does the organization restrict the possession and/or use of personally-owned Technology Assets, Applications and/or Services (TAAS) within organization-controlled facilities?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the possession and/or use of personally-owned Technology Assets, Applications and/or Services (TAAS) within organization-controlled facilities.",
        "4": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Rules of Behavior (RoB) / Acceptable Use",
        "small": "∙ Rules of Behavior (RoB) / Acceptable Use",
        "medium": "∙ Rules of Behavior (RoB) / Acceptable Use",
        "large": "∙ Rules of Behavior (RoB) / Acceptable Use",
        "enterprise": "∙ Rules of Behavior (RoB) / Acceptable Use"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-iso-27002-2022": [
          "7.1",
          "8.1"
        ],
        "general-iso-27018-2025": [
          "7.10",
          "8.1"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.a"
        ],
        "emea-isr-cmo-1-0": [
          "12.6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-84"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A"
        ]
      }
    },
    {
      "control_id": "AST-13",
      "title": "Use of Third-Party Devices",
      "family": "AST",
      "description": "Mechanisms exist to reduce the risk associated with third-party assets that are attached to the network from harming organizational assets or exfiltrating organizational data.",
      "scf_question": "Does the organization reduce the risk associated with third-party assets that are attached to the network from harming organizational assets or exfiltrating organizational data?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to reduce the risk associated with third-party assets that are attached to the network from harming organizational assets or exfiltrating organizational data.",
        "4": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Rules of Behavior (RoB) / Acceptable Use",
        "small": "∙ Rules of Behavior (RoB) / Acceptable Use",
        "medium": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Network Access Control (NAC)",
        "large": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Network Access Control (NAC)",
        "enterprise": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Network Access Control (NAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.01.18.a"
        ],
        "emea-isr-cmo-1-0": [
          "12.6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-84"
        ],
        "apac-nzl-ism-3-9": [
          "16.2.3.C.01",
          "16.2.3.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A"
        ]
      }
    },
    {
      "control_id": "AST-14",
      "title": "Usage Parameters",
      "family": "AST",
      "description": "Mechanisms exist to monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters.",
      "scf_question": "Does the organization monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters.",
        "4": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Asset Management (AST) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Centralized log collector\n∙ Manual event log reviews",
        "small": "∙ Centralized log collector\n∙ Manual event log reviews\n∙ Security Incident Event Manager (SIEM)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1011",
          "T1078",
          "T1078.004",
          "T1114.003",
          "T1613"
        ],
        "general-nist-800-53-r4": [
          "SC-43"
        ],
        "general-nist-800-53-r5-2": [
          "SC-43"
        ],
        "general-nist-800-82-r3": [
          "SC-43"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.a"
        ],
        "general-swift-cscf-2025": [
          "2.9"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A"
        ]
      }
    },
    {
      "control_id": "AST-14.1",
      "title": "Bluetooth & Wireless Devices",
      "family": "AST",
      "description": "Mechanisms exist to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building.",
      "scf_question": "Does the organization prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "SWS-01",
          "SWS-03"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.20.1.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0233",
          "ISM-1199",
          "ISM-1200"
        ],
        "apac-nzl-ism-3-9": [
          "11.1.8.C.01",
          "11.1.10.C.01",
          "11.1.10.C.02",
          "11.1.10.C.03",
          "11.1.11.C.01",
          "11.1.11.C.02",
          "11.1.12.C.01",
          "11.1.13.C.01",
          "21.1.16.C.01",
          "21.1.16.C.02"
        ]
      }
    },
    {
      "control_id": "AST-14.2",
      "title": "Infrared Communications",
      "family": "AST",
      "description": "Mechanisms exist to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.",
      "scf_question": "Does the organization prevent line of sight and reflected infrared (IR) communications use in an unsecured space?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-shared-assessments-sig-2025": [
          "O.9"
        ],
        "apac-nzl-ism-3-9": [
          "11.1.9.C.01",
          "11.1.9.C.02",
          "11.1.9.C.03"
        ]
      }
    },
    {
      "control_id": "AST-15",
      "title": "Logical Tampering Protection",
      "family": "AST",
      "description": "Mechanisms exist to assess the integrity of critical Technology Assets, Applications and/or Services (TAAS) to detect evidence of tampering, where:\n(1)\tLogical assessments evaluate the integrity of critical components (e.g., configuration settings); and\n(2)\tPhysical assessments evaluate assets for evidence of unauthorized access and/or modifications.",
      "scf_question": "Does the organization assess the integrity of critical Technology Assets, Applications and/or Services (TAAS) to detect evidence of tampering, where:\n(1)\tLogical assessments evaluate the integrity of critical components (e.g., configuration settings); and\n(2)\tPhysical assessments evaluate assets for evidence of unauthorized access and/or modifications?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-25"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Periodic physical inspections are performed to validate the integrity of unattended technology assets (e.g., kiosks, ATMs, point of sale devices, etc.).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assess the integrity of critical Technology Assets, Applications and/or Services (TAAS) to detect evidence of tampering, where:\n(1)\tLogical assessments evaluate the integrity of critical components (e.g., configuration settings); and\n(2)\tPhysical assessments evaluate assets for evidence of unauthorized access and/or modifications.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)",
        "small": "∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)",
        "medium": "∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)\n∙ Tripwire Enterprise (https://tripwire.com)",
        "large": "∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)\n∙ Tripwire Enterprise (https://tripwire.com)",
        "enterprise": "∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)\n∙ Tripwire Enterprise (https://tripwire.com)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "IOT-05"
        ],
        "general-iso-27002-2022": [
          "7.9"
        ],
        "general-iso-27017-2015": [
          "11.2.6"
        ],
        "general-iso-27018-2025": [
          "7.9"
        ],
        "general-nist-800-53-r4": [
          "SA-18"
        ],
        "general-nist-800-53-r5-2": [
          "SR-09",
          "SR-09(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SR-09",
          "SR-09(01)"
        ],
        "general-nist-800-82-r3": [
          "SR-09",
          "SR-09(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SR-09",
          "SR-09(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-09",
          "SR-09(01)"
        ],
        "general-nist-800-161-r1": [
          "SR-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-9"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-9"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-09"
        ],
        "general-pci-dss-4-0-1": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.5.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1"
        ],
        "general-sparta": [
          "CM0028",
          "CM0057"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-09",
          "SR-09(01)"
        ],
        "emea-sau-cgiot-2024": [
          "2-6-2"
        ]
      }
    },
    {
      "control_id": "AST-15.1",
      "title": "Technology Asset Inspections",
      "family": "AST",
      "description": "Mechanisms exist to physically and logically inspect critical technology assets to detect evidence of tampering.",
      "scf_question": "Does the organization physically and logically inspect critical technology assets to detect evidence of tampering?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Periodic physical inspections are performed to validate the integrity of unattended technology assets (e.g., kiosks, ATMs, point of sale devices, etc.).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, (e.g., Configuration Management Database (CMBD) Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to physically and logically inspect critical technology assets to detect evidence of tampering.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Tamper detection tape\n∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)",
        "small": "∙ Tamper detection tape\n∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)",
        "medium": "∙ Tamper detection tape\n∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)\n∙ Tripwire Enterprise (https://tripwire.com)",
        "large": "∙ Tamper detection tape\n∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)\n∙ Tripwire Enterprise (https://tripwire.com)",
        "enterprise": "∙ Tamper detection tape\n∙ Indicators of Compromise (IoC)\n∙ File Integrity Monitoring (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)\n∙ Tripwire Enterprise (https://tripwire.com)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SA-18(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SR-10"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SR-10"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-10"
        ],
        "general-nist-800-82-r3": [
          "SR-10"
        ],
        "general-nist-800-82-r3-low": [
          "SR-10"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-10"
        ],
        "general-nist-800-82-r3-high": [
          "SR-10"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-10"
        ],
        "general-nist-800-161-r1": [
          "SR-10"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-10"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SR-10"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-10"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-10"
        ],
        "general-pci-dss-4-0-1": [
          "9.5.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.5.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.5.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.5.1",
          "9.5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1",
          "9.5.1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SR-10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-10"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-10"
        ],
        "usa-federal-irs-1075-2021": [
          "SR-10"
        ]
      }
    },
    {
      "control_id": "AST-16",
      "title": "Bring Your Own Device (BYOD) Usage",
      "family": "AST",
      "description": "Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.",
      "scf_question": "Does the organization implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Controls governing the use of personal devices (e.g., Bring Your Own Device (BYOD)), defined as part of acceptable and unacceptable behaviors, are primarily administrative and preventative in nature.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.",
        "4": "Asset Management (AST) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Mobile Device Management (MDM) solution (e.g., Microsoft Intune with M365 Business Premium)",
        "small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Mobile Device Management (MDM) solution (e.g., Microsoft Intune, Jamf Now)\n∙ BYOD-specific security policy with enrollment requirements",
        "medium": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Mobile Device Management (MDM) solution (e.g., Microsoft Intune, Jamf, Mosyle)\n∙ Containerization / MAM (Mobile Application Management) for BYOD data separation",
        "large": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Enterprise MDM solution (e.g., Microsoft Intune, VMware Workspace ONE)\n∙ Mobile Application Management (MAM) with corporate data containerization\n∙ Conditional access policies for BYOD (e.g., Microsoft Entra Conditional Access)",
        "enterprise": "∙ Enterprise MDM/MAM solution (e.g., VMware Workspace ONE, Microsoft Intune, MobileIron)\n∙ Conditional Access policies enforcing compliance posture\n∙ BYOD security policy with attestation and enrollment controls\n∙ DLP policies applied to corporate data on personal devices"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.11"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.a"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.4",
          "2.4.2"
        ],
        "emea-sau-cscc-1-2019": [
          "2-5"
        ],
        "emea-sau-ecc-1-2018": [
          "2-6-1",
          "2-6-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.10"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2322"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2322"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2322"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2322"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1297"
        ],
        "apac-nzl-ism-3-9": [
          "8.1.12.C.01",
          "21.1.12.C.01",
          "21.4.7.C.01",
          "21.4.7.C.02",
          "21.4.8.C.01",
          "21.4.8.C.02",
          "21.4.9.C.01",
          "21.4.10.C.01",
          "21.4.10.C.02",
          "21.4.10.C.03",
          "21.4.10.C.04",
          "21.4.10.C.05",
          "21.4.10.C.06",
          "21.4.10.C.07",
          "21.4.10.C.08",
          "21.4.10.C.09",
          "21.4.10.C.10",
          "21.4.10.C.11",
          "21.4.10.C.12",
          "21.4.10.C.13",
          "21.4.10.C.14",
          "21.4.10.C.15",
          "21.4.10.C.16",
          "21.4.11.C.01",
          "21.4.11.C.02",
          "21.4.11.C.03",
          "21.4.11.C.04",
          "21.4.11.C.05",
          "21.4.11.C.06",
          "21.4.11.C.07",
          "21.4.11.C.08",
          "21.4.11.C.09",
          "21.4.11.C.10",
          "21.4.11.C.11",
          "21.4.11.C.12",
          "21.4.11.C.13",
          "21.4.11.C.14",
          "21.4.11.C.15",
          "21.4.11.C.16",
          "21.4.11.C.17",
          "21.4.11.C.18",
          "21.4.11.C.19",
          "21.4.11.C.20",
          "21.4.13.C.01",
          "21.4.13.C.02",
          "21.4.13.C.03",
          "21.4.13.C.04",
          "21.4.13.C.05",
          "21.4.13.C.06",
          "21.4.13.C.07",
          "21.4.13.C.08",
          "21.4.13.C.09",
          "21.4.13.C.10",
          "21.4.13.C.11",
          "21.4.14.C.01",
          "21.4.14.C.02",
          "21.4.14.C.03",
          "21.4.14.C.04"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.3.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A"
        ]
      }
    },
    {
      "control_id": "AST-17",
      "title": "Prohibited Equipment & Services",
      "family": "AST",
      "description": "Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain Technology Assets, Applications and/or Services (TAAS) that are designated as supply chain threats by a statutory or regulatory body.",
      "scf_question": "Does the organization govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain Technology Assets, Applications and/or Services (TAAS) that are designated as supply chain threats by a statutory or regulatory body?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AST-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain Technology Assets, Applications and/or Services (TAAS) that are designated as supply chain threats by a statutory or regulatory body.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program",
        "large": "∙ IT Asset Management (ITAM) program",
        "enterprise": "∙ IT Asset Management (ITAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.11.01.a",
          "03.16.01"
        ],
        "usa-federal-far-52-204-25": [
          "52.204-25(b)(1)",
          "52.204-25(b)(2)"
        ],
        "usa-federal-far-52-204-27": [
          "52.204-27(b)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A",
          "03.16.01"
        ]
      }
    },
    {
      "control_id": "AST-18",
      "title": "Roots of Trust Protection",
      "family": "AST",
      "description": "Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.",
      "scf_question": "Does the organization provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-26"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "IOT-09"
        ],
        "general-iec-62443-4-2-2019": [
          "EDR 3.12",
          "EDR 3.13(a)",
          "EDR 3.13(b)",
          "HDR 3.12",
          "HDR 3.13(a)",
          "NDR 3.12",
          "NDR 3.13(a)",
          "NDR 3.13(b)"
        ],
        "general-nist-800-172": [
          "3.14.1e"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-09"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SI.L3-3.14.1E"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "4.2"
        ],
        "emea-sau-cgiot-2024": [
          "2-15-1"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 4",
          "Principle 7"
        ]
      }
    },
    {
      "control_id": "AST-19",
      "title": "Telecommunications Equipment",
      "family": "AST",
      "description": "Mechanisms exist to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.",
      "scf_question": "Does the organization establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "emea-sau-sacs-002-2022": [
          "TPC-13",
          "TPC-14",
          "TPC-15",
          "TPC-16",
          "TPC-17"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0558"
        ],
        "apac-nzl-ism-3-9": [
          "11.3.5.C.01",
          "11.3.6.C.01",
          "11.3.6.C.02",
          "11.3.7.C.01",
          "11.3.8.C.01",
          "11.3.9.C.01",
          "11.3.9.C.02",
          "11.3.10.C.01",
          "11.3.11.C.01",
          "11.3.12.C.01",
          "11.3.12.C.02",
          "11.3.12.C.03",
          "11.3.13.C.01",
          "11.3.13.C.02",
          "11.3.13.C.03"
        ]
      }
    },
    {
      "control_id": "AST-20",
      "title": "Video Teleconference (VTC) Security",
      "family": "AST",
      "description": "Mechanisms exist to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.",
      "scf_question": "Does the organization implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-shared-assessments-sig-2025": [
          "M.1.1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0548",
          "ISM-0551",
          "ISM-0553",
          "ISM-0554",
          "ISM-0555",
          "ISM-1014",
          "ISM-1562"
        ],
        "apac-chn-pipl-2021": [
          "26"
        ],
        "apac-nzl-ism-3-9": [
          "18.3.14.C.01",
          "18.3.14.C.02"
        ]
      }
    },
    {
      "control_id": "AST-21",
      "title": "Voice Over Internet Protocol (VoIP) Security",
      "family": "AST",
      "description": "Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.",
      "scf_question": "Does the organization implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "usa-federal-cms-marse-2-0": [
          "SC-19",
          "SC-19.a",
          "SC-19.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2412"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2412"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2412"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2412"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0549",
          "ISM-0551",
          "ISM-0555",
          "ISM-0556",
          "ISM-0558",
          "ISM-1014"
        ],
        "apac-nzl-ism-3-9": [
          "18.3.8.C.01",
          "18.3.9.C.01",
          "18.3.9.C.02",
          "18.3.10.C.01",
          "18.3.11.C.01",
          "18.3.11.C.02",
          "18.3.12.C.01",
          "18.3.12.C.02",
          "18.3.13.C.01",
          "18.3.13.C.02",
          "18.3.13.C.03",
          "18.3.14.C.01",
          "18.3.14.C.02",
          "18.3.15.C.01",
          "18.3.15.C.02",
          "18.3.16.C.01",
          "18.3.16.C.02",
          "18.3.16.C.03",
          "18.3.17.C.01"
        ]
      }
    },
    {
      "control_id": "AST-22",
      "title": "Microphones & Web Cameras",
      "family": "AST",
      "description": "Mechanisms exist to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive/regulated information is discussed.",
      "scf_question": "Does the organization configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive/regulated information is discussed?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive/regulated information is discussed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-shared-assessments-sig-2025": [
          "N.9"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0559",
          "ISM-1450"
        ]
      }
    },
    {
      "control_id": "AST-23",
      "title": "Multi-Function Devices (MFD)",
      "family": "AST",
      "description": "Mechanisms exist to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.",
      "scf_question": "Does the organization securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "usa-federal-irs-1075-2021": [
          "3.3.5",
          "3.3.5.a-1",
          "3.3.5.b-1",
          "3.3.5.a-2",
          "3.3.5.b-2",
          "3.3.5.c-2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0245",
          "ISM-0589",
          "ISM-0590",
          "ISM-1036"
        ],
        "apac-nzl-ism-3-9": [
          "11.2.3.C.01",
          "11.2.4.C.01",
          "11.2.4.C.02",
          "11.2.5.C.01",
          "11.2.6.C.01",
          "11.2.7.C.01",
          "11.2.7.C.02",
          "11.2.8.C.01",
          "11.2.9.C.01",
          "11.2.10.C.01",
          "11.2.11.C.01",
          "11.2.11.C.02",
          "11.2.11.C.03",
          "11.2.11.C.04",
          "11.2.11.C.05",
          "11.2.12.C.01",
          "11.2.12.C.02",
          "11.2.13.C.01",
          "11.2.13.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.5.1"
        ]
      }
    },
    {
      "control_id": "AST-24",
      "title": "Travel-Only Devices",
      "family": "AST",
      "description": "Mechanisms exist to issue personnel travelling overseas with temporary, loaner or \"travel-only\" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than-average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.",
      "scf_question": "Does the organization issue personnel travelling overseas with temporary, loaner or \"travel-only\" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than-average risk for Intellectual Property (IP) theft or espionage against individuals and private companies?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to issue personnel travelling overseas with temporary, loaner or \"travel-only\" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than-average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-6",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.04.12.a",
          "03.04.12.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.12.a"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1088",
          "ISM-1298",
          "ISM-1299",
          "ISM-1300",
          "ISM-1554",
          "ISM-1555",
          "ISM-1556"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.12.A",
          "03.04.12.B"
        ]
      }
    },
    {
      "control_id": "AST-25",
      "title": "Re-Imaging Devices After Travel",
      "family": "AST",
      "description": "Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than-average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.",
      "scf_question": "Does the organization re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than-average risk for Intellectual Property (IP) theft or espionage against individuals and private companies?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than-average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program",
        "large": "∙ IT Asset Management (ITAM) program",
        "enterprise": "∙ IT Asset Management (ITAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-6",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.04.12.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.12.b"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1300",
          "ISM-1556"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.12.B"
        ]
      }
    },
    {
      "control_id": "AST-26",
      "title": "System Administrative Processes",
      "family": "AST",
      "description": "Mechanisms exist to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)",
        "small": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)",
        "medium": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)",
        "large": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)",
        "enterprise": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "apac-aus-ism-2024-june": [
          "ISM-0042",
          "ISM-1380",
          "ISM-1385"
        ],
        "apac-nzl-ism-3-9": [
          "3.4.10.C.01",
          "3.4.10.C.02",
          "5.1.11.C.01",
          "5.1.13.C.01",
          "5.5.3.C.01",
          "5.5.4.C.01",
          "5.5.5.C.01",
          "5.5.6.C.01",
          "18.6.10.C.01"
        ]
      }
    },
    {
      "control_id": "AST-27",
      "title": "Jump Server",
      "family": "AST",
      "description": "Mechanisms exist to conduct remote system administrative functions via a \"jump box\" or \"jump server\" that is located in a separate network zone to user workstations.",
      "scf_question": "Does the organization conduct remote system administrative functions via a \"jump box\" or \"jump server\" that is located in a separate network zone to user workstations?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, (e.g., Configuration Management Database (CMBD) Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct remote system administrative functions via a \"jump box\" or \"jump server\" that is located in a separate network zone to user workstations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.01.12.a",
          "03.01.12.c"
        ],
        "general-swift-cscf-2025": [
          "1.5",
          "2.6"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.F"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-41"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P4",
          "ML3-P4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1385",
          "ISM-1387"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.A",
          "03.01.12.C"
        ]
      }
    },
    {
      "control_id": "AST-28",
      "title": "Database Administrative Processes",
      "family": "AST",
      "description": "Mechanisms exist to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases.",
      "scf_question": "Does the organization develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Databases containing sensitive/regulated data use a cryptographic mechanism to prevent the unauthorized disclosure of information in the database (e.g., column-level, Transparent Data Encryption (TDE), etc.).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, (e.g., Configuration Management Database (CMBD) Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Spreadsheet asset inventory",
        "small": "∙ Asset inventory spreadsheet\n∙ Asset ownership assignment",
        "medium": "∙ Asset management tool (e.g., Snipe-IT)\n∙ Asset classification policy",
        "large": "∙ Enterprise asset management platform (e.g., ServiceNow CMDB, Lansweeper)\n∙ Automated discovery",
        "enterprise": "∙ Enterprise CMDB (e.g., ServiceNow)\n∙ Automated network discovery\n∙ Asset lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-swift-cscf-2025": [
          "6.3"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-8"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0393",
          "ISM-1243",
          "ISM-1255",
          "ISM-1256",
          "ISM-1268",
          "ISM-1269",
          "ISM-1270",
          "ISM-1271",
          "ISM-1272",
          "ISM-1273",
          "ISM-1274",
          "ISM-1275",
          "ISM-1276",
          "ISM-1277",
          "ISM-1278"
        ],
        "apac-nzl-ism-3-9": [
          "3.4.10.C.01",
          "3.4.10.C.02",
          "5.1.11.C.01",
          "5.1.13.C.01",
          "5.5.3.C.01",
          "5.5.4.C.01",
          "5.5.5.C.01",
          "5.5.6.C.01",
          "20.4.3.C.01",
          "20.4.3.C.02",
          "20.4.3.C.03",
          "20.4.3.C.04",
          "20.4.4.C.01",
          "20.4.4.C.02",
          "20.4.5.C.01",
          "20.4.5.C.02",
          "20.4.6.C.01",
          "20.4.6.C.02"
        ]
      }
    },
    {
      "control_id": "AST-28.1",
      "title": "Database Management System (DBMS)",
      "family": "AST",
      "description": "Mechanisms exist to implement and maintain Database Management Systems (DBMSs), where applicable.",
      "scf_question": "Does the organization implement and maintain Database Management Systems (DBMSs), where applicable?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Database administrators implement and maintain Database Management Systems (DBMSs), where applicable.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, (e.g., Configuration Management Database (CMBD) Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement and maintain Database Management Systems (DBMSs), where applicable.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Database Management System (DBMS)",
        "small": "∙ Database Management System (DBMS)",
        "medium": "∙ Database Management System (DBMS)",
        "large": "∙ Database Management System (DBMS)",
        "enterprise": "∙ Database Management System (DBMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-swift-cscf-2025": [
          "6.3"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.4.6"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1245",
          "ISM-1246",
          "ISM-1247",
          "ISM-1249",
          "ISM-1250",
          "ISM-1260",
          "ISM-1263"
        ],
        "apac-nzl-ism-3-9": [
          "20.4.3.C.01",
          "20.4.3.C.02",
          "20.4.3.C.03",
          "20.4.3.C.04",
          "20.4.4.C.01",
          "20.4.4.C.02",
          "20.4.5.C.01",
          "20.4.5.C.02",
          "20.4.6.C.01",
          "20.4.6.C.02"
        ]
      }
    },
    {
      "control_id": "AST-29",
      "title": "Radio Frequency Identification (RFID) Security",
      "family": "AST",
      "description": "Mechanisms exist to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.",
      "scf_question": "Does the organization securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ Enhanced security requirements for Bluetooth and wireless devices in sensitive/regulated areas are primarily administrative and preventative in nature.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, (e.g., Configuration Management Database (CMBD) Asset Management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "apac-nzl-ism-3-9": [
          "11.6.59.C.01",
          "11.6.59.C.02",
          "11.6.60.C.01",
          "11.6.60.C.02",
          "11.6.60.C.03",
          "11.6.60.C.04",
          "11.6.61.C.01",
          "11.6.61.C.02",
          "11.6.62.C.01",
          "11.6.62.C.02",
          "11.6.62.C.03",
          "11.6.63.C.01",
          "11.6.63.C.02",
          "11.6.64.C.01",
          "11.6.65.C.01",
          "11.6.65.C.02",
          "11.6.65.C.03",
          "11.6.66.C.01",
          "11.6.67.C.01",
          "11.6.67.C.02",
          "11.6.68.C.01",
          "11.6.69.C.01",
          "11.6.70.C.01",
          "11.6.71.C.01",
          "11.6.72.C.01",
          "11.6.72.C.02",
          "11.6.72.C.03"
        ]
      }
    },
    {
      "control_id": "AST-29.1",
      "title": "Contactless Access Control Systems",
      "family": "AST",
      "description": "Mechanisms exist to securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.",
      "scf_question": "Does the organization securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "apac-nzl-ism-3-9": [
          "11.7.29.C.01",
          "11.7.29.C.02",
          "11.7.30.C.01",
          "11.7.30.C.02",
          "11.7.30.C.03",
          "11.7.31.C.01",
          "11.7.31.C.02",
          "11.7.32.C.01",
          "11.7.32.C.02",
          "11.7.32.C.03",
          "11.7.32.C.04",
          "11.7.33.C.01",
          "11.7.33.C.02",
          "11.7.33.C.03",
          "11.7.34.C.01"
        ]
      }
    },
    {
      "control_id": "AST-30",
      "title": "Decommissioning",
      "family": "AST",
      "description": "Mechanisms exist to ensure Technology Assets, Applications and/or Services (TAAS) are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization ensure Technology Assets, Applications and/or Services (TAAS) are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations?",
      "relative_weight": 4,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).\n▪ IT personnel collect technology assets and media for destruction when they are no longer needed for business or legal reasons.\n▪ Asset decommissioning consists mainly of wiping hard drives.",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure Technology Assets, Applications and/or Services (TAAS) are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program",
        "large": "∙ IT Asset Management (ITAM) program",
        "enterprise": "∙ IT Asset Management (ITAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.7"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.7"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-011-3 2.2"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "11-3.a(5)(a)",
          "11-3.a(5)(b)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-3"
        ],
        "apac-nzl-ism-3-9": [
          "2.3.30.C.01",
          "13.1.9.C.01",
          "13.1.10.C.01",
          "13.1.10.C.02",
          "13.1.10.C.03",
          "13.1.10.C.04",
          "13.1.11.C.01",
          "13.1.12.C.01",
          "13.1.12.C.02",
          "13.1.12.C.03",
          "13.1.13.C.01",
          "13.1.13.C.02",
          "13.1.13.C.03",
          "13.1.13.C.04",
          "13.1.14.C.01"
        ]
      }
    },
    {
      "control_id": "AST-31",
      "title": "Asset Categorization",
      "family": "AST",
      "description": "Mechanisms exist to categorize Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization categorize Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-24"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organizational-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to categorize Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "small": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "medium": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "large": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MAP 2.0"
        ],
        "general-nist-800-171-r3": [
          "03.01.03"
        ],
        "general-sparta": [
          "CM0022"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "TM:SG1",
          "TM:SG1.SP1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-2c",
          "ASSET-2d"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03"
        ]
      }
    },
    {
      "control_id": "AST-31.1",
      "title": "Categorize Artificial Intelligence (AI)-Related Technologies",
      "family": "AST",
      "description": "Mechanisms exist to categorize Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization categorize Artificial Intelligence (AI) and Autonomous Technologies (AAT)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-24"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to categorize Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Data classification scheme\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management Database (CMDB)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "MAP 2.0"
        ],
        "general-shared-assessments-sig-2025": [
          "R.9"
        ]
      }
    },
    {
      "control_id": "AST-31.2",
      "title": "High-Risk Asset Categorization",
      "family": "AST",
      "description": "Mechanisms exist to categorize a system and/or service as \"High Risk\" if it poses a significant risk of harm to an individual's:\n(1) Health;\n(2) Safety; and/or\n(3) Fundamental human rights.",
      "scf_question": "Does the organization categorize a system and/or service as \"High Risk\" if it poses a significant risk of harm to an individual's:\n(1) Health;\n(2) Safety; and/or\n(3) Fundamental human rights?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to categorize a system and/or service as \"High Risk\" if it poses a significant risk of harm to an individual's:\n(1) Health;\n(2) Safety; and/or\n(3) Fundamental human rights.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Spreadsheet asset inventory",
        "small": "∙ Asset inventory spreadsheet\n∙ Asset ownership assignment",
        "medium": "∙ Asset management tool (e.g., Snipe-IT)\n∙ Asset classification policy",
        "large": "∙ Enterprise asset management platform (e.g., ServiceNow CMDB, Lansweeper)\n∙ Automated discovery",
        "enterprise": "∙ Enterprise CMDB (e.g., ServiceNow)\n∙ Automated network discovery\n∙ Asset lifecycle management"
      },
      "risks": [
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "I&S-08"
        ],
        "emea-eu-ai-act-2024": [
          "Article 6.3"
        ]
      }
    },
    {
      "control_id": "AST-31.3",
      "title": "Asset Attributes",
      "family": "AST",
      "description": "Mechanisms exist to dynamically associate asset-specific attributes to enable Attribute-Based Access Control (ABAC).",
      "scf_question": "Does the organization dynamically associate asset-specific attributes to enable Attribute-Based Access Control (ABAC)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to dynamically associate asset-specific attributes to enable Attribute-Based Access Control (ABAC).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Spreadsheet asset inventory",
        "small": "∙ Asset inventory spreadsheet\n∙ Asset ownership assignment",
        "medium": "∙ Asset management tool (e.g., Snipe-IT)\n∙ Asset classification policy",
        "large": "∙ Enterprise asset management platform (e.g., ServiceNow CMDB, Lansweeper)\n∙ Automated discovery",
        "enterprise": "∙ Enterprise CMDB (e.g., ServiceNow)\n∙ Automated network discovery\n∙ Asset lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.1",
          "3.4.6",
          "5.1.2"
        ]
      }
    },
    {
      "control_id": "AST-32",
      "title": "Automated Network Asset Discovery",
      "family": "AST",
      "description": "Mechanisms exist to automate network asset discovery through Software Defined Networking (SDN), or similar technologies, that analyze network traffic to:\n(1) Identify;\n(2) Document; and\n(3) Track devices.",
      "scf_question": "Does the organization automate network asset discovery through Software Defined Networking (SDN), or similar technologies, that analyze network traffic to:\n(1) Identify;\n(2) Document; and\n(3) Track devices?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Asset Management (AST) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with AST domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Asset management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Asset Management (AST) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Asset management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The IT department establishes, maintains and updates an inventory that contains a listing of all organization-owned TAASD, at a minimum covering common devices (e.g., laptops, workstations and servers).",
        "3": "Asset Management (AST) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with AST domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with AST domain capabilities are well-documented and kept current by process owners.\n▪ An IT Asset Management (ITAM) team, or similar function, is appropriately staffed and supported to implement and maintain AST domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of ITAM operations (e.g., ITAM platform, Configuration Management Database (CMDB), asset management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with AST domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automate network asset discovery through Software Defined Networking (SDN), or similar technologies, that analyze network traffic to:\n(1) Identify;\n(2) Document; and\n(3) Track devices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Spreadsheet asset inventory",
        "small": "∙ Asset inventory spreadsheet\n∙ Asset ownership assignment",
        "medium": "∙ Asset management tool (e.g., Snipe-IT)\n∙ Asset classification policy",
        "large": "∙ Enterprise asset management platform (e.g., ServiceNow CMDB, Lansweeper)\n∙ Automated discovery",
        "enterprise": "∙ Enterprise CMDB (e.g., ServiceNow)\n∙ Automated network discovery\n∙ Asset lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-SA-1",
        "R-SA-2"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Asset Management",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "5.2.4",
          "7.2.4"
        ]
      }
    },
    {
      "control_id": "BCD-01",
      "title": "Business Continuity Management System (BCMS)",
      "family": "BCD",
      "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
      "scf_question": "Does the organization facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify single points of failure from a TAASD perspective.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to develop BC/DR plans to recover business-critical TAASD.\n▪ Data/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify TAASD that are critical to the business, as well as single points of failure.\n▪ Business stakeholders and process owners designate alternative decision-makers if primary decision-makers are unavailable.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or BC/DR playbooks).",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities are not only standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), but are also metrics-driven, providing sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Business Impact Analysis (BIA)\n∙ Criticality assessments"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.4-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.2-POF1",
          "A1.2-POF2",
          "A1.2-POF3",
          "A1.2-POF4",
          "A1.2-POF5",
          "A1.2-POF6",
          "A1.2-POF10",
          "A1.2-POF11",
          "CC7.4-POF5",
          "CC7.5",
          "CC7.5-POF1",
          "CC7.5-POF2",
          "CC7.5-POF4",
          "CC7.5-POF5",
          "CC8.1-POF15",
          "CC9.1",
          "CC9.1-POF1",
          "CC9.1-POF2"
        ],
        "general-cis-csc-8-1": [
          "11.0",
          "11.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "11.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "11.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "11.1"
        ],
        "general-cobit-2019": [
          "APO14.10",
          "DSS04.01",
          "DSS04.02",
          "DSS04.03",
          "DSS04.07"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-01",
          "BCR-02",
          "BCR-03",
          "BCR-05",
          "BCR-09"
        ],
        "general-csa-iot-2": [
          "GVN-03"
        ],
        "general-cr-cmm-2026": [
          "CR5.1.1"
        ],
        "general-govramp": [
          "CP-01",
          "CP-02",
          "CP-10",
          "IR-04(03)"
        ],
        "general-govramp-core": [
          "CP-10"
        ],
        "general-govramp-low": [
          "CP-01",
          "CP-02",
          "CP-10"
        ],
        "general-govramp-low-plus": [
          "CP-01",
          "CP-02",
          "CP-10"
        ],
        "general-govramp-mod": [
          "CP-01",
          "CP-02",
          "CP-10"
        ],
        "general-govramp-high": [
          "CP-01",
          "CP-02",
          "CP-10",
          "IR-04(03)"
        ],
        "general-iec-62443-2-1-2024": [
          "AVAIL 1.1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.10(a)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.1",
          "3.5.3",
          "3.5.5",
          "3.5.6",
          "3.5.6.1"
        ],
        "general-iso-22301-2019": [
          "4.4",
          "6.1.1",
          "6.1.1(a)",
          "6.1.1(b)",
          "6.1.1(c)",
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(b)",
          "6.1.2(b)(1)",
          "6.1.2(b)(2)",
          "6.2.1",
          "6.2.1(a)",
          "6.2.1(b)",
          "6.2.1(c)",
          "6.2.1(d)",
          "6.2.1(e)",
          "6.2.1(f)",
          "6.2.2",
          "6.2.2(a)",
          "6.2.2(b)",
          "6.2.2(c)",
          "6.2.2(d)",
          "6.2.2(e)",
          "7.4",
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.2(a)",
          "7.5.2(b)",
          "7.5.2(c)",
          "8.3.1",
          "8.3.2",
          "8.3.2(a)",
          "8.3.2(b)",
          "8.3.2(c)",
          "8.3.2(d)",
          "8.3.2(e)",
          "8.3.2(f)",
          "8.3.3",
          "8.3.3(a)",
          "8.3.3(b)",
          "8.3.3(c)",
          "8.3.5",
          "8.4.1",
          "8.4.1(a)",
          "8.4.1(b)",
          "8.4.1(c)",
          "8.4.1(d)",
          "8.4.1(e)",
          "8.4.3",
          "8.4.3.1",
          "8.4.3.1(a)",
          "8.4.3.1(b)",
          "8.4.3.1(c)",
          "8.4.3.1(d)",
          "8.4.3.1(e)",
          "8.4.3.1(f)",
          "8.4.3.2",
          "8.4.3.2(a)",
          "8.4.3.2(b)",
          "8.4.4.1",
          "8.4.4.2",
          "8.4.4.2(a)",
          "8.4.4.2(a)(1)",
          "8.4.4.2(a)(2)",
          "8.4.4.2(b)",
          "8.4.4.2(c)",
          "8.4.4.2(d)",
          "8.4.4.2(d)(1)",
          "8.4.4.2(d)(2)",
          "8.4.4.2(d)(3)",
          "8.4.4.3",
          "8.4.4.3(a)",
          "8.4.4.3(b)",
          "8.4.4.3(c)",
          "8.4.4.3(d)",
          "8.4.4.3(e)",
          "8.4.4.3(f)",
          "8.4.4.3(g)",
          "8.4.4.3(h)"
        ],
        "general-iso-27002-2022": [
          "5.29",
          "5.3"
        ],
        "general-iso-27017-2015": [
          "17.1.1",
          "17.1.2"
        ],
        "general-iso-27018-2025": [
          "5.29",
          "5.30",
          "8.13(a)"
        ],
        "general-mitre-att&ck-16-1": [
          "T1485",
          "T1486",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1561",
          "T1561.001",
          "T1561.002"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2",
          "OR-1.3"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)(c)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 6.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MG-2.3-001"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P7"
        ],
        "general-nist-800-53-r4": [
          "CP-1",
          "CP-2",
          "IR-4(3)",
          "PM-8",
          "CP-10"
        ],
        "general-nist-800-53-r5-2": [
          "CP-01",
          "CP-02",
          "CP-10",
          "IR-04(03)",
          "PM-08"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CP-01",
          "CP-02",
          "CP-10",
          "IR-04(03)",
          "PM-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "CP-01",
          "CP-02",
          "CP-10"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)"
        ],
        "general-nist-800-82-r3": [
          "CP-01",
          "CP-02",
          "CP-10",
          "IR-04(03)",
          "PM-08"
        ],
        "general-nist-800-82-r3-low": [
          "CP-01",
          "CP-02",
          "CP-10",
          "PM-08"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-01",
          "CP-02",
          "CP-10",
          "PM-08"
        ],
        "general-nist-800-82-r3-high": [
          "CP-01",
          "CP-02",
          "CP-10",
          "PM-08"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(03)"
        ],
        "general-nist-800-161-r1": [
          "CP-1",
          "CP-2",
          "PM-8"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CP-1",
          "CP-2"
        ],
        "general-nist-800-161-r1-level-1": [
          "CP-1",
          "PM-8"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-1",
          "CP-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-1",
          "CP-2"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-08",
          "ID.IM-04",
          "PR.IR-02",
          "PR.IR-03",
          "RS.MA-05",
          "RC",
          "RC.RP",
          "RC.RP-02",
          "RC.RP-04"
        ],
        "general-shared-assessments-sig-2025": [
          "K.4"
        ],
        "general-tisax-6-0-3": [
          "5.2.8"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "COMM:SG1",
          "COMM:SG1.SP1",
          "COMM:SG1.SP2",
          "COMM:SG1.SP3",
          "COMM:SG2",
          "COMM:SG2.SP1",
          "COMM:SG2.SP2",
          "COMM:SG2.SP3",
          "COMM:SG3",
          "COMM:SG3.SP1",
          "COMM:SG3.SP2",
          "COMM:GG1.GP1",
          "COMM:GG2",
          "COMM:GG2.GP2",
          "EC:SG1",
          "EC:SG4.SP1",
          "EC:SG4.SP3",
          "EC:SG4.SP4",
          "SC:SG3.SP2",
          "SC:SG3.SP3",
          "SC:SG3.SP4",
          "SC:SG3.SP5",
          "SC:SG4",
          "SC:SG4.SP1",
          "SC:SG4.SP2",
          "SC:SG5",
          "SC:SG5.SP1",
          "SC:SG5.SP2",
          "SC:SG5.SP3",
          "SC:SG5.SP4",
          "SC:SG6",
          "SC:SG6.SP1",
          "SC:SG6.SP2",
          "SC:SG7",
          "SC:SG7.SP1",
          "SC:SG7.SP2",
          "SC:GG1.GP1",
          "SC:GG2",
          "SC:GG2.GP2",
          "TM:SG5",
          "TM:SG5.SP1",
          "TM:SG5.SP2",
          "TM:SG5.SP3",
          "TM:SG5.SP4",
          "TM:GG1.GP1",
          "TM:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.IRPIH",
          "3.UNI.RESIL"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "5.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-1",
          "CP-2",
          "CP-10"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4d"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(3)(iii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-01",
          "CP-02",
          "CP-10",
          "IR-04(03)",
          "PM-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-01",
          "CP-02",
          "CP-10",
          "IR-04(03)",
          "PM-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-01",
          "CP-02",
          "CP-10",
          "IR-04(03)",
          "PM-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-01",
          "CP-02",
          "CP-10",
          "IR-04(03)",
          "PM-08"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(i)",
          "164.308(a)(7)(ii)(C)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(i)",
          "164.308(a)(7)(ii)(C)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-1",
          "CP-2",
          "CP-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-1",
          "CP-2",
          "CP-2.a.1",
          "CP-2.a.2",
          "CP-2.a.3",
          "CP-2.a.4",
          "CP-2.a.5",
          "CP-2.a.6",
          "CP-2.b",
          "CP-2.c",
          "CP-2.d",
          "CP-2.e",
          "CP-2.f",
          "CP-2.g",
          "CP-2-IS.1",
          "CP-10",
          "PM-8"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.6",
          "CIP-009-6 R1",
          "CIP-009-6 R2",
          "CIP-009-6 R3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(18)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(5)",
          "500.3(e)",
          "500.16(a)(2)",
          "500.16(a)(2)(i)",
          "500.16(a)(2)(ii)",
          "500.16(a)(2)(iii)",
          "500.16(a)(2)(iv)",
          "500.16(a)(2)(v)",
          "500.16(a)(2)(vi)",
          "500.16(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-01",
          "CP-02",
          "CP-10"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CP-01",
          "CP-02",
          "CP-10"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-01",
          "CP-02",
          "CP-10"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7(77)",
          "3.7.1(78)",
          "3.7.1(79)",
          "3.7.2(80)",
          "3.7.2(81)",
          "3.7.2(82)",
          "3.7.3(83)",
          "3.7.3(84)(a)",
          "3.7.3(84)(b)",
          "3.7.3(84)(c)",
          "3.7.3(85)",
          "3.7.3(86)"
        ],
        "emea-eu-dora-2023": [
          "Article 11.1",
          "Article 11.2",
          "Article 11.2(a)",
          "Article 11.2(b)",
          "Article 11.2(c)",
          "Article 11.2(d)",
          "Article 11.2(e)",
          "Article 11.3",
          "Article 11.4",
          "Article 11.5",
          "Article 11.6(a)",
          "Article 11.6(b)",
          "Article 11.7",
          "Article 11.8",
          "Article 11.9",
          "Article 11.10",
          "Article 11.11",
          "Article 12.1",
          "Article 12.1(a)",
          "Article 12.1(b)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 32.1(c)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.1.2",
          "4.1.1",
          "4.1.2",
          "4.1.2(a)",
          "4.1.2(b)",
          "4.1.2(c)",
          "4.1.2(d)",
          "4.1.2(e)",
          "4.1.2(f)",
          "4.1.2(g)",
          "4.1.2(h)",
          "4.2.2",
          "4.2.5",
          "4.3.1",
          "12.1.2(c)",
          "13.2.2(a)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "10.1",
          "10.2",
          "10.3",
          "10.5"
        ],
        "emea-deu-c5-2020": [
          "BCM-01",
          "BCM-02",
          "BCM-03"
        ],
        "emea-isr-cmo-1-0": [
          "11.7",
          "25.1"
        ],
        "emea-sau-cscc-1-2019": [
          "2-8",
          "3-1",
          "3-1-1-1",
          "3-1-1-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-8-1",
          "2-12-2",
          "3-1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-4-4",
          "2-9-1",
          "2-9-2",
          "2-9-3",
          "2-9-3-1",
          "2-9-4",
          "3-1-1",
          "3-1-2",
          "3-1-3",
          "3-1-3-1",
          "3-1-3-2",
          "3-1-3-3",
          "3-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "3-1",
          "3-1-1",
          "3-1-1-1",
          "3-1-1-2",
          "3-1-1-3",
          "3-1-1-4",
          "3-1-1-5",
          "3-1-1-6",
          "3-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-67",
          "TPC-68",
          "TPC-69"
        ],
        "emea-zaf-popia-2013": [
          "19.1",
          "19.2"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 26"
        ],
        "emea-esp-decree-311-2022": [
          "26"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.5.1 [OP.CONT.1]",
          "7.5.2 [OP.CONT.2]"
        ],
        "emea-uae-niaf-2023": [
          "3.4",
          "3.4.1",
          "3.4.2",
          "3.4.3"
        ],
        "emea-gbr-caf-4-0": [
          "B5.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "D1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2501",
          "2502",
          "4100"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2501",
          "2502",
          "4100"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2501",
          "4100"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2501",
          "4100"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0734"
        ],
        "apac-aus-ps-cps-230-2023": [
          "12(b)",
          "14",
          "34(a)",
          "34(b)",
          "34(c)",
          "34(d)",
          "34(e)",
          "40(a)",
          "40(b)",
          "40(c)",
          "40(d)",
          "40(e)",
          "41"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 33",
          "Article 34(4)"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S11",
          "RC.RP.S1",
          "RC.RP.S4",
          "RS.MA.S3"
        ],
        "apac-jpn-ismap": [
          "5.1.1.13",
          "17",
          "17.1",
          "17.1.1",
          "17.1.1.1",
          "17.1.1.2",
          "17.1.1.3",
          "17.1.1.4",
          "17.1.3",
          "17.1.3.1",
          "17.1.3.4"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP08",
          "HHSP24",
          "HHSP56",
          "HHSP61",
          "HML08",
          "HML24",
          "HML61"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS21"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP08",
          "HSUP22",
          "HSUP53"
        ],
        "apac-nzl-ism-3-9": [
          "6.4.5.C.01",
          "6.4.7.C.01",
          "6.4.8.C.01",
          "23.4.12.C.01",
          "23.4.12.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.1.1",
          "8.1.2",
          "8.1.3",
          "8.1.4",
          "8.2.1",
          "8.2.2",
          "8.2.3",
          "8.2.4",
          "8.5.1",
          "8.5.2",
          "8.5.2(a)",
          "8.5.2(b)",
          "8.5.2(c)"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.14",
          "7.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.9"
        ],
        "americas-can-osfi-b13-2022": [
          "2.9",
          "2.9.1"
        ]
      }
    },
    {
      "control_id": "BCD-01.1",
      "title": "Coordinate with Related Plans",
      "family": "BCD",
      "description": "Mechanisms exist to coordinate contingency plan development with internal and external elements responsible for related plans.",
      "scf_question": "Does the organization coordinate contingency plan development with internal and external elements responsible for related plans?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify single points of failure from a TAASD perspective.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to coordinate contingency plan development with internal and external elements responsible for related plans.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)",
        "small": "∙ Incident Response Plan (IRP)",
        "medium": "∙ Incident Response Plan (IRP)",
        "large": "∙ Incident Response Plan (IRP)",
        "enterprise": "∙ Incident Response Plan (IRP)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "BCR-06"
        ],
        "general-cr-cmm-2026": [
          "CR5.2.1"
        ],
        "general-govramp": [
          "CP-02(01)"
        ],
        "general-govramp-mod": [
          "CP-02(01)"
        ],
        "general-govramp-high": [
          "CP-02(01)"
        ],
        "general-iso-27002-2022": [
          "5.29",
          "5.3"
        ],
        "general-iso-27018-2025": [
          "5.29",
          "5.30"
        ],
        "general-nist-800-53-r4": [
          "CP-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-02(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-02(01)"
        ],
        "general-nist-800-82-r3": [
          "CP-02(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-02(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-02(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-02(01)"
        ],
        "general-nist-800-161-r1": [
          "CP-2(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-2(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-2(1)"
        ],
        "general-nist-csf-2-0": [
          "RC.CO"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-2(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-02(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-02(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-2(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-2(1)"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.3.3"
        ],
        "emea-isr-cmo-1-0": [
          "25.2"
        ],
        "emea-sau-ecc-1-2018": [
          "3-1-3-2"
        ]
      }
    },
    {
      "control_id": "BCD-01.2",
      "title": "Coordinate With External Service Providers",
      "family": "BCD",
      "description": "Mechanisms exist to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.",
      "scf_question": "Does the organization coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify single points of failure from a TAASD perspective.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "BCR-06"
        ],
        "general-csa-iot-2": [
          "OPA-05"
        ],
        "general-iso-27002-2022": [
          "5.29",
          "5.3"
        ],
        "general-iso-27018-2025": [
          "5.29",
          "5.30"
        ],
        "general-nist-800-53-r4": [
          "CP-2(7)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-02(07)"
        ],
        "general-nist-800-82-r3": [
          "CP-02(07)"
        ],
        "general-nist-800-161-r1": [
          "CP-2(7)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CP-2(7)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-2(7)"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-08",
          "RC.CO"
        ],
        "emea-sau-ecc-1-2018": [
          "3-1-3-2"
        ],
        "apac-ind-sebi-2024": [
          "GV.SC.S6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.9"
        ]
      }
    },
    {
      "control_id": "BCD-01.3",
      "title": "Transfer to Alternate Processing / Storage Site",
      "family": "BCD",
      "description": "Mechanisms exist to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan.",
      "scf_question": "Does the organization redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "CP-2(6)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-02(06)"
        ],
        "general-nist-800-82-r3": [
          "CP-02(06)"
        ]
      }
    },
    {
      "control_id": "BCD-01.4",
      "title": "Recovery Time / Point Objectives (RTO / RPO)",
      "family": "BCD",
      "description": "Mechanisms exist to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
      "scf_question": "Does the organization facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-02",
        "E-BCM-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "BCR-03"
        ],
        "general-govramp": [
          "CP-06(02)",
          "CP-10"
        ],
        "general-govramp-core": [
          "CP-10"
        ],
        "general-govramp-low": [
          "CP-10"
        ],
        "general-govramp-low-plus": [
          "CP-10"
        ],
        "general-govramp-mod": [
          "CP-10"
        ],
        "general-govramp-high": [
          "CP-06(02)",
          "CP-10"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.6.1"
        ],
        "general-iso-22301-2019": [
          "8.4.5"
        ],
        "general-nist-800-53-r4": [
          "CP-6(2)",
          "CP-10"
        ],
        "general-nist-800-53-r5-2": [
          "CP-06(02)",
          "CP-10"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CP-10"
        ],
        "general-nist-800-53-r5-2-low": [
          "CP-10"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-06(02)"
        ],
        "general-nist-800-82-r3": [
          "CP-06(02)",
          "CP-10"
        ],
        "general-nist-800-82-r3-low": [
          "CP-10"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-10"
        ],
        "general-nist-800-82-r3-high": [
          "CP-06(02)",
          "CP-10"
        ],
        "general-nist-csf-2-0": [
          "RC.RP",
          "RC.RP-02",
          "RC.RP-04"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-10"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4g"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-06(02)",
          "CP-10"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-10"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-10"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)(2)(v)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-10"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CP-10"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-10"
        ],
        "emea-eu-dora-2023": [
          "Article 12.6"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.1.2(f)",
          "4.2.2(a)"
        ],
        "emea-deu-c5-2020": [
          "OPS-06",
          "OPS-08",
          "OPS-09"
        ],
        "emea-sau-ecc-1-2018": [
          "2-9-3-2"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P8",
          "ML2-P8",
          "ML3-P8"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1810"
        ],
        "apac-aus-ps-cps-230-2023": [
          "38(a)",
          "38(b)",
          "38(c)",
          "39"
        ],
        "apac-ind-sebi-2024": [
          "RC.RP.S2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP24",
          "HML24"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP22"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.1.4",
          "8.2.1"
        ],
        "americas-can-osfi-b13-2022": [
          "2.9",
          "2.9.1"
        ]
      }
    },
    {
      "control_id": "BCD-01.5",
      "title": "Recovery Operations Criteria",
      "family": "BCD",
      "description": "Mechanisms exist to define specific criteria that must be met to initiate Business Continuity / Disaster Recovery (BC/DR) plans that facilitate business continuity operations capable of meeting applicable Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
      "scf_question": "Does the organization define specific criteria that must be met to initiate Business Continuity / Disaster Recovery (BC/DR) plans that facilitate business continuity operations capable of meeting applicable Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-14"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS).\n▪ Recovery Time Objectives (RTOs) and/or Recovery Point Objectives (RPOs) are not formally planned for, nor are resources allocated to meet them.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define specific criteria that must be met to initiate Business Continuity / Disaster Recovery (BC/DR) plans that facilitate business continuity operations capable of meeting applicable Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)\n∙ Recovery Time Objectives (RTOs)\n∙ Recovery Point Objectives (RPOs)"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-7",
        "MT-8",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "BCR-03"
        ],
        "general-nist-csf-2-0": [
          "RS.MA-05",
          "RC.RP-01"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4h"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-009-6 1.1"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)(2)(ii)"
        ],
        "emea-uae-niaf-2023": [
          "3.4.2"
        ],
        "apac-ind-sebi-2024": [
          "RC.RP.S1"
        ],
        "americas-can-osfi-b13-2022": [
          "2.9.1"
        ]
      }
    },
    {
      "control_id": "BCD-01.6",
      "title": "Recovery Operations Communications",
      "family": "BCD",
      "description": "Mechanisms exist to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.",
      "scf_question": "Does the organization communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify single points of failure from a TAASD perspective.\n▪ Within the BC/DR plans, alternate communications channels are defined if primary means of communication are unavailable.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.5-POF2"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-07"
        ],
        "general-nist-csf-2-0": [
          "RC.CO-03"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)(2)(iii)"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.1.2(c)"
        ]
      }
    },
    {
      "control_id": "BCD-01.7",
      "title": "Business Continuity & Disaster Recovery (BC/DR) Plans",
      "family": "BCD",
      "description": "Mechanisms exist for process owners to establish and maintain formal Business Continuity & Disaster Recovery (BC/DR) plans to ensure information is detailed enough, accurate and representative of current operations in order to sustain and/or restore operations under adverse conditions.",
      "scf_question": "Does the organization process owners to establish and maintain formal Business Continuity & Disaster Recovery (BC/DR) plans to ensure information is detailed enough, accurate and representative of current operations in order to sustain and/or restore operations under adverse conditions?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-BCM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS) and services.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to develop BC/DR plans to recover business-critical TAASD.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to for process owners to establish and maintain formal Business Continuity & Disaster Recovery (BC/DR) plans to ensure information is detailed enough, accurate and representative of current operations in order to sustain and/or restore operations under adverse conditions.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic business continuity plan\n∙ Regular data backup",
        "small": "∙ Business continuity plan\n∙ Tested backup and restore procedures",
        "medium": "∙ Formal BCP/DRP program\n∙ Regular backup testing\n∙ Alternate processing capability",
        "large": "∙ Enterprise BCP/DRP program\n∙ DR site\n∙ Annual exercises\n∙ RTO/RPO targets",
        "enterprise": "∙ Enterprise BC/DR platform (e.g., Zerto, Veeam Enterprise)\n∙ Dedicated DR site\n∙ Automated failover\n∙ Annual DR exercises"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-24",
        "MT-27"
      ],
      "errata": "- new control (C2M2)",
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR5.1.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EC:SG1.SP1",
          "PM:SG3.SP3",
          "PM:SG3.SP4",
          "PM:SG3.SP5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4a",
          "RESPONSE-4e",
          "RESPONSE-4f",
          "RESPONSE-4g",
          "RESPONSE-4m"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-2",
          "CP-2.a"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-02-SID"
        ],
        "apac-jpn-ismap": [
          "12.2.1.10",
          "12.2.1.11",
          "17.1.2",
          "17.1.2.1",
          "17.1.2.2",
          "17.1.2.3",
          "17.1.2.4",
          "17.1.2.5",
          "17.1.2.6"
        ]
      }
    },
    {
      "control_id": "BCD-02",
      "title": "Identify Critical Assets",
      "family": "BCD",
      "description": "Mechanisms exist to identify and document the critical Technology Assets, Applications, Services and/or Data (TAASD) that support essential missions and business functions.",
      "scf_question": "Does the organization identify and document the critical Technology Assets, Applications, Services and/or Data (TAASD) that support essential missions and business functions?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS) and services.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify single points of failure from a TAASD perspective.\n▪ Production TAASD support business-critical application and services failover.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to develop BC/DR plans to recover business-critical TAASD.\n▪ Data/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify TAASD that are critical to the business, as well as single points of failure.\n▪ Business stakeholders and process owners define 
Recovery Time Objectives (RTOs) for business-critical TAASD.\n▪ Business stakeholders and process owners define Recovery Point Objectives (RPOs) for business-critical TAASD.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document the critical TAASD that support essential missions and business functions.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "small": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "medium": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "large": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "enterprise": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.5"
        ],
        "general-cobit-2019": [
          "APO09.01",
          "BAI04.02",
          "BAI09.02"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-02"
        ],
        "general-cr-cmm-2026": [
          "CR1.1.5"
        ],
        "general-govramp": [
          "CP-02(08)"
        ],
        "general-govramp-low-plus": [
          "CP-02(08)"
        ],
        "general-govramp-mod": [
          "CP-02(08)"
        ],
        "general-govramp-high": [
          "CP-02(08)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.2.1",
          "3.5.3.7",
          "3.5.6"
        ],
        "general-iso-21434-2021": [
          "RQ-15-02"
        ],
        "general-iso-22301-2019": [
          "6.1.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.6"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.BE-P3"
        ],
        "general-nist-800-37-r2": [
          "TASK P-6",
          "TASK P-8"
        ],
        "general-nist-800-53-r4": [
          "CP-2(8)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-02(08)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-02(08)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)"
        ],
        "general-nist-800-82-r3": [
          "CP-02(08)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-02(08)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-02(08)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-02(08)"
        ],
        "general-nist-800-161-r1": [
          "CP-2(8)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-2(8)"
        ],
        "general-nist-csf-2-0": [
          "GV.OC-04",
          "GV.OC-05",
          "ID.AM-05",
          "RC.RP",
          "RC.RP-02",
          "RC.RP-04"
        ],
        "general-scf-dpmp-2025": [
          "11.7"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-tisax-6-0-3": [
          "5.2.8"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG2.SP2",
          "EC:SG1.SP2",
          "TM:SG1.SP2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-2(8)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-1c",
          "ASSET-2c",
          "RISK-2h",
          "RISK-2m",
          "THIRD-PARTIES-1a"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-02(08)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-02(08)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(ii)(E)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(ii)(E)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-2(CE-8)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-2(8)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)(2)(i)",
          "500.16(a)(2)(vi)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.1(78)",
          "3.7.3(83)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.4"
        ],
        "emea-deu-bsrit-2017": [
          "12.2"
        ],
        "emea-deu-c5-2020": [
          "BCM-02"
        ],
        "emea-sau-cscc-1-2019": [
          "2-8-1-1",
          "3-1-1-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-9-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-1-1-5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-24"
        ],
        "emea-uae-niaf-2023": [
          "3.4"
        ],
        "emea-gbr-caf-4-0": [
          "A3.a (point 3)"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "apac-aus-ps-cps-230-2023": [
          "34(a)",
          "35",
          "36(a)",
          "36(b)",
          "36(c)",
          "36(d)",
          "37"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21(b)"
        ],
        "apac-ind-sebi-2024": [
          "ID.AM.S4"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.1.2"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2.2",
          "2.9.2"
        ]
      }
    },
    {
      "control_id": "BCD-02.1",
      "title": "Resume All Missions & Business Functions",
      "family": "BCD",
      "description": "Mechanisms exist to resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation.",
      "scf_question": "Does the organization resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS) and services.\n▪ Recovery Time Objectives (RTOs) and/or Recovery Point Objectives (RPOs) are not formally planned for or resourced to meet.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify single points of failure from a TAASD perspective.\n▪ Production TAASD support business-critical application and services failover.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to develop BC/DR plans to recover business-critical TAASD.\n▪ Business stakeholders and process owners define Recovery Time Objectives (RTOs) for business-critical TAASD.\n▪ Business stakeholders and process owners define Recovery Point Objectives (RPOs) for business-critical TAASD.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.5",
          "CC7.5-POF1"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-03"
        ],
        "general-govramp": [
          "CP-02(03)"
        ],
        "general-govramp-mod": [
          "CP-02(03)"
        ],
        "general-govramp-high": [
          "CP-02(03)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2"
        ],
        "general-nist-800-53-r4": [
          "CP-2(4)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-02(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CP-02(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-02(03)"
        ],
        "general-nist-800-82-r3": [
          "CP-02(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-02(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-02(03)"
        ],
        "general-nist-csf-2-0": [
          "RC.RP",
          "RC.RP-02",
          "RC.RP-04"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "5.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-2(3)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(3)(iii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-02(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-2(CE-3)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-2(3)"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.1.2(h)"
        ],
        "emea-isr-cmo-1-0": [
          "21.15",
          "21.16"
        ],
        "emea-sau-ecc-1-2018": [
          "2-9-3-2"
        ],
        "emea-uae-niaf-2023": [
          "3.4.3"
        ],
        "apac-aus-ps-cps-230-2023": [
          "34(e)"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP35",
          "HML35"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP31"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.9"
        ]
      }
    },
    {
      "control_id": "BCD-02.2",
      "title": "Continue Essential Mission & Business Functions",
      "family": "BCD",
      "description": "Mechanisms exist to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.",
      "scf_question": "Does the organization continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify single points of failure from a TAASD perspective.\n▪ Production TAASD support business-critical application and services failover.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to develop BC/DR plans to recover business-critical TAASD.\n▪ Business stakeholders and process owners define Recovery Time Objectives (RTOs) for business-critical TAASD.\n▪ Business stakeholders and process owners define Recovery Point Objectives (RPOs) for business-critical TAASD.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.5",
          "CC7.5-POF1"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-03"
        ],
        "general-csa-iot-2": [
          "OPA-05"
        ],
        "general-cr-cmm-2026": [
          "CR10.1.1"
        ],
        "general-govramp": [
          "CP-02(05)"
        ],
        "general-govramp-high": [
          "CP-02(05)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2"
        ],
        "general-nist-800-53-r4": [
          "CP-2(5)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-02(05)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-02(05)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)"
        ],
        "general-nist-800-82-r3": [
          "CP-02(05)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-02(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-02(05)"
        ],
        "general-shared-assessments-sig-2025": [
          "K.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "5.A"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-02(05)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(ii)(C)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(ii)(C)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)(2)(iv)"
        ],
        "emea-isr-cmo-1-0": [
          "18.15",
          "25.23"
        ],
        "emea-sau-ecc-1-2018": [
          "2-9-3-2"
        ],
        "apac-aus-ps-cps-230-2023": [
          "34(e)"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP35",
          "HML35"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP31"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.9"
        ]
      }
    },
    {
      "control_id": "BCD-02.3",
      "title": "Resume Essential Missions & Business Functions",
      "family": "BCD",
      "description": "Mechanisms exist to resume essential missions and business functions within an organization-defined time period of contingency plan activation.",
      "scf_question": "Does the organization resume essential missions and business functions within an organization-defined time period of contingency plan activation?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify single points of failure from a TAASD perspective.\n▪ Business stakeholders and process owners define Recovery Time Objectives (RTOs) for business-critical TAASD.\n▪ Business stakeholders and process owners define Recovery Point Objectives (RPOs) for business-critical TAASD.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to resume essential missions and business functions within an organization-defined time period of contingency plan activation.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Business Continuity Plan (BCP)\n∙ Disaster Recovery Plan (DRP)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.5",
          "CC7.5-POF1"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-03"
        ],
        "general-govramp": [
          "CP-02(03)"
        ],
        "general-govramp-mod": [
          "CP-02(03)"
        ],
        "general-govramp-high": [
          "CP-02(03)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.6.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2"
        ],
        "general-nist-800-53-r4": [
          "CP-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-02(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CP-02(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-02(03)"
        ],
        "general-nist-800-82-r3": [
          "CP-02(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-02(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-02(03)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-2(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-02(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-2(CE-3)"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.1.2(h)"
        ],
        "emea-isr-cmo-1-0": [
          "21.15",
          "21.16"
        ],
        "emea-sau-ecc-1-2018": [
          "2-9-3-2"
        ],
        "apac-aus-ps-cps-230-2023": [
          "34(e)"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.9"
        ]
      }
    },
    {
      "control_id": "BCD-02.4",
      "title": "Data Storage Location Reviews",
      "family": "BCD",
      "description": "Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive/regulated data.",
      "scf_question": "Does the organization perform periodic security reviews of storage locations that contain sensitive/regulated data?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-23"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners identify business-critical TAASD and External Service Providers (ESPs).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify single points of failure from a TAASD perspective.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform periodic security reviews of storage locations that contain sensitive/regulated data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "small": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "medium": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "large": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments",
        "enterprise": "∙ Business Impact Analysis (BIA)\n∙ Criticality assessments"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF9"
        ],
        "general-nist-800-172": [
          "3.14.5e"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.1.2"
        ],
        "general-shared-assessments-sig-2025": [
          "F.1"
        ]
      }
    },
    {
      "control_id": "BCD-03",
      "title": "Contingency Training",
      "family": "BCD",
      "description": "Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.",
      "scf_question": "Does the organization adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-07"
      ],
      "pptdf": "People",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ NIST NICE Framework\n∙ Tabletop exercises",
        "small": "∙ NIST NICE Framework\n∙ Tabletop exercises",
        "medium": "∙ NIST NICE Framework\n∙ Tabletop exercises",
        "large": "∙ NIST NICE Framework\n∙ Tabletop exercises\n∙ Simulated events",
        "enterprise": "∙ NIST NICE Framework\n∙ Tabletop exercises\n∙ Simulated events"
      },
      "risks": [
        "R-AM-3",
        "R-EX-2",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-3",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS04.06"
        ],
        "general-govramp": [
          "CP-03"
        ],
        "general-govramp-low": [
          "CP-03"
        ],
        "general-govramp-low-plus": [
          "CP-03"
        ],
        "general-govramp-mod": [
          "CP-03"
        ],
        "general-govramp-high": [
          "CP-03"
        ],
        "general-nist-800-53-r4": [
          "CP-3"
        ],
        "general-nist-800-53-r5-2": [
          "CP-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "CP-03"
        ],
        "general-nist-800-82-r3": [
          "CP-03"
        ],
        "general-nist-800-82-r3-low": [
          "CP-03"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-03"
        ],
        "general-nist-800-82-r3-high": [
          "CP-03"
        ],
        "general-nist-800-161-r1": [
          "CP-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CP-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CP-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-03"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-3",
          "CP-3.a",
          "CP-3.b",
          "CP-3.c"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(c)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CP-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-03"
        ],
        "emea-isr-cmo-1-0": [
          "25.3"
        ]
      }
    },
    {
      "control_id": "BCD-03.1",
      "title": "Simulated Events",
      "family": "BCD",
      "description": "Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.",
      "scf_question": "Does the organization incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Tabletop exercises",
        "small": "∙ Tabletop exercises",
        "medium": "∙ Tabletop exercises",
        "large": "∙ Tabletop exercises\n∙ Simulated events",
        "enterprise": "∙ Tabletop exercises\n∙ Simulated events"
      },
      "risks": [
        "R-AM-3",
        "R-EX-2",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-3",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.3"
        ],
        "general-cr-cmm-2026": [
          "CR6.3.1"
        ],
        "general-govramp": [
          "CP-03(01)"
        ],
        "general-govramp-mod": [
          "CP-03(01)"
        ],
        "general-govramp-high": [
          "CP-03(01)"
        ],
        "general-nist-800-53-r4": [
          "CP-3(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-03(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-03(01)"
        ],
        "general-nist-800-82-r3": [
          "CP-03(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-03(01)"
        ],
        "general-nist-800-161-r1": [
          "CP-3(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-3(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-3(1)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-03(01)"
        ],
        "emea-isr-cmo-1-0": [
          "25.4",
          "25.5"
        ],
        "emea-sau-cscc-1-2019": [
          "3-1-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "3-1-1-6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.8"
        ]
      }
    },
    {
      "control_id": "BCD-03.2",
      "title": "Automated Training Environments",
      "family": "BCD",
      "description": "Automated mechanisms exist to provide a more thorough and realistic contingency training environment.",
      "scf_question": "Does the organization use automated mechanisms to provide a more thorough and realistic contingency training environment?",
      "relative_weight": 1,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS) and services.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically provide a more thorough and realistic contingency training environment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic business continuity plan\n∙ Regular data backup",
        "small": "∙ Business continuity plan\n∙ Tested backup and restore procedures",
        "medium": "∙ Formal BCP/DRP program\n∙ Regular backup testing\n∙ Alternate processing capability",
        "large": "∙ Enterprise BCP/DRP program\n∙ DR site\n∙ Annual exercises\n∙ RTO/RPO targets",
        "enterprise": "∙ Enterprise BC/DR platform (e.g., Zerto, Veeam Enterprise)\n∙ Dedicated DR site\n∙ Automated failover\n∙ Annual DR exercises"
      },
      "risks": [
        "R-AM-3",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-3",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR7.2.1"
        ],
        "general-nist-800-53-r4": [
          "CP-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-03(02)"
        ],
        "general-nist-800-82-r3": [
          "CP-03(02)"
        ],
        "emea-isr-cmo-1-0": [
          "25.8"
        ]
      }
    },
    {
      "control_id": "BCD-04",
      "title": "Contingency Plan Testing & Exercises",
      "family": "BCD",
      "description": "Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.",
      "scf_question": "Does the organization conduct tests and/or exercises to evaluate the contingency plan's effectiveness and its readiness to execute the plan?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-06",
        "E-BCM-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS) and services.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Tabletop exercises",
        "small": "∙ Tabletop exercises",
        "medium": "∙ Tabletop exercises",
        "large": "∙ Tabletop exercises\n∙ Simulated events",
        "enterprise": "∙ Tabletop exercises\n∙ Simulated events"
      },
      "risks": [
        "R-AM-3",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-3",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.5-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "A1.3",
          "A1.3-POF1",
          "A1.3-POF2",
          "CC7.5",
          "CC7.5-POF6"
        ],
        "general-cobit-2019": [
          "DSS04.04"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-06",
          "BCR-10",
          "DCS-15"
        ],
        "general-csa-iot-2": [
          "OPA-03",
          "OPA-06"
        ],
        "general-cr-cmm-2026": [
          "CR7.2.2"
        ],
        "general-govramp": [
          "CP-04"
        ],
        "general-govramp-low": [
          "CP-04"
        ],
        "general-govramp-low-plus": [
          "CP-04"
        ],
        "general-govramp-mod": [
          "CP-04"
        ],
        "general-govramp-high": [
          "CP-04"
        ],
        "general-iso-22301-2019": [
          "8.5",
          "8.5(a)",
          "8.5(b)",
          "8.5(c)",
          "8.5(d)",
          "8.5(e)",
          "8.5(f)",
          "8.5(g)"
        ],
        "general-iso-27002-2022": [
          "5.29",
          "5.3"
        ],
        "general-iso-27017-2015": [
          "17.1.3"
        ],
        "general-iso-27018-2025": [
          "5.29",
          "5.30"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P8"
        ],
        "general-nist-800-53-r4": [
          "CP-4"
        ],
        "general-nist-800-53-r5-2": [
          "CP-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CP-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "CP-04"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)"
        ],
        "general-nist-800-82-r3": [
          "CP-04"
        ],
        "general-nist-800-82-r3-low": [
          "CP-04"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-04"
        ],
        "general-nist-800-82-r3-high": [
          "CP-04"
        ],
        "general-nist-800-161-r1": [
          "CP-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CP-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.STEXE"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4i",
          "RESPONSE-4n"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-04"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(ii)(D)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(ii)(D)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-4",
          "CP-4.a",
          "CP-4.b",
          "CP-4.c",
          "CP-4-IS.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-009-6 2.1",
          "CIP-009-6 2.3",
          "CIP-009-6 3.1"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(d)(1)",
          "500.16(d)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-04",
          "CP-04-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CP-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-04"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.4(87)",
          "3.7.4(89)",
          "3.7.4(89)(a)",
          "3.7.4(89)(b)",
          "3.7.4(89)(c)",
          "3.7.4(90)"
        ],
        "emea-eu-dora-2023": [
          "Article 11.4",
          "Article 11.6(a)",
          "Article 11.6(b)",
          "Article 11.6 (end)",
          "Article 24.1",
          "Article 24.2",
          "Article 24.3",
          "Article 24.4",
          "Article 24.5",
          "Article 24.6"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.1.4",
          "4.2.6",
          "4.3.4"
        ],
        "emea-deu-bsrit-2017": [
          "10.4"
        ],
        "emea-deu-c5-2020": [
          "PS-02",
          "PS-06",
          "BCM-04"
        ],
        "emea-isr-cmo-1-0": [
          "25.4",
          "25.6",
          "25.7",
          "25.9",
          "25.23"
        ],
        "emea-sau-otcc-1-2022": [
          "3-1-1-6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-70"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.5.3 [OP.CONT.3]"
        ],
        "emea-uae-niaf-2023": [
          "3.4.1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2503"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2503"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2503"
        ],
        "apac-aus-ps-cps-230-2023": [
          "43",
          "44",
          "45",
          "46"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 34(4)"
        ],
        "apac-ind-sebi-2024": [
          "GV.RM.S3",
          "PR.IP.S11",
          "RC.IM.S2",
          "RC.RP.S3"
        ],
        "apac-jpn-ismap": [
          "17.1.3.2",
          "17.1.3.3"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.2.3",
          "8.3.1",
          "8.3.2",
          "8.3.3(a)",
          "8.3.3(b)",
          "8.3.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.8"
        ],
        "americas-can-osfi-b13-2022": [
          "2.9.3"
        ]
      }
    },
    {
      "control_id": "BCD-04.1",
      "title": "Coordinated Testing with Related Plans",
      "family": "BCD",
      "description": "Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans.",
      "scf_question": "Does the organization coordinate contingency plan testing with internal and external elements responsible for related plans?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to coordinate contingency plan testing with internal and external elements responsible for related plans.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Tabletop exercises",
        "small": "∙ Tabletop exercises",
        "medium": "∙ Tabletop exercises\n∙ Red Team testing\n∙ Penetration testing",
        "large": "∙ Tabletop exercises\n∙ Red Team testing\n∙ Penetration testing",
        "enterprise": "∙ Tabletop exercises\n∙ Red Team testing\n∙ Penetration testing"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR7.2.8"
        ],
        "general-govramp": [
          "CP-04(01)"
        ],
        "general-govramp-mod": [
          "CP-04(01)"
        ],
        "general-govramp-high": [
          "CP-04(01)"
        ],
        "general-nist-800-53-r4": [
          "CP-4(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-04(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-04(01)"
        ],
        "general-nist-800-82-r3": [
          "CP-04(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-04(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-04(01)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-4(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-04(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-04(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-4(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-4(1)"
        ],
        "emea-isr-cmo-1-0": [
          "25.6",
          "25.7"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.3.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.8"
        ]
      }
    },
    {
      "control_id": "BCD-04.2",
      "title": "Alternate Storage & Processing Sites",
      "family": "BCD",
      "description": "Mechanisms exist to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.",
      "scf_question": "Does the organization test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ IT and/or cybersecurity personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS) and services.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A dedicated alternate site(s) is/are equipped to be compatible with the production network's processing, storage, connectivity and other infrastructure needs.\n▪ Alternate sites are given priority of service to meet applicable RTOs and/or RPOs.\n▪ RTOs are used to identify business-critical TAASD, which are given priority of service in alternate processing and storage sites.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Failover testing\n∙ On-site visit to alternate site(s)",
        "small": "∙ Failover testing\n∙ On-site visit to alternate site(s)",
        "medium": "∙ Failover testing\n∙ On-site visit to alternate site(s)",
        "large": "∙ Failover testing\n∙ On-site visit to alternate site(s)",
        "enterprise": "∙ Failover testing\n∙ On-site visit to alternate site(s)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-govramp": [
          "CP-04(02)"
        ],
        "general-govramp-high": [
          "CP-04(02)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-2.1"
        ],
        "general-nist-800-53-r4": [
          "CP-4(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-04(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-04(02)"
        ],
        "general-nist-800-82-r3": [
          "CP-04(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-04(02)"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.2.2(c)"
        ],
        "emea-sau-cscc-1-2019": [
          "3-1-1-1"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.2.4"
        ]
      }
    },
    {
      "control_id": "BCD-05",
      "title": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned",
      "family": "BCD",
      "description": "Mechanisms exist to conduct a Root Cause Analysis (RCA) and \"lessons learned\" activity every time the contingency plan is activated.",
      "scf_question": "Does the organization conduct a Root Cause Analysis (RCA) and \"lessons learned\" activity every time the contingency plan is activated?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct a Root Cause Analysis (RCA) and \"lessons learned\" activity every time the contingency plan is activated.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)",
        "small": "∙ Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)",
        "medium": "∙ Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)",
        "large": "∙ Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)",
        "enterprise": "∙ Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.4-POF10",
          "CC7.5",
          "CC7.5-POF3"
        ],
        "general-cobit-2019": [
          "DSS04.08"
        ],
        "general-govramp": [
          "CP-04"
        ],
        "general-govramp-low": [
          "CP-04"
        ],
        "general-govramp-low-plus": [
          "CP-04"
        ],
        "general-govramp-mod": [
          "CP-04"
        ],
        "general-govramp-high": [
          "CP-04"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.6.3"
        ],
        "general-nist-800-53-r4": [
          "CP-4"
        ],
        "general-nist-800-53-r5-2": [
          "CP-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CP-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "CP-04"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)"
        ],
        "general-nist-800-82-r3": [
          "CP-04"
        ],
        "general-nist-800-82-r3-low": [
          "CP-04"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-04"
        ],
        "general-nist-800-82-r3-high": [
          "CP-04"
        ],
        "general-nist-800-161-r1": [
          "CP-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CP-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-4"
        ],
        "general-nist-csf-2-0": [
          "ID.IM-02",
          "ID.IM-03"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4o"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-04"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(ii)(D)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(ii)(D)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-009-6 3.1.1",
          "CIP-009-6 3.1.2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CP-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-04"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.4(88)",
          "3.7.4(90)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.2",
          "Article 13.2(a)",
          "Article 13.2(b)",
          "Article 13.2(c)",
          "Article 13.2(d)",
          "Article 13.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.1.4"
        ],
        "emea-deu-c5-2020": [
          "BCM-04"
        ],
        "emea-gbr-cap-1850-2020": [
          "D2"
        ],
        "apac-ind-sebi-2024": [
          "RC.IM.S1",
          "RC.IM.S2",
          "RS.AN.S4",
          "RS.AN.S4a",
          "RS.AN.S4b",
          "RS.IM.S1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP64",
          "HML63"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP56"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.8.1",
          "7.8.2",
          "7.8.3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "5.9"
        ]
      }
    },
    {
      "control_id": "BCD-06",
      "title": "Ongoing Contingency Planning",
      "family": "BCD",
      "description": "Mechanisms exist to update contingency plans due to changes affecting:\n(1) People (e.g., personnel changes);\n(2) Processes (e.g., new, altered or decommissioned business practices, including third-party services);\n(3) Technologies (e.g., new, altered or decommissioned technologies);\n(4) Data (e.g., changes to data flows and/or data repositories);\n(5) Facilities (e.g., new, altered or decommissioned physical infrastructure); and/or\n(6) Feedback from contingency plan testing activities.",
      "scf_question": "Does the organization update contingency plans due to changes affecting:\n(1) People (e.g., personnel changes);\n(2) Processes (e.g., new, altered or decommissioned business practices, including third-party services);\n(3) Technologies (e.g., new, altered or decommissioned technologies);\n(4) Data (e.g., changes to data flows and/or data repositories);\n(5) Facilities (e.g., new, altered or decommissioned physical infrastructure); and/or\n(6) Feedback from contingency plan testing activities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Production TAASD support business-critical application and service failover.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to develop BC/DR plans to recover business-critical TAASD.\n▪ Data/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify TAASD that are critical to the business, as well as single points of failure.\n▪ Business stakeholders and process owners designate alternative decision-makers if primary decision-makers are unavailable.\n▪ Within the BC/DR plans, alternate communications channels are defined if primary means of communication are unavailable.\n▪ Recovery Time Objectives (RTOs) are used to identify business-critical TAASD, which are given priority of service in alternate processing and storage sites.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to update contingency plans due to changes affecting:\n(1) People (e.g., personnel changes);\n(2) Processes (e.g., new, altered or decommissioned business practices, including third-party services);\n(3) Technologies (e.g., new, altered or decommissioned technologies);\n(4) Data (e.g., changes to data flows and/or data repositories);\n(5) Facilities (e.g., new, altered or decommissioned physical infrastructure); and/or\n(6) Feedback from contingency plan testing activities.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documentation change control",
        "small": "∙ Documentation change control",
        "medium": "∙ Documentation change control",
        "large": "∙ Documentation change control",
        "enterprise": "∙ Documentation change control"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.5",
          "CC7.5-POF4",
          "CC7.5-POF5"
        ],
        "general-cobit-2019": [
          "DSS04.05"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-04",
          "BCR-09"
        ],
        "general-cr-cmm-2026": [
          "CR7.2.13"
        ],
        "general-govramp": [
          "CP-02"
        ],
        "general-govramp-low": [
          "CP-02"
        ],
        "general-govramp-low-plus": [
          "CP-02"
        ],
        "general-govramp-mod": [
          "CP-02"
        ],
        "general-govramp-high": [
          "CP-02"
        ],
        "general-iso-22301-2019": [
          "6.3",
          "6.3(a)",
          "6.3(b)",
          "8.6",
          "8.6(a)",
          "8.6(b)",
          "8.6(c)",
          "8.6(d)",
          "8.6(e)",
          "10.2"
        ],
        "general-nist-800-53-r4": [
          "CP-2"
        ],
        "general-nist-800-53-r5-2": [
          "CP-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CP-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "CP-02"
        ],
        "general-nist-800-82-r3": [
          "CP-02"
        ],
        "general-nist-800-82-r3-low": [
          "CP-02"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-02"
        ],
        "general-nist-800-82-r3-high": [
          "CP-02"
        ],
        "general-nist-800-161-r1": [
          "CP-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CP-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-2"
        ],
        "general-nist-csf-2-0": [
          "ID.IM-04"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4p"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-02"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-2",
          "CP-2.e"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-009-6 3.1.3",
          "CIP-009-6 3.2.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CP-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-02"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.4(88)",
          "3.7.4(90)"
        ],
        "emea-deu-c5-2020": [
          "BCM-04"
        ],
        "emea-sau-ecc-1-2018": [
          "3-1-4"
        ]
      }
    },
    {
      "control_id": "BCD-06.1",
      "title": "Contingency Planning Components",
      "family": "BCD",
      "description": "Mechanisms exist to identify components that potentially impact the organization's ability to execute contingency plans, including changes to:\n(1) Personnel roles;\n(2) Business processes (including the use of third-party services);\n(3) Deployed technologies; \n(4) Data repositories and/or data flows; and/or\n(5) Physical infrastructure.",
      "scf_question": "Does the organization identify components that potentially impact the organization's ability to execute contingency plans, including changes to:\n(1) Personnel roles;\n(2) Business processes (including the use of third-party services);\n(3) Deployed technologies;\n(4) Data repositories and/or data flows; and/or\n(5) Physical infrastructure?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-17"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify components that potentially impact the organization's ability to execute contingency plans, including changes to:\n(1) Personnel roles;\n(2) Business processes (including the use of third-party services);\n(3) Deployed technologies;\n(4) Data repositories and/or data flows; and/or\n(5) Physical infrastructure.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic business continuity plan\n∙ Regular data backup",
        "small": "∙ Business continuity plan\n∙ Tested backup and restore procedures",
        "medium": "∙ Formal BCP/DRP program\n∙ Regular backup testing\n∙ Alternate processing capability",
        "large": "∙ Enterprise BCP/DRP program\n∙ DR site\n∙ Annual exercises\n∙ RTO/RPO targets",
        "enterprise": "∙ Enterprise BC/DR platform (e.g., Zerto, Veeam Enterprise)\n∙ Dedicated DR site\n∙ Automated failover\n∙ Annual DR exercises"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS04.05"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-04",
          "BCR-09"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-009-6 3.2"
        ]
      }
    },
    {
      "control_id": "BCD-06.2",
      "title": "Contingency Plan Update Notifications",
      "family": "BCD",
      "description": "Mechanisms exist to keep stakeholders informed of changes to contingency plans.",
      "scf_question": "Does the organization keep stakeholders informed of changes to contingency plans?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to keep stakeholders informed of changes to contingency plans.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic business continuity plan\n∙ Regular data backup",
        "small": "∙ Business continuity plan\n∙ Tested backup and restore procedures",
        "medium": "∙ Formal BCP/DRP program\n∙ Regular backup testing\n∙ Alternate processing capability",
        "large": "∙ Enterprise BCP/DRP program\n∙ DR site\n∙ Annual exercises\n∙ RTO/RPO targets",
        "enterprise": "∙ Enterprise BC/DR platform (e.g., Zerto, Veeam Enterprise)\n∙ Dedicated DR site\n∙ Automated failover\n∙ Annual DR exercises"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "BCR-09"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-009-6 3.2.2"
        ]
      }
    },
    {
      "control_id": "BCD-07",
      "title": "Alternative Security Measures",
      "family": "BCD",
      "description": "Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.",
      "scf_question": "Does the organization implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Compensating controls\n∙ Configuration management practices",
        "small": "∙ Compensating controls\n∙ Configuration management practices",
        "medium": "∙ Compensating controls\n∙ Configuration management practices",
        "large": "∙ Compensating controls\n∙ Configuration management practices",
        "enterprise": "∙ Compensating controls\n∙ Configuration management practices"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-2",
        "R-IR-3"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC9.1"
        ],
        "general-cr-cmm-2026": [
          "CR5.1.9"
        ],
        "general-nist-800-53-r4": [
          "CP-13"
        ],
        "general-nist-800-53-r5-2": [
          "CP-13"
        ],
        "general-nist-800-82-r3": [
          "CP-13"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-13"
        ]
      }
    },
    {
      "control_id": "BCD-08",
      "title": "Alternate Storage Site",
      "family": "BCD",
      "description": "Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.",
      "scf_question": "Does the organization establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cloud-based backup storage: AWS S3, Azure Blob Storage, or Backblaze B2\n∙ Off-site backup media storage (e.g., Iron Mountain)",
        "small": "∙ Cloud-based backup storage: AWS S3, Azure Blob Storage, or Backblaze B2\n∙ Off-site backup media storage (e.g., Iron Mountain)",
        "medium": "∙ AWS S3 / Azure Blob / Google Cloud Storage\n∙ Managed backup service (e.g., Veeam Cloud Connect, Acronis Cloud Backup)\n∙ Geographically separated alternate storage site",
        "large": "∙ AWS / Azure / Google Cloud alternate storage region\n∙ Enterprise backup solution with cloud tiering (e.g., Veeam, Commvault)\n∙ Geographically separated alternate storage site with tested recovery",
        "enterprise": "∙ Multi-region cloud storage (AWS, Azure, or Google Cloud)\n∙ Enterprise backup and DR platform (e.g., Commvault, Veeam Enterprise, Zerto)\n∙ Alternate storage site with defined SLAs and tested failover\n∙ NIST SP 800-34 contingency planning alignment"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.2-POF9"
        ],
        "general-govramp": [
          "CP-06"
        ],
        "general-govramp-low-plus": [
          "CP-06"
        ],
        "general-govramp-mod": [
          "CP-06"
        ],
        "general-govramp-high": [
          "CP-06"
        ],
        "general-iso-27002-2022": [
          "8.14"
        ],
        "general-iso-27017-2015": [
          "17.2.1"
        ],
        "general-iso-27018-2025": [
          "8.14"
        ],
        "general-mitre-att&ck-16-1": [
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1119",
          "T1486",
          "T1565",
          "T1565.001"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-2.1"
        ],
        "general-nist-800-53-r4": [
          "CP-6"
        ],
        "general-nist-800-53-r5-2": [
          "CP-06",
          "PE-23"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-23"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-06"
        ],
        "general-nist-800-82-r3": [
          "CP-06",
          "PE-23"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-06"
        ],
        "general-nist-800-82-r3-high": [
          "CP-06"
        ],
        "general-nist-800-161-r1": [
          "CP-6",
          "PE-23"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PE-23"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-6",
          "PE-23"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-6",
          "PE-23"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-06",
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-06",
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-23"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-6",
          "CP-6.a",
          "CP-6.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-06"
        ],
        "emea-deu-bsrit-2017": [
          "10.5"
        ],
        "emea-deu-c5-2020": [
          "PSS-12"
        ],
        "emea-isr-cmo-1-0": [
          "11.7",
          "25.7",
          "25.10"
        ],
        "emea-sau-cscc-1-2019": [
          "3-1-1-1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.8 [MP.IF.8]",
          "8.3.4 [MP.EQ.4]",
          "8.4.4 [MP.COM.4]",
          "8.8.4 [MP.S.4]"
        ]
      }
    },
    {
      "control_id": "BCD-08.1",
      "title": "Separation from Primary Storage Site",
      "family": "BCD",
      "description": "Mechanisms exist to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.",
      "scf_question": "Does the organization separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)",
        "small": "∙ Continuity of Operations Plan (COOP)",
        "medium": "∙ Continuity of Operations Plan (COOP)",
        "large": "∙ Continuity of Operations Plan (COOP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed",
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "CP-06(01)"
        ],
        "general-govramp-mod": [
          "CP-06(01)"
        ],
        "general-govramp-high": [
          "CP-06(01)"
        ],
        "general-nist-800-53-r4": [
          "CP-6(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-06(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-06(01)"
        ],
        "general-nist-800-82-r3": [
          "CP-06(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-06(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-06(01)"
        ],
        "general-nist-800-161-r1": [
          "CP-6(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-6(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-6(1)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-6(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-06(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-06(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-6(1)"
        ],
        "emea-deu-c5-2020": [
          "OPS-09"
        ],
        "emea-isr-cmo-1-0": [
          "25.11"
        ]
      }
    },
    {
      "control_id": "BCD-08.2",
      "title": "Primary Storage Site Accessibility",
      "family": "BCD",
      "description": "Mechanisms exist to identify and mitigate potential accessibility problems to the alternate storage sites in the event of an area-wide disruption or disaster.",
      "scf_question": "Does the organization identify and mitigate potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and mitigate potential accessibility problems to the alternate storage sites in the event of an area-wide disruption or disaster.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)",
        "small": "∙ Continuity of Operations Plan (COOP)",
        "medium": "∙ Continuity of Operations Plan (COOP)",
        "large": "∙ Continuity of Operations Plan (COOP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "CP-06(03)"
        ],
        "general-govramp-mod": [
          "CP-06(03)"
        ],
        "general-govramp-high": [
          "CP-06(03)"
        ],
        "general-nist-800-53-r4": [
          "CP-6(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-06(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-06(03)"
        ],
        "general-nist-800-82-r3": [
          "CP-06(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-06(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-06(03)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-6(3)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-06(03)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-6(3)"
        ],
        "emea-isr-cmo-1-0": [
          "25.13"
        ]
      }
    },
    {
      "control_id": "BCD-09",
      "title": "Alternate Processing Site",
      "family": "BCD",
      "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
      "scf_question": "Does the organization establish an alternate processing site that provides security measures equivalent to that of the primary site?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cloud-based alternate processing (AWS, Azure, or Google Cloud)\n∙ Documented recovery procedures to cloud fallback",
        "small": "∙ Cloud-based alternate processing (AWS, Azure, or Google Cloud)\n∙ Basic DR runbooks and cloud failover procedures",
        "medium": "∙ Cloud-based warm/hot site (AWS, Azure, GCP)\n∙ Managed DR service (e.g., AWS Elastic Disaster Recovery, Azure Site Recovery)\n∙ Documented and tested failover procedures",
        "large": "∙ AWS Elastic Disaster Recovery or Azure Site Recovery\n∙ Cloud-based or colocation alternate processing site\n∙ Regular failover testing with documented RTO/RPO validation",
        "enterprise": "∙ Enterprise DR platform with automated failover (e.g., Zerto, Veeam Replication, AWS DRS)\n∙ Geographically separate alternate processing site (cloud or colocation)\n∙ Regularly tested failover with RTO/RPO compliance verification\n∙ NIST SP 800-34 contingency planning alignment"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.2-POF10"
        ],
        "general-cr-cmm-2026": [
          "CR10.2.5"
        ],
        "general-govramp": [
          "CP-07"
        ],
        "general-govramp-core": [
          "CP-07"
        ],
        "general-govramp-low-plus": [
          "CP-07"
        ],
        "general-govramp-mod": [
          "CP-07"
        ],
        "general-govramp-high": [
          "CP-07"
        ],
        "general-iso-27002-2022": [
          "8.14"
        ],
        "general-iso-27017-2015": [
          "17.2.1"
        ],
        "general-iso-27018-2025": [
          "8.14"
        ],
        "general-mitre-att&ck-16-1": [
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1119",
          "T1485",
          "T1486",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1561",
          "T1561.001",
          "T1561.002",
          "T1565",
          "T1565.001"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-2.1"
        ],
        "general-nist-800-53-r4": [
          "CP-7"
        ],
        "general-nist-800-53-r5-2": [
          "CP-07",
          "PE-23"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-23"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-07"
        ],
        "general-nist-800-82-r3": [
          "CP-07",
          "PE-23"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-07"
        ],
        "general-nist-800-82-r3-high": [
          "CP-07"
        ],
        "general-nist-800-161-r1": [
          "CP-7",
          "PE-23"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PE-23"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-7",
          "PE-23"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-7",
          "PE-23"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-07",
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-07",
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-23"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-7",
          "CP-7.a",
          "CP-7.b",
          "CP-7.c",
          "CP-7-IS.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-07"
        ],
        "emea-eu-dora-2023": [
          "Article 12.5",
          "Article 12.5(a)",
          "Article 12.5(b)",
          "Article 12.5(c)"
        ],
        "emea-deu-bsrit-2017": [
          "10.5"
        ],
        "emea-deu-c5-2020": [
          "PSS-12"
        ],
        "emea-isr-cmo-1-0": [
          "11.7",
          "25.7",
          "25.10"
        ],
        "emea-sau-cscc-1-2019": [
          "3-1-1-1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.8 [MP.IF.8]",
          "8.3.4 [MP.EQ.4]",
          "8.8.4 [MP.S.4]"
        ],
        "apac-jpn-ismap": [
          "17.2",
          "17.2.1",
          "17.2.1.1",
          "17.2.1.2",
          "17.2.1.3"
        ]
      }
    },
    {
      "control_id": "BCD-09.1",
      "title": "Separation from Primary Processing Site",
      "family": "BCD",
      "description": "Mechanisms exist to separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats.",
      "scf_question": "Does the organization separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)",
        "small": "∙ Continuity of Operations Plan (COOP)",
        "medium": "∙ Continuity of Operations Plan (COOP)",
        "large": "∙ Continuity of Operations Plan (COOP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed",
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "CP-07(01)"
        ],
        "general-govramp-mod": [
          "CP-07(01)"
        ],
        "general-govramp-high": [
          "CP-07(01)"
        ],
        "general-nist-800-53-r4": [
          "CP-7(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-07(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-07(01)"
        ],
        "general-nist-800-82-r3": [
          "CP-07(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-07(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-07(01)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-7(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-07(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-07(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-7(1)"
        ],
        "emea-eu-dora-2023": [
          "Article 12.5(a)"
        ],
        "emea-deu-c5-2020": [
          "OPS-09"
        ],
        "emea-isr-cmo-1-0": [
          "25.11"
        ]
      }
    },
    {
      "control_id": "BCD-09.2",
      "title": "Alternate Processing Site Accessibility",
      "family": "BCD",
      "description": "Mechanisms exist to identify and mitigate potential accessibility problems to the alternate processing sites and possible mitigation actions, in the event of an area-wide disruption or disaster.",
      "scf_question": "Does the organization identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and mitigate potential accessibility problems to the alternate processing sites and possible mitigation actions, in the event of an area-wide disruption or disaster.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)",
        "small": "∙ Continuity of Operations Plan (COOP)",
        "medium": "∙ Continuity of Operations Plan (COOP)",
        "large": "∙ Continuity of Operations Plan (COOP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "CP-07(02)"
        ],
        "general-govramp-mod": [
          "CP-07(02)"
        ],
        "general-govramp-high": [
          "CP-07(02)"
        ],
        "general-nist-800-53-r4": [
          "CP-7(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-07(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-07(02)"
        ],
        "general-nist-800-66-r2": [
          "164.310(a)"
        ],
        "general-nist-800-82-r3": [
          "CP-07(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-07(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-07(02)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-7(2)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-07(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-07(02)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(a)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(a)(2)(i)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-7(2)"
        ],
        "emea-eu-dora-2023": [
          "Article 12.5(c)"
        ],
        "emea-isr-cmo-1-0": [
          "25.13"
        ]
      }
    },
    {
      "control_id": "BCD-09.3",
      "title": "Alternate Site Priority of Service",
      "family": "BCD",
      "description": "Mechanisms exist to address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs).",
      "scf_question": "Does the organization address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-04"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Priority-of-service contract provisions for hot / warm / cold sites.",
        "small": "∙ Priority-of-service contract provisions for hot / warm / cold sites.",
        "medium": "∙ Priority-of-service contract provisions for hot / warm / cold sites.",
        "large": "∙ Priority-of-service contract provisions for hot / warm / cold sites.",
        "enterprise": "∙ Priority-of-service contract provisions for hot / warm / cold sites."
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "CP-07(03)"
        ],
        "general-govramp-mod": [
          "CP-07(03)"
        ],
        "general-govramp-high": [
          "CP-07(03)"
        ],
        "general-nist-800-53-r4": [
          "CP-7(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-07(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-07(03)"
        ],
        "general-nist-800-82-r3": [
          "CP-07(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-07(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-07(03)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-7(3)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-07(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-07(03)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-7(3)"
        ],
        "emea-isr-cmo-1-0": [
          "25.12",
          "21.14"
        ]
      }
    },
    {
      "control_id": "BCD-09.4",
      "title": "Preparation for Use",
      "family": "BCD",
      "description": "Mechanisms exist to prepare the alternate processing alternate to support essential missions and business functions so that the alternate site is capable of being used as the primary site.",
      "scf_question": "Does the organization prepare the alternate processing alternate to support essential missions and business functions so that the alternate site is capable of being used as the primary site?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prepare the alternate processing alternate to support essential missions and business functions so that the alternate site is capable of being used as the primary site.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)",
        "small": "∙ Continuity of Operations Plan (COOP)",
        "medium": "∙ Continuity of Operations Plan (COOP)",
        "large": "∙ Continuity of Operations Plan (COOP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-govramp": [
          "CP-07(04)"
        ],
        "general-govramp-high": [
          "CP-07(04)"
        ],
        "general-nist-800-53-r4": [
          "CP-7(4)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-07(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-07(04)"
        ],
        "general-nist-800-82-r3": [
          "CP-07(04)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-07(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-07(04)"
        ]
      }
    },
    {
      "control_id": "BCD-09.5",
      "title": "Inability to Return to Primary Site",
      "family": "BCD",
      "description": "Mechanisms exist to plan and prepare for both natural and manmade circumstances that preclude returning to the primary site.",
      "scf_question": "Does the organization plan and prepare for both natural and manmade circumstances that preclude returning to the primary processing site?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to plan and prepare for both natural and manmade circumstances that preclude returning to the primary site.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)",
        "small": "∙ Continuity of Operations Plan (COOP)",
        "medium": "∙ Continuity of Operations Plan (COOP)",
        "large": "∙ Continuity of Operations Plan (COOP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "CP-7(6)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-07(06)"
        ],
        "general-nist-800-82-r3": [
          "CP-07(06)"
        ]
      }
    },
    {
      "control_id": "BCD-10",
      "title": "Telecommunications Services Availability",
      "family": "BCD",
      "description": "Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.",
      "scf_question": "Does the organization reduce the likelihood of a single point of failure with primary telecommunications services?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to reduce the likelihood of a single point of failure with primary telecommunications services.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Alternate / redundant telecommunications services are maintained with more than one telecom / Internet provider.",
        "small": "∙ Alternate / redundant telecommunications services are maintained with more than one telecom / Internet provider.",
        "medium": "∙ Alternate / redundant telecommunications services are maintained with more than one telecom / Internet provider.",
        "large": "∙ Alternate / redundant telecommunications services are maintained with more than one telecom / Internet provider.",
        "enterprise": "∙ Alternate / redundant telecommunications services are maintained with more than one telecom / Internet provider."
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "CP-08",
          "CP-08(02)"
        ],
        "general-govramp-core": [
          "CP-08",
          "CP-08(02)"
        ],
        "general-govramp-low-plus": [
          "CP-08"
        ],
        "general-govramp-mod": [
          "CP-08",
          "CP-08(02)"
        ],
        "general-govramp-high": [
          "CP-08",
          "CP-08(02)"
        ],
        "general-nist-800-53-r4": [
          "CP-8",
          "CP-8(2)",
          "CP-11"
        ],
        "general-nist-800-53-r5-2": [
          "CP-08",
          "CP-08(02)",
          "CP-11"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-08",
          "CP-08(02)"
        ],
        "general-nist-800-82-r3": [
          "CP-08",
          "CP-08(02)",
          "CP-11"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-08",
          "CP-08(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-08",
          "CP-08(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-11"
        ],
        "general-nist-800-161-r1": [
          "CP-8",
          "CP-11"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-8",
          "CP-11"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-8",
          "CP-11"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-8",
          "CP-8(2)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-08",
          "CP-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-08",
          "CP-08(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-8",
          "CP-8-IS.a",
          "CP-8-IS.b",
          "CP-8(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-08",
          "CP-11"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-08"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-isr-cmo-1-0": [
          "21.14",
          "25.16"
        ]
      }
    },
    {
      "control_id": "BCD-10.1",
      "title": "Telecommunications Priority of Service Provisions",
      "family": "BCD",
      "description": "Mechanisms exist to formalize primary and alternate telecommunications service agreements contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).",
      "scf_question": "Does the organization formalize primary and alternate telecommunications service agreements contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-04"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to formalize primary and alternate telecommunications service agreements contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Priority-of-service contract provisions for hot / warm / cold sites.",
        "small": "∙ Priority-of-service contract provisions for hot / warm / cold sites.",
        "medium": "∙ Priority-of-service contract provisions for hot / warm / cold sites.",
        "large": "∙ Priority-of-service contract provisions for hot / warm / cold sites.",
        "enterprise": "∙ Priority-of-service contract provisions for hot / warm / cold sites."
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "CP-08(01)"
        ],
        "general-govramp-core": [
          "CP-08(01)"
        ],
        "general-govramp-mod": [
          "CP-08(01)"
        ],
        "general-govramp-high": [
          "CP-08(01)"
        ],
        "general-nist-800-53-r4": [
          "CP-8(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-08(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-08(01)"
        ],
        "general-nist-800-82-r3": [
          "CP-08(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-08(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-08(01)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-8(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-08(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-8(1)",
          "CP-8(1).a",
          "CP-8(1).b"
        ],
        "emea-isr-cmo-1-0": [
          "21.14",
          "25.17"
        ]
      }
    },
    {
      "control_id": "BCD-10.2",
      "title": "Separation of Primary / Alternate Providers",
      "family": "BCD",
      "description": "Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.",
      "scf_question": "Does the organization obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)",
        "small": "∙ Continuity of Operations Plan (COOP)",
        "medium": "∙ Continuity of Operations Plan (COOP)",
        "large": "∙ Continuity of Operations Plan (COOP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-govramp": [
          "CP-08(03)"
        ],
        "general-govramp-high": [
          "CP-08(03)"
        ],
        "general-nist-800-53-r4": [
          "CP-8(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-08(03)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-08(03)"
        ],
        "general-nist-800-82-r3": [
          "CP-08(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-08(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-08(03)"
        ],
        "general-nist-800-161-r1": [
          "CP-8(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-8(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-8(3)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-08(03)"
        ]
      }
    },
    {
      "control_id": "BCD-10.3",
      "title": "Provider Contingency Plan",
      "family": "BCD",
      "description": "Mechanisms exist to contractually-require external service providers to have contingency plans that meet organizational contingency requirements.",
      "scf_question": "Does the organization contractually-require external service providers to have contingency plans that meet organizational contingency requirements?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to contractually-require external service providers to have contingency plans that meet organizational contingency requirements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "BCR-03"
        ],
        "general-govramp": [
          "CP-08(04)"
        ],
        "general-govramp-high": [
          "CP-08(04)"
        ],
        "general-nist-800-53-r4": [
          "CP-8(4)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-08(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-08(04)"
        ],
        "general-nist-800-82-r3": [
          "CP-08(04)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-08(04)"
        ],
        "general-nist-800-161-r1": [
          "CP-8(4)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-8(4)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-8(4)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-08(04)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.3(86)"
        ]
      }
    },
    {
      "control_id": "BCD-10.4",
      "title": "Alternate Communications Channels",
      "family": "BCD",
      "description": "Mechanisms exist to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.",
      "scf_question": "Does the organization maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)",
        "small": "∙ Continuity of Operations Plan (COOP)",
        "medium": "∙ Continuity of Operations Plan (COOP)",
        "large": "∙ Continuity of Operations Plan (COOP)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-EX-1",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR5.2.6"
        ],
        "general-nist-800-53-r5-2": [
          "SC-47"
        ],
        "general-nist-800-82-r3": [
          "SC-47"
        ],
        "general-nist-800-82-r3-high": [
          "SC-47"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-47"
        ],
        "general-nist-800-161-r1": [
          "SC-47"
        ],
        "general-nist-800-161-r1-level-1": [
          "SC-47"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-47"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-47"
        ],
        "general-shared-assessments-sig-2025": [
          "K.4"
        ],
        "general-sparta": [
          "CM0070"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.3.2(b)"
        ]
      }
    },
    {
      "control_id": "BCD-11",
      "title": "Data Backups",
      "family": "BCD",
      "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
      "scf_question": "Does the organization create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?",
      "relative_weight": 10,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-BCM-10",
        "E-BCM-11",
        "E-BCM-12",
        "E-BCM-13"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ Backups are performed ad hoc and focus on business-critical Technology Assets, Applications, Services and/or Data (TAASD).\n▪ IT and/or cybersecurity personnel use a backup methodology (e.g., grandfather, father & son rotation) to create backups to support business needs (e.g., Recovery Time Objectives).\n▪ Limited technologies exist to conduct full, incremental or differential backups (e.g., tape/disk, hybrid cloud or direct-to-cloud).\n▪ Backups of sensitive/regulated data are cryptographically protected to prevent the unauthorized disclosure and modification of backup information.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Appropriate TAASD exist to conduct full, incremental and/or differential backups (e.g., tape/disk, hybrid cloud or direct-to-cloud).\n▪ IT personnel configure business-critical Technology Assets, Applications and/or Services to transfer backup data to the alternate site(s) at a rate that is capable of meeting RTOs and RPOs.\n▪ The backup methodology is sufficient to support RTOs and RPOs for critical business functions.\n▪ IT personnel store backups in a secondary location, separate from the primary storage site (e.g., cloud-based storage).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "4": "In addition to Business Continuity & Disaster Recovery (BCD) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Disaster Recovery Plan (DRP)\n∙ 3-2-1 backup rule (3 copies, 2 media types, 1 offsite)\n∙ Cloud backup service (e.g., Backblaze B2, iDrive, Veeam Agent Free)",
        "small": "∙ Disaster Recovery Plan (DRP)\n∙ 3-2-1 backup strategy (on-site + off-site/cloud)\n∙ Cloud backup service (e.g., Acronis, Veeam, Azure Backup)",
        "medium": "∙ Disaster Recovery Plan (DRP)\n∙ 3-2-1-1 backup strategy (including immutable/offsite copy)\n∙ Enterprise backup solution (e.g., Veeam Backup & Replication, Acronis Cyber Backup)",
        "large": "∙ Disaster Recovery Plan (DRP)\n∙ Immutable backup copies (air-gapped or object-locked S3/Azure Blob)\n∙ Enterprise backup platform (e.g., Veeam, Commvault, Cohesity)\n∙ Automated backup testing and alerting",
        "enterprise": "∙ Disaster Recovery Plan (DRP)\n∙ Enterprise backup platform with immutable storage (e.g., Commvault, Veeam, Rubrik)\n∙ Ransomware-resilient backup architecture (air-gap or immutable)\n∙ Automated backup validation and recovery testing\n∙ Backup data encrypted at rest and in transit"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.2-POF7",
          "A1.2-POF8",
          "CC7.5"
        ],
        "general-cis-csc-8-1": [
          "11.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "11.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "11.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "11.2"
        ],
        "general-cobit-2019": [
          "APO14.10",
          "DSS04.07"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-08"
        ],
        "general-govramp": [
          "CP-09"
        ],
        "general-govramp-core": [
          "CP-09"
        ],
        "general-govramp-low": [
          "CP-09"
        ],
        "general-govramp-low-plus": [
          "CP-09"
        ],
        "general-govramp-mod": [
          "CP-09"
        ],
        "general-govramp-high": [
          "CP-09"
        ],
        "general-iec-62443-2-1-2024": [
          "AVAIL 2.1",
          "AVAIL 2.2"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.3 RE 2"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 7.3"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.1",
          "3.5.3.7"
        ],
        "general-iso-27002-2022": [
          "8.13"
        ],
        "general-iso-27017-2015": [
          "12.3.1"
        ],
        "general-iso-27018-2025": [
          "8.13"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.003",
          "T1005",
          "T1025",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1119",
          "T1485",
          "T1485.001",
          "T1486",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1561",
          "T1561.001",
          "T1561.002",
          "T1565",
          "T1565.001",
          "T1565.003"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.3"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P3"
        ],
        "general-nist-800-53-r4": [
          "CP-9",
          "SC-28(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-09",
          "SC-28(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-28(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "CP-09"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)",
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "CP-09",
          "SC-28(02)"
        ],
        "general-nist-800-82-r3-low": [
          "CP-09"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-09"
        ],
        "general-nist-800-82-r3-high": [
          "CP-09"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-09"
        ],
        "general-nist-800-171-r2": [
          "3.8.9"
        ],
        "general-nist-800-171-r3": [
          "03.08.09.a"
        ],
        "general-nist-800-171a": [
          "3.8.9"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-11"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.1.1",
          "9.4.1.2",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.1.1",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.1.1",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.1.1",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.1.1",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.1.1",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.1.1",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.1.1",
          "9.4.1.2",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.1.1",
          "9.4.1.2",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.4.1.1",
          "12.10.1"
        ],
        "general-shared-assessments-sig-2025": [
          "K.1"
        ],
        "general-sparta": [
          "CM0056"
        ],
        "general-tisax-6-0-3": [
          "5.2.9"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.BRECO"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.R"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-9"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4b",
          "RESPONSE-4j"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-09",
          "SC-28(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-09",
          "SC-28(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-09",
          "SC-28(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-09",
          "SC-28(02)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(ii)(A)",
          "164.310(d)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(ii)(A)",
          "164.310(d)(2)(iv)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-9"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-9",
          "CP-9.a",
          "CP-9.b",
          "CP-9.c",
          "CP-9.d",
          "CP-9-IS.1",
          "CP-9-IS.2",
          "CP-9-IS.3",
          "CP-9-IS.4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-009-6 1.3",
          "CIP-009-6 1.4"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)(2)(v)",
          "500.16(e)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-06-SID",
          "CP-09"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CP-09"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-09"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(57)"
        ],
        "emea-eu-dora-2023": [
          "Article 12.1",
          "Article 12.1(a)",
          "Article 12.1(b)",
          "Article 12.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.1.2(g)",
          "4.2.1",
          "4.2.2(b)",
          "4.2.2(c)",
          "4.2.2(f)"
        ],
        "emea-deu-bsrit-2017": [
          "8.7"
        ],
        "emea-deu-c5-2020": [
          "OPS-06"
        ],
        "emea-isr-cmo-1-0": [
          "25.9"
        ],
        "emea-sau-cscc-1-2019": [
          "2-8-1-2",
          "2-8-1-3"
        ],
        "emea-sau-cgiot-2024": [
          "2-8-1",
          "2-8-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-9-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-8",
          "2-8-1",
          "2-8-1-1",
          "2-8-1-2",
          "2-8-1-3",
          "2-8-1-4",
          "2-8-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-64"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 26"
        ],
        "emea-esp-decree-311-2022": [
          "26"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.7.7 [MP.INFO.7]"
        ],
        "emea-gbr-caf-4-0": [
          "B5.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2504",
          "2505"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2504"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2505"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2505"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P8",
          "ML2-P8",
          "ML3-P8"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0859",
          "ISM-0991",
          "ISM-1511",
          "ISM-1547",
          "ISM-1548",
          "ISM-1810",
          "ISM-1811"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 34(3)"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S7",
          "PR.IP.S8",
          "RC.RP.S4"
        ],
        "apac-jpn-ismap": [
          "12.3",
          "12.3.1",
          "12.3.1.1",
          "12.3.1.2",
          "12.3.1.3",
          "12.3.1.4",
          "12.3.1.5",
          "12.3.1.11",
          "12.3.1.12",
          "12.3.1.13",
          "12.3.1.14",
          "12.3.1.16.P",
          "12.3.1.17.P",
          "12.3.1.18.P",
          "12.3.1.21.P",
          "12.3.1.24.P"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP17",
          "HHSP56",
          "HHSP69",
          "HML17",
          "HML56",
          "HML68"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS11"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP15",
          "HSUP48",
          "HSUP60"
        ],
        "apac-nzl-ism-3-9": [
          "6.4.6.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.4.1",
          "8.4.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.14"
        ],
        "americas-can-osfi-b13-2022": [
          "2.9.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.09.A"
        ]
      }
    },
    {
      "control_id": "BCD-11.1",
      "title": "Testing for Reliability & Integrity",
      "family": "BCD",
      "description": "Mechanisms exist to routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data.",
      "scf_question": "Does the organization routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ A random sampling of backups is tested at least annually to verify integrity and recoverability of backed up data.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel test a random sampling of backups at least semi-annually to verify integrity and recoverability of backed up data.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Randomized data recovery testing",
        "small": "∙ Randomized data recovery testing",
        "medium": "∙ Randomized data recovery testing",
        "large": "∙ Randomized data recovery testing",
        "enterprise": "∙ Randomized data recovery testing"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.5-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.3-POF2",
          "CC7.5"
        ],
        "general-cis-csc-8-1": [
          "11.3",
          "11.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "11.3",
          "11.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "11.3",
          "11.5"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-08"
        ],
        "general-cr-cmm-2026": [
          "CR10.4.4"
        ],
        "general-govramp": [
          "CP-09(01)"
        ],
        "general-govramp-low-plus": [
          "CP-09(01)"
        ],
        "general-govramp-mod": [
          "CP-09(01)"
        ],
        "general-govramp-high": [
          "CP-09(01)"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 7.3(1)"
        ],
        "general-iso-27002-2022": [
          "8.13"
        ],
        "general-iso-27017-2015": [
          "12.3.1"
        ],
        "general-iso-27018-2025": [
          "8.13"
        ],
        "general-nist-800-53-r4": [
          "CP-9(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-09(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-09(01)"
        ],
        "general-nist-800-82-r3": [
          "CP-09(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-09(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-09(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-09(01)"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-11"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.R"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-9(1)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4b"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-09(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-09(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-9(1)",
          "CP-9(1)-IS.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-009-6 1.4",
          "CIP-009-6 2.2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(e)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-09 (01)"
        ],
        "emea-eu-dora-2023": [
          "Article 12.2",
          "Article 12.7"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.2.2(b)"
        ],
        "emea-deu-c5-2020": [
          "OPS-06",
          "OPS-07",
          "OPS-08"
        ],
        "emea-isr-cmo-1-0": [
          "25.9",
          "25.19"
        ],
        "emea-sau-cscc-1-2019": [
          "2-8-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-8-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-9-3-3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2504",
          "2505"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2504"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2505"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2505"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1515"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S8"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP57",
          "HHSP69",
          "HML57",
          "HML68"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS11"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP49",
          "HSUP60"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.4.3"
        ]
      }
    },
    {
      "control_id": "BCD-11.2",
      "title": "Separate Storage for Critical Information",
      "family": "BCD",
      "description": "Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.",
      "scf_question": "Does the organization store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-08",
        "E-BCM-11",
        "E-BCM-12",
        "E-BCM-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ Backup copies of software or licenses/product keys are stored locally in a fire-rated container.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Disaster Recovery Plan (DRP)\n∙ On-site data backup solution\n∙ Off-site data backup service",
        "small": "∙ Disaster Recovery Plan (DRP)\n∙ On-site data backup solution\n∙ Off-site data backup service",
        "medium": "∙ Disaster Recovery Plan (DRP)\n∙ On-site data backup solution\n∙ Off-site data backup service",
        "large": "∙ Disaster Recovery Plan (DRP)\n∙ On-site data backup solution\n∙ Off-site data backup service",
        "enterprise": "∙ Disaster Recovery Plan (DRP)\n∙ On-site data backup solution\n∙ Off-site data backup service"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.2-POF9"
        ],
        "general-govramp": [
          "CP-09(03)"
        ],
        "general-govramp-mod": [
          "CP-09(03)"
        ],
        "general-govramp-high": [
          "CP-09(03)"
        ],
        "general-iec-62443-2-1-2024": [
          "AVAIL 2.4"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.3"
        ],
        "general-iso-27002-2022": [
          "8.13"
        ],
        "general-iso-27017-2015": [
          "12.3.1"
        ],
        "general-iso-27018-2025": [
          "8.13"
        ],
        "general-nist-800-53-r4": [
          "CP-9(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-09(03)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-09(03)"
        ],
        "general-nist-800-82-r3": [
          "CP-09(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-09(03)"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.4.1.1"
        ],
        "general-shared-assessments-sig-2025": [
          "K.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.R"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4k"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-09(03)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-09(3)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(58)"
        ],
        "emea-eu-dora-2023": [
          "Article 12.3"
        ],
        "emea-deu-c5-2020": [
          "OPS-06",
          "PSS-12"
        ],
        "emea-isr-cmo-1-0": [
          "25.20"
        ],
        "emea-sau-otcc-1-2022": [
          "2-8-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-38"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2505"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2505"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2505"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P8",
          "ML2-P8",
          "ML3-P8"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1811"
        ],
        "apac-jpn-ismap": [
          "8.3.1.7",
          "12.3.1.6",
          "12.3.1.7",
          "12.3.1.23.P"
        ]
      }
    },
    {
      "control_id": "BCD-11.3",
      "title": "Recovery Images",
      "family": "BCD",
      "description": "Mechanisms exist to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.",
      "scf_question": "Does the organization reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Virtual machine snapshots\n∙ Acronis (https://acronis.com)\n∙ Veeam Agent Free (https://veeam.com)",
        "small": "∙ Virtual machine snapshots\n∙ Acronis (https://acronis.com)\n∙ Veeam Backup & Replication (https://veeam.com)",
        "medium": "∙ Virtual machine snapshots\n∙ Acronis Cyber Backup (https://acronis.com)\n∙ Docker container images (https://docker.com)\n∙ Veeam (https://veeam.com)",
        "large": "∙ Virtual machine / container image management\n∙ Acronis (https://acronis.com)\n∙ Docker / Kubernetes image management\n∙ Veeam (https://veeam.com)\n∙ Golden image management and hardening process",
        "enterprise": "∙ Enterprise VM/container image management (e.g., Commvault, Veeam, Rubrik)\n∙ Infrastructure as Code (IaC) for rapid environment rebuild (Terraform, Ansible)\n∙ Immutable golden image pipeline with automated build and testing\n∙ Container image registry with vulnerability scanning (e.g., Harbor, AWS ECR)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cr-cmm-2026": [
          "CR10.2.6"
        ],
        "emea-deu-c5-2020": [
          "OPS-09"
        ],
        "emea-isr-cmo-1-0": [
          "25.12",
          "25.22"
        ]
      }
    },
    {
      "control_id": "BCD-11.4",
      "title": "Cryptographic Protection",
      "family": "BCD",
      "description": "Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information.",
      "scf_question": "Are cryptographic mechanisms utilized to prevent the unauthorized disclosure and/or modification of backup information?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-16"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Backups for sensitive/regulated data are cryptographically protected (encrypted and integrity checked) to prevent the unauthorized disclosure and modification of backup information.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to prevent the unauthorized disclosure and/or modification of backup information.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Data-at-rest cryptography",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Data-at-rest cryptography",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Data-at-rest cryptography",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Data-at-rest cryptography",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Data-at-rest cryptography"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cis-csc-8-1": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "11.3"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-08"
        ],
        "general-govramp": [
          "SC-28(01)"
        ],
        "general-govramp-mod": [
          "SC-28(01)"
        ],
        "general-govramp-high": [
          "SC-28(01)"
        ],
        "general-iec-62443-2-1-2024": [
          "AVAIL 2.4"
        ],
        "general-iso-27002-2022": [
          "8.13"
        ],
        "general-iso-27017-2015": [
          "12.3.1"
        ],
        "general-iso-27018-2025": [
          "8.13"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.3"
        ],
        "general-nist-800-53-r5-2": [
          "CP-09(08)",
          "SC-28(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-28(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-09(08)",
          "SC-28(01)"
        ],
        "general-nist-800-82-r3": [
          "CP-09(08)",
          "SC-28(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-09(08)",
          "SC-28(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-09(08)",
          "SC-28(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-09(08)",
          "SC-28(01)"
        ],
        "general-nist-800-171-r2": [
          "3.8.9"
        ],
        "general-nist-800-171-r3": [
          "03.08.09.a",
          "03.08.09.b"
        ],
        "general-nist-800-171a": [
          "3.8.9"
        ],
        "general-nist-800-171a-r3": [
          "A.03.08.09.a",
          "A.03.08.09.b"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-9(8)",
          "SC-28(1)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4j"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-09(08)",
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-09(08)",
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-28(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-9(CE-8)",
          "SC-28(CE-1)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(e)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-09 (08)",
          "SC-28 (01)"
        ],
        "emea-isr-cmo-1-0": [
          "25.18"
        ],
        "emea-sau-cscc-1-2019": [
          "2-8-1-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-8-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-65"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2506"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2506"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2506"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS11"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.4.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.09.A",
          "03.08.09.B"
        ]
      }
    },
    {
      "control_id": "BCD-11.5",
      "title": "Test Restoration Using Sampling",
      "family": "BCD",
      "description": "Mechanisms exist to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing.",
      "scf_question": "Does the organization utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-15"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel perform a random sampling of backups is tested at least semi-annually to verify integrity and recoverability of backed up data.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Randomized data recovery testing",
        "small": "∙ Randomized data recovery testing",
        "medium": "∙ Randomized data recovery testing",
        "large": "∙ Randomized data recovery testing",
        "enterprise": "∙ Randomized data recovery testing"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.5-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "A1.3-POF2"
        ],
        "general-cis-csc-8-1": [
          "11.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "11.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "11.5"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-06",
          "BCR-08"
        ],
        "general-govramp": [
          "CP-09(02)"
        ],
        "general-govramp-high": [
          "CP-09(02)"
        ],
        "general-iec-62443-2-1-2024": [
          "AVAIL 2.3"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.3 RE 1"
        ],
        "general-nist-800-53-r4": [
          "CP-9(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-09(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-09(02)"
        ],
        "general-nist-800-82-r3": [
          "CP-09(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-09(02)"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-11"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-09(02)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-09(2)"
        ],
        "emea-eu-dora-2023": [
          "Article 12.2",
          "Article 12.7"
        ],
        "emea-sau-cscc-1-2019": [
          "3-1-1-3"
        ],
        "emea-sau-cgiot-2024": [
          "2-8-3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2505"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2505"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2505"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P8",
          "ML2-P8",
          "ML3-P8"
        ],
        "apac-jpn-ismap": [
          "12.3.1.8",
          "12.3.1.9",
          "12.3.1.10",
          "12.3.1.20.P",
          "12.3.1.22.P"
        ]
      }
    },
    {
      "control_id": "BCD-11.6",
      "title": "Transfer to Alternate Storage Site",
      "family": "BCD",
      "description": "Mechanisms exist to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
      "scf_question": "Does the organization transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "4": "In addition to Business Continuity & Disaster Recovery (BCD) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2-POF9"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-03"
        ],
        "general-govramp": [
          "CP-09(05)"
        ],
        "general-govramp-high": [
          "CP-09(05)"
        ],
        "general-nist-800-53-r4": [
          "CP-9(5)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-09(05)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-09(05)"
        ],
        "general-nist-800-82-r3": [
          "CP-09(05)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-09(05)"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-11"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-09(05)"
        ],
        "emea-eu-dora-2023": [
          "Article 12.3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-8-1-4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2506"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2506"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2506"
        ]
      }
    },
    {
      "control_id": "BCD-11.7",
      "title": "Redundant Secondary System",
      "family": "BCD",
      "description": "Mechanisms exist to maintain a failover capability, which is not collocated with the primary Technology Asset, Application and/or Service (TAAS), which can be activated with little-to-no loss of information or disruption to operations.",
      "scf_question": "Does the organization maintain a failover capability, which is not collocated with the primary Technology Asset, Application and/or Service (TAAS), which can be activated with little-to-no loss of information or disruption to operations?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a failover capability, which is not collocated with the primary Technology Asset, Application and/or Service (TAAS), which can be activated with little-to-no loss of information or disruption to operations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)",
        "small": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)",
        "medium": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)",
        "large": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)",
        "enterprise": "∙ Continuity of Operations Plan (COOP)\n∙ Recovery Time Objectives (RTOs) \n∙ Recovery Point Objectives (RPOs)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "BCR-03",
          "BCR-11"
        ],
        "general-iso-27002-2022": [
          "8.14"
        ],
        "general-iso-27017-2015": [
          "17.2.1"
        ],
        "general-iso-27018-2025": [
          "8.14"
        ],
        "general-nist-800-53-r4": [
          "CP-9(6)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-09(06)"
        ],
        "general-nist-800-82-r3": [
          "CP-09(06)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-09(06)"
        ],
        "emea-eu-dora-2023": [
          "Article 12.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.1.2(g)",
          "4.2.1",
          "4.2.4(a)",
          "4.2.4(b)",
          "4.2.4(d)",
          "13.1.2(b)"
        ],
        "emea-deu-c5-2020": [
          "PS-02"
        ],
        "emea-sau-otcc-1-2022": [
          "3-1-1-2"
        ]
      }
    },
    {
      "control_id": "BCD-11.8",
      "title": "Dual Authorization For Backup Media Destruction",
      "family": "BCD",
      "description": "Mechanisms exist to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.",
      "scf_question": "Does the organization implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce dual authorization for the deletion or destruction of sensitive backup media and data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "medium": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "large": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "enterprise": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-2",
        "R-GV-3",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR10.2.4"
        ],
        "general-nist-800-53-r4": [
          "CP-9(7)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-09(07)"
        ],
        "general-nist-800-82-r3": [
          "CP-09(07)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-09(07)"
        ]
      }
    },
    {
      "control_id": "BCD-11.9",
      "title": "Backup Access",
      "family": "BCD",
      "description": "Mechanisms exist to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.",
      "scf_question": "Does the organization restrict access to backups to privileged users with assigned roles for data backup and recovery operations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "medium": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "large": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "enterprise": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "OR-1.3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4j"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.2.2(d)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-50"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P8",
          "ML2-P8",
          "ML3-P8"
        ]
      }
    },
    {
      "control_id": "BCD-11.10",
      "title": "Backup Modification and/or Destruction",
      "family": "BCD",
      "description": "Mechanisms exist to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.",
      "scf_question": "Does the organization restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC) (e.g., rights to modify or delete backups limited to a named backup operator role)\n∙ Physical Access Control (PAC)",
        "small": "∙ Logical Access Control (LAC) (e.g., rights to modify or delete backups limited to a named backup operator role)\n∙ Physical Access Control (PAC)",
        "medium": "∙ Logical Access Control (LAC) (e.g., dedicated backup operator role with separate privileged credentials)\n∙ Physical Access Control (PAC)\n∙ Immutable / Write Once Read Many (WORM) backup storage with retention locks",
        "large": "∙ Logical Access Control (LAC) (e.g., dedicated backup operator role with separate privileged credentials and Multi-Factor Authentication (MFA))\n∙ Physical Access Control (PAC)\n∙ Immutable / Write Once Read Many (WORM) backup storage with retention locks\n∙ Logging and alerting on backup modification and deletion events",
        "enterprise": "∙ Logical Access Control (LAC) (e.g., dedicated backup operator role with separate privileged credentials and Multi-Factor Authentication (MFA))\n∙ Physical Access Control (PAC)\n∙ Immutable / Write Once Read Many (WORM) backup storage with retention locks\n∙ Separation of duties between backup administrators and production system administrators\n∙ Logging and alerting on backup modification and deletion events"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "apac-aus-essential-8-2024": [
          "ML1-P8",
          "ML2-P8",
          "ML3-P8"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP56",
          "HML56"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP48"
        ]
      }
    },
    {
      "control_id": "BCD-12",
      "title": "Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution",
      "family": "BCD",
      "description": "Mechanisms exist to ensure the secure recovery and reconstitution of Technology Assets, Applications and/or Services (TAAS) to a known state after a disruption, compromise or failure.",
      "scf_question": "Does the organization ensure the secure recovery and reconstitution of Technology Assets, Applications and/or Services (TAAS) to a known state after a disruption, compromise or failure?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-15"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the secure recovery and reconstitution of Technology Assets, Applications and/or Services (TAAS) to a known state after a disruption, compromise or failure.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Virtual machines\n∙ Acronis (https://acronis.com)\n∙ Documented system recovery runbooks",
        "small": "∙ Virtual machines\n∙ Acronis (https://acronis.com)\n∙ Docker (https://docker.com)\n∙ Documented system recovery runbooks and checklists",
        "medium": "∙ Virtual machines\n∙ Docker (https://docker.com)\n∙ Acronis Cyber Backup (https://acronis.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Documented and tested recovery runbooks",
        "large": "∙ Enterprise DR platform (e.g., Veeam, Zerto, AWS DRS)\n∙ Docker (https://docker.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Tested recovery runbooks with RTO/RPO validation",
        "enterprise": "∙ Enterprise recovery and reconstitution platform (e.g., Commvault, Veeam Enterprise, Rubrik)\n∙ Automated recovery orchestration (e.g., Zerto, AWS DRS)\n∙ IaC-based reconstitution (Terraform, Ansible)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Regularly tested recovery with documented evidence"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2",
          "CC7.5",
          "CC7.5-POF1"
        ],
        "general-cis-csc-8-1": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "11.3"
        ],
        "general-cobit-2019": [
          "APO14.10",
          "DSS04.07"
        ],
        "general-csa-iot-2": [
          "OPA-06"
        ],
        "general-cr-cmm-2026": [
          "CR10.2.6"
        ],
        "general-govramp": [
          "CP-10"
        ],
        "general-govramp-core": [
          "CP-10"
        ],
        "general-govramp-low": [
          "CP-10"
        ],
        "general-govramp-low-plus": [
          "CP-10"
        ],
        "general-govramp-mod": [
          "CP-10"
        ],
        "general-govramp-high": [
          "CP-10"
        ],
        "general-iec-62443-2-1-2024": [
          "AVAIL 1.3",
          "AVAIL 2.5"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.4"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 7.4"
        ],
        "general-mitre-att&ck-16-1": [
          "T1485",
          "T1485.001",
          "T1486",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1561",
          "T1561.001",
          "T1561.002",
          "T1565",
          "T1565.001"
        ],
        "general-nist-800-53-r4": [
          "CP-10"
        ],
        "general-nist-800-53-r5-2": [
          "CP-10"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CP-10"
        ],
        "general-nist-800-53-r5-2-low": [
          "CP-10"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)"
        ],
        "general-nist-800-82-r3": [
          "CP-10"
        ],
        "general-nist-800-82-r3-low": [
          "CP-10"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-10"
        ],
        "general-nist-800-82-r3-high": [
          "CP-10"
        ],
        "general-nist-csf-2-0": [
          "RC",
          "RC.RP-01",
          "RC.RP-05"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CP-10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-10"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CP-10"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(ii)(B)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(ii)(B)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-10",
          "CP-10-IS.1",
          "CP-10-IS.1.a",
          "CP-10-IS.1.b",
          "CP-10-IS.1.c",
          "CP-10-IS.1.d",
          "CP-10-IS.1.e"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CP-10"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CP-10"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CP-10"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.3(83)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.2.2(e)"
        ],
        "emea-isr-cmo-1-0": [
          "25.9",
          "25.12",
          "25.22"
        ],
        "emea-sau-cscc-1-2019": [
          "2-8-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-12-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-4-3-3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "4202"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "4202"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S7"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP17",
          "HML17"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP15"
        ]
      }
    },
    {
      "control_id": "BCD-12.1",
      "title": "Transaction Recovery",
      "family": "BCD",
      "description": "Mechanisms exist to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based Technology Assets, Applications and/or Services (TAAS) in accordance with Recovery Point Objectives (RPOs).",
      "scf_question": "Does the organization utilize specialized backup mechanisms that will allow transaction recovery for transaction-based Technology Assets, Applications and/or Services (TAAS) in accordance with Recovery Point Objectives (RPOs)?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ Backups are performed ad hoc and focus on business-critical Technology Assets, Applications, Services and/or Data (TAASD).\n▪ IT and/or cybersecurity personnel use a backup methodology (e.g., grandfather, father & son rotation) to create backups to support business needs (e.g., Recovery Time Objectives).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based Technology Assets, Applications and/or Services (TAAS) in accordance with Recovery Point Objectives (RPOs).",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic business continuity plan with a defined Recovery Point Objective (RPO) for transaction-based systems\n∙ Regular data backups, including database transaction log backups to support Point-in-Time Recovery (PITR)",
        "small": "∙ Business continuity plan with defined RPOs for transaction-based systems\n∙ Database transaction log backups and journaling to support Point-in-Time Recovery (PITR)\n∙ Tested backup and restore procedures, including restore to a specific point in time",
        "medium": "∙ Formal BCP/DRP program with documented RPOs for transaction-based systems\n∙ Transaction journaling and rollback (e.g., database transaction log shipping or replication)\n∙ Regular restore testing that validates recovery to a specific point in time\n∙ Alternate processing capability",
        "large": "∙ Enterprise BCP/DRP program\n∙ Transaction log shipping or continuous database replication to a DR site\n∙ Annual exercises that measure RPO attainment for transaction-based systems\n∙ RTO/RPO targets",
        "enterprise": "∙ Enterprise BC/DR platform (e.g., Zerto, Veeam Enterprise)\n∙ Continuous Data Protection (CDP) and/or synchronous or asynchronous database replication\n∙ Dedicated DR site\n∙ Automated failover\n∙ Annual DR exercises with measured RPO attainment"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "CP-10(02)"
        ],
        "general-govramp-low-plus": [
          "CP-10(02)"
        ],
        "general-govramp-mod": [
          "CP-10(02)"
        ],
        "general-govramp-high": [
          "CP-10(02)"
        ],
        "general-nist-800-53-r4": [
          "CP-10(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-10(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CP-10(02)"
        ],
        "general-nist-800-82-r3": [
          "CP-10(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-10(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-10(02)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CP-10(2)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CP-10(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-10(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "CP-10(CE-2)"
        ],
        "emea-isr-cmo-1-0": [
          "25.9",
          "25.21"
        ],
        "emea-sau-ecc-1-2018": [
          "2-4-3-3"
        ]
      }
    },
    {
      "control_id": "BCD-12.2",
      "title": "Failover Capability",
      "family": "BCD",
      "description": "Mechanisms exist to implement real-time or near-real-time failover capability to maintain availability of critical Technology Assets, Applications, Services and/or Data (TAASD).",
      "scf_question": "Does the organization implement real-time or near-real-time failover capability to maintain availability of critical Technology Assets, Applications, Services and/or Data (TAASD)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ Backups are performed ad hoc and focus on business-critical Technology Assets, Applications, Services and/or Data (TAASD).\n▪ IT and/or cybersecurity personnel use a backup methodology (e.g., grandfather, father & son rotation) to create backups to support business needs (e.g., Recovery Time Objectives).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement real-time or near-real-time failover capability to maintain availability of critical TAASD.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Load balancers\n∙ High Availability (HA) network appliances (e.g., firewalls, routers, switches, etc.)",
        "small": "∙ Load balancers\n∙ High Availability (HA) network appliances (e.g., firewalls, routers, switches, etc.)",
        "medium": "∙ Load balancers\n∙ High Availability (HA) network appliances (e.g., firewalls, routers, switches, etc.)",
        "large": "∙ Load balancers\n∙ High Availability (HA) network appliances (e.g., firewalls, routers, switches, etc.)",
        "enterprise": "∙ Load balancers\n∙ High Availability (HA) network appliances (e.g., firewalls, routers, switches, etc.)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-03",
          "BCR-11"
        ],
        "general-csa-iot-2": [
          "OPA-03",
          "OPA-06"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.10(b)",
          "CR 7.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PT-P4"
        ],
        "general-nist-800-53-r4": [
          "CP-10(5)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-13"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-13"
        ],
        "general-nist-800-82-r3": [
          "SI-13"
        ],
        "general-nist-800-82-r3-high": [
          "SI-13"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-13"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-13"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-13"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-13"
        ],
        "emea-eu-dora-2023": [
          "Article 12.4"
        ],
        "emea-isr-cmo-1-0": [
          "12.26",
          "25.12"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-43"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "4202"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "4202"
        ]
      }
    },
    {
      "control_id": "BCD-12.3",
      "title": "Electronic Discovery (eDiscovery)",
      "family": "BCD",
      "description": "Mechanisms exist to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions.",
      "scf_question": "Does the organization utilize electronic discovery (eDiscovery) that covers current and archived communication transactions?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Purview",
        "small": "∙ Microsoft Purview",
        "medium": "∙ Microsoft Purview\n∙ OpenText (https://opentext.com)",
        "large": "∙ Microsoft Purview\n∙ OpenText (https://opentext.com)",
        "enterprise": "∙ Microsoft Purview\n∙ OpenText (https://opentext.com)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.MCQUE"
        ],
        "apac-nzl-ism-3-9": [
          "11.3.13.C.01",
          "11.3.13.C.02",
          "11.3.13.C.03"
        ]
      }
    },
    {
      "control_id": "BCD-12.4",
      "title": "Restore Within Time Period",
      "family": "BCD",
      "description": "Mechanisms exist to restore Technology Assets, Applications, Services and/or Data (TAASD) within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.",
      "scf_question": "Does the organization restore Technology Assets, Applications, Services and/or Data (TAASD) within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).\n▪ Backups are performed ad-hoc and focus on business-critical Technology Assets, Applications, Services and/or Data (TAASD).\n▪ IT and/or cybersecurity personnel use a backup methodology (e.g., grandfather, father & son rotation) to create backups to support business needs (e.g., Recovery Time Objectives).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restore TAASD within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Virtual machines\n∙ Acronis (https://acronis.com)",
        "small": "∙ Virtual machines\n∙ Docker (https://docker.com)\n∙ Acronis (https://acronis.com)",
        "medium": "∙ Virtual machines\n∙ Docker (https://docker.com)\n∙ Acronis (https://acronis.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Docker (https://docker.com)",
        "large": "∙ Virtual machines\n∙ Docker (https://docker.com)\n∙ Acronis (https://acronis.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Docker (https://docker.com)",
        "enterprise": "∙ Virtual machines\n∙ Docker (https://docker.com)\n∙ Acronis (https://acronis.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Docker (https://docker.com)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "BCR-03"
        ],
        "general-govramp": [
          "CP-10(04)"
        ],
        "general-govramp-high": [
          "CP-10(04)"
        ],
        "general-iec-62443-2-1-2024": [
          "AVAIL 1.3"
        ],
        "general-nist-800-53-r4": [
          "CP-10(4)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-10(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-10(04)"
        ],
        "general-nist-800-82-r3": [
          "CP-10(04)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-10(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-10(04)"
        ]
      }
    },
    {
      "control_id": "BCD-13",
      "title": "Backup & Restoration Hardware Protection",
      "family": "BCD",
      "description": "Mechanisms exist to protect backup and restoration hardware and software.",
      "scf_question": "Does the organization protect backup and restoration hardware and software?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-10",
        "E-GOV-11"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect backup and restoration hardware and software.",
        "4": "Business Continuity & Disaster Recovery (BCD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "medium": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "large": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "enterprise": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.5"
        ],
        "general-cis-csc-8-1": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "11.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "11.3"
        ],
        "general-nist-800-53-r4": [
          "CP-10(6)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-10(06)"
        ],
        "general-nist-800-82-r3": [
          "CP-10(06)"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-10(06)"
        ],
        "general-nist-800-82-r3-high": [
          "CP-10(06)"
        ],
        "general-nist-csf-2-0": [
          "RC.RP-03"
        ],
        "general-shared-assessments-sig-2025": [
          "K.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.2.2(e)",
          "4.2.3"
        ],
        "emea-isr-cmo-1-0": [
          "25.12",
          "25.18"
        ]
      }
    },
    {
      "control_id": "BCD-13.1",
      "title": "Restoration Integrity Verification",
      "family": "BCD",
      "description": "Mechanisms exist to verify the integrity of backups and other restoration assets prior to using them for restoration.",
      "scf_question": "Does the organization verify the integrity of backups and other restoration assets prior to using them for restoration?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-10",
        "E-GOV-11"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to verify the integrity of backups and other restoration assets prior to using them for restoration.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic business continuity plan\n∙ Regular data backup",
        "small": "∙ Business continuity plan\n∙ Tested backup and restore procedures",
        "medium": "∙ Formal BCP/DRP program\n∙ Regular backup testing\n∙ Alternate processing capability",
        "large": "∙ Enterprise BCP/DRP program\n∙ DR site\n∙ Annual exercises\n∙ RTO/RPO targets",
        "enterprise": "∙ Enterprise BC/DR platform (e.g., Zerto, Veeam Enterprise)\n∙ Dedicated DR site\n∙ Automated failover\n∙ Annual DR exercises"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR10.4.4"
        ],
        "general-nist-csf-2-0": [
          "RC.RP-03"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.2.3"
        ]
      }
    },
    {
      "control_id": "BCD-14",
      "title": "Isolated Recovery Environment",
      "family": "BCD",
      "description": "Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.",
      "scf_question": "Does the organization utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Business Continuity & Disaster Recovery (BCD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Business Continuity / Disaster Recovery (BC/DR)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ BC/DR may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic business continuity plan\n∙ Regular data backup",
        "small": "∙ Business continuity plan\n∙ Tested backup and restore procedures",
        "medium": "∙ Dedicated recovery environment",
        "large": "∙ Dedicated recovery environment",
        "enterprise": "∙ Dedicated recovery environment"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "11.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "11.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "11.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "11.4"
        ],
        "general-cr-cmm-2026": [
          "CR10.2.4"
        ],
        "general-shared-assessments-sig-2025": [
          "K.1"
        ]
      }
    },
    {
      "control_id": "BCD-15",
      "title": "Reserve Hardware",
      "family": "BCD",
      "description": "Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption.",
      "scf_question": "Does the organization purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic business continuity plan\n∙ Regular data backup",
        "small": "∙ Business continuity plan\n∙ Tested backup and restore procedures",
        "medium": "∙ Dedicated recovery environment\n∙ Dedicated recovery hardware",
        "large": "∙ Dedicated recovery environment\n∙ Dedicated recovery hardware",
        "enterprise": "∙ Dedicated recovery environment\n∙ Dedicated recovery hardware"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-4c",
          "RESPONSE-4l"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1789"
        ]
      }
    },
    {
      "control_id": "BCD-16",
      "title": "AI & Autonomous Technologies Incidents",
      "family": "BCD",
      "description": "Mechanisms exist to handle failures or incidents with Artificial Intelligence (AI) and Autonomous Technologies (AAT) deemed to be high-risk.",
      "scf_question": "Does the organization handle failures or incidents with Artificial Intelligence (AI) and Autonomous Technologies (AAT) deemed to be high-risk?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Business Continuity & Disaster Recovery (BCD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with BCD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Contingency management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Business Continuity & Disaster Recovery (BCD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with BCD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with BCD domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with BCD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to handle failures or incidents with Artificial Intelligence (AI) and Autonomous Technologies (AAT) deemed to be high-risk.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)\n∙ Legal review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "small": "∙ Incident Response Plan (IRP)\n∙ Legal review\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "medium": "∙ Incident Response Plan (IRP)\n∙ Legal review\n∙ Steering committee\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "large": "∙ Incident Response Plan (IRP)\n∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program",
        "enterprise": "∙ Incident Response Plan (IRP)\n∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)\n∙ Artificial Intelligence (AI) / autonomous technologies governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Business Continuity & Disaster Recovery",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "GOVERN 6.2"
        ],
        "general-shared-assessments-sig-2025": [
          "R.8"
        ]
      }
    },
    {
      "control_id": "CAP-01",
      "title": "Capacity & Performance Management",
      "family": "CAP",
      "description": "Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.",
      "scf_question": "Does the organization facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CAP-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Capability & Performance Planning (CAP) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CAP domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Capability management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with business stakeholders to identify growth requirements and add capacity accordingly.",
        "2": "Capability & Performance Planning (CAP) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Capability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Capability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Capability & Performance Planning (CAP) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.",
        "4": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manual resource monitoring\n∙ ManageEngine OpManager (https://manageengine.com)",
        "small": "∙ Manual resource monitoring\n∙ ManageEngine OpManager (https://manageengine.com)",
        "medium": "∙ Manual resource monitoring\n∙ ManageEngine OpManager (https://manageengine.com)\n∙ Splunk (https://splunk.com)\n∙ Solarwinds (https://solarwinds.com)",
        "large": "∙ ManageEngine OpManager (https://manageengine.com)\n∙ Splunk (https://splunk.com)\n∙ Solarwinds (https://solarwinds.com)",
        "enterprise": "∙ Splunk (https://splunk.com)\n∙ Solarwinds (https://solarwinds.com)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Capacity & Performance Planning",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.1",
          "A1.1-POF1",
          "A1.1-POF3"
        ],
        "general-cobit-2019": [
          "BAI04.04",
          "BAI04.05"
        ],
        "general-csa-cmm-4-1-0": [
          "I&S-02"
        ],
        "general-csa-iot-2": [
          "SNT-03"
        ],
        "general-govramp": [
          "SC-05"
        ],
        "general-govramp-low": [
          "SC-05"
        ],
        "general-govramp-low-plus": [
          "SC-05"
        ],
        "general-govramp-mod": [
          "SC-05"
        ],
        "general-govramp-high": [
          "SC-05"
        ],
        "general-iec-62443-2-1-2024": [
          "AVAIL 1.2"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.2"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 7.2"
        ],
        "general-iso-27002-2022": [
          "8.6"
        ],
        "general-iso-27017-2015": [
          "12.1.3"
        ],
        "general-iso-27018-2025": [
          "8.6"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P4"
        ],
        "general-nist-800-53-r4": [
          "SC-5",
          "SC-5(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-05",
          "SC-05(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-05"
        ],
        "general-nist-800-82-r3": [
          "SC-05",
          "SC-05(03)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-05"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-05"
        ],
        "general-nist-800-82-r3-high": [
          "SC-05"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-05(03)"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-04"
        ],
        "general-shared-assessments-sig-2025": [
          "K.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EC:SG4.SP1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-3i"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "7.1.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-05"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-5"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(f)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-05"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(56)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "8.8"
        ],
        "emea-deu-c5-2020": [
          "OPS-01",
          "OPS-02",
          "OPS-03"
        ],
        "emea-isr-cmo-1-0": [
          "25.2"
        ],
        "emea-zaf-popia-2013": [
          "19.1",
          "19.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.1.4 [OP.PL.4]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1579",
          "ISM-1580",
          "ISM-1581"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S3"
        ],
        "apac-jpn-ismap": [
          "12.1.3",
          "12.1.3.1",
          "12.1.3.2",
          "12.1.3.3",
          "12.1.3.4",
          "12.1.3.5",
          "12.1.3.6",
          "12.1.3.7",
          "12.1.3.8"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP61",
          "HML61"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP53"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.1.1"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.1"
        ],
        "americas-can-osfi-b13-2022": [
          "2",
          "2.8.2"
        ]
      }
    },
    {
      "control_id": "CAP-02",
      "title": "Resource Priority",
      "family": "CAP",
      "description": "Mechanisms exist to control resource utilization of Technology Assets, Applications and/or Services (TAAS) that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources.",
      "scf_question": "Does the organization control resource utilization of Technology Assets, Applications and/or Services (TAAS) that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CAP-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Capability & Performance Planning (CAP) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CAP domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Capability management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with business stakeholders to identify growth requirements and add capacity accordingly.",
        "2": "Capability & Performance Planning (CAP) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Capability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Capability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel work with business stakeholders and process owners to create and maintain infrastructure performance metrics to understand current resource needs.",
        "3": "Capability & Performance Planning (CAP) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to control resource utilization of Technology Assets, Applications and/or Services (TAAS) that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources.",
        "4": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Monitor system resource usage periodically",
        "small": "∙ Capacity monitoring for critical systems\n∙ Resource usage baseline",
        "medium": "∙ Capacity planning process\n∙ Performance monitoring tools",
        "large": "∙ Enterprise capacity management program\n∙ Performance monitoring platform (e.g., Dynatrace, New Relic)",
        "enterprise": "∙ Enterprise capacity management platform\n∙ APM tools (e.g., Dynatrace, Datadog)\n∙ Automated scaling"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Capacity & Performance Planning",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.1"
        ],
        "general-csa-iot-2": [
          "OPA-08",
          "OPA-09"
        ],
        "general-govramp": [
          "SC-05",
          "SC-06"
        ],
        "general-govramp-low": [
          "SC-05"
        ],
        "general-govramp-low-plus": [
          "SC-05"
        ],
        "general-govramp-mod": [
          "SC-05",
          "SC-06"
        ],
        "general-govramp-high": [
          "SC-05",
          "SC-06"
        ],
        "general-mitre-att&ck-16-1": [
          "T1564.009"
        ],
        "general-nist-800-53-r4": [
          "SC-5",
          "SC-5(1)",
          "SC-5(2)",
          "SC-6"
        ],
        "general-nist-800-53-r5-2": [
          "SC-05",
          "SC-05(01)",
          "SC-05(02)",
          "SC-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-05",
          "SC-05(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-05"
        ],
        "general-nist-800-82-r3": [
          "SC-05",
          "SC-05(01)",
          "SC-05(02)",
          "SC-06"
        ],
        "general-nist-800-82-r3-low": [
          "SC-05"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-05"
        ],
        "general-nist-800-82-r3-high": [
          "SC-05"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-05(02)"
        ],
        "general-nist-800-161-r1": [
          "SC-5",
          "SC-5(2)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-5(2)"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-04"
        ],
        "general-shared-assessments-sig-2025": [
          "N.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-05",
          "SC-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-05",
          "SC-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-05",
          "SC-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-05",
          "SC-05(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-5",
          "SC-6"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-05"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1579",
          "ISM-1580",
          "ISM-1581"
        ]
      }
    },
    {
      "control_id": "CAP-03",
      "title": "Capacity Planning",
      "family": "CAP",
      "description": "Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations.",
      "scf_question": "Does the organization conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CAP-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Capability & Performance Planning (CAP) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Capability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Capability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel work with business stakeholders and process owners to create and maintain infrastructure performance metrics to understand current resource needs.",
        "3": "Capability & Performance Planning (CAP) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations.",
        "4": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Monitor system resource usage periodically",
        "small": "∙ Capacity monitoring for critical systems\n∙ Resource usage baseline",
        "medium": "∙ Capacity planning process\n∙ Performance monitoring tools",
        "large": "∙ Enterprise capacity management program\n∙ Performance monitoring platform (e.g., Dynatrace, New Relic)",
        "enterprise": "∙ Enterprise capacity management platform\n∙ APM tools (e.g., Dynatrace, Datadog)\n∙ Automated scaling"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Capacity & Performance Planning",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.1",
          "A1.1-POF2"
        ],
        "general-csa-cmm-4-1-0": [
          "I&S-02"
        ],
        "general-govramp": [
          "CP-02(02)",
          "SC-05"
        ],
        "general-govramp-low": [
          "SC-05"
        ],
        "general-govramp-low-plus": [
          "SC-05"
        ],
        "general-govramp-mod": [
          "CP-02(02)",
          "SC-05"
        ],
        "general-govramp-high": [
          "CP-02(02)",
          "SC-05"
        ],
        "general-iso-27002-2022": [
          "8.6"
        ],
        "general-iso-27017-2015": [
          "12.1.3"
        ],
        "general-iso-27018-2025": [
          "8.6"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P4"
        ],
        "general-nist-800-53-r4": [
          "SC-5",
          "SC-5(2)",
          "CP-2(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CP-02(02)",
          "SC-05",
          "SC-05(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-05",
          "SC-05(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-05"
        ],
        "general-nist-800-53-r5-2-high": [
          "CP-02(02)"
        ],
        "general-nist-800-82-r3": [
          "CP-02(02)",
          "SC-05",
          "SC-05(02)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-05"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-05"
        ],
        "general-nist-800-82-r3-high": [
          "CP-02(02)",
          "SC-05"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-05(02)"
        ],
        "general-nist-800-161-r1": [
          "CP-2(2)",
          "SC-5(2)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CP-2(2)",
          "SC-5(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CP-2(2)"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-04"
        ],
        "general-shared-assessments-sig-2025": [
          "N.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-5"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "7.1.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-05",
          "SC-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-05",
          "SC-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CP-02(02)",
          "SC-05",
          "SC-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-05",
          "SC-05(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CP-2(2)",
          "SC-5"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-05"
        ],
        "emea-deu-bsrit-2017": [
          "8.8"
        ],
        "emea-deu-c5-2020": [
          "OPS-01",
          "OPS-02",
          "OPS-03"
        ],
        "emea-isr-cmo-1-0": [
          "25.2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1579",
          "ISM-1580",
          "ISM-1581"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.1.3"
        ],
        "americas-can-osfi-b13-2022": [
          "2.8.2"
        ]
      }
    },
    {
      "control_id": "CAP-04",
      "title": "Performance Monitoring",
      "family": "CAP",
      "description": "Automated mechanisms exist to centrally-monitor and alert on the operating state and health status of critical Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization use automated mechanisms to centrally-monitor and alert on the operating state and health status of critical Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 7,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-CAP-03"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Capability & Performance Planning (CAP) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Capability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Capability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel work with business stakeholders and process owners to create and maintain infrastructure performance metrics to understand current resource needs.",
        "3": "Capability & Performance Planning (CAP) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically centrally-monitor and alert on the operating state and health status of critical Technology Assets, Applications and/or Services (TAAS).",
        "4": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ ManageEngine OpManager (https://manageengine.com)",
        "small": "∙ ManageEngine OpManager (https://manageengine.com)",
        "medium": "∙ ManageEngine OpManager (https://manageengine.com)\n∙ Splunk (https://splunk.com)\n∙ Solarwinds (https://solarwinds.com)",
        "large": "∙ ManageEngine OpManager (https://manageengine.com)\n∙ Splunk (https://splunk.com)\n∙ Solarwinds (https://solarwinds.com)",
        "enterprise": "∙ Splunk (https://splunk.com)\n∙ Solarwinds (https://solarwinds.com)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-6",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Capacity & Performance Planning",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.1-POF1"
        ],
        "general-csa-iot-2": [
          "SNT-03"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-04"
        ],
        "emea-deu-bsrit-2017": [
          "8.8"
        ],
        "apac-ind-sebi-2024": [
          "DE.CM.S4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.1"
        ],
        "americas-can-osfi-b13-2022": [
          "2.8.2"
        ]
      }
    },
    {
      "control_id": "CAP-05",
      "title": "Elastic Expansion",
      "family": "CAP",
      "description": "Mechanisms exist to automatically scale the resources available for Technology Assets, Applications and/or Services (TAAS), as demand conditions change.",
      "scf_question": "Does the organization automatically scale the resources available for Technology Assets, Applications and/or Services (TAAS), as demand conditions change?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CAP-04"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Capability & Performance Planning (CAP) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically scale the resources available for Technology Assets, Applications and/or Services (TAAS), as demand conditions change.",
        "4": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Monitor system resource usage periodically",
        "small": "∙ Capacity monitoring for critical systems\n∙ Resource usage baseline",
        "medium": "∙ Capacity planning process\n∙ Performance monitoring tools",
        "large": "∙ Enterprise capacity management program\n∙ Performance monitoring platform (e.g., Dynatrace, New Relic)",
        "enterprise": "∙ Enterprise capacity management platform\n∙ APM tools (e.g., Dynatrace, Datadog)\n∙ Automated scaling"
      },
      "risks": [
        "R-BC-1",
        "R-BC-3",
        "R-GV-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-2",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Capacity & Performance Planning",
      "crosswalks": {
        "general-nist-csf-2-0": [
          "PR.IR-04"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.RE.EEXPS"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "7.1.1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1579"
        ]
      }
    },
    {
      "control_id": "CAP-06",
      "title": "Regional Delivery",
      "family": "CAP",
      "description": "Mechanisms exist to support operations that are geographically dispersed via regional delivery of technological Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization support operations that are geographically dispersed via regional delivery of technological Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Capability & Performance Planning (CAP) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CAP domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Capability management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with business stakeholders to identify growth requirements and add capacity accordingly.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Capability & Performance Planning (CAP) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CAP domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CAP domain capabilities are well-documented and kept current by process owners.\n▪ A Business Continuity & Disaster Recovery (BC/DR) team, or similar function, is appropriately staffed and supported to implement and maintain BCD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of BC/DR operations (e.g., BC/DR planning software, Disaster Recovery as a Service (DRaaS), Orchestration and Automation Tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CAP domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to support operations that are geographically dispersed via regional delivery of technological Technology Assets, Applications and/or Services (TAAS).",
        "4": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Capability & Performance Planning (CAP) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Monitor system resource usage periodically",
        "small": "∙ Capacity monitoring for critical systems\n∙ Resource usage baseline",
        "medium": "∙ Capacity planning process\n∙ Performance monitoring tools",
        "large": "∙ Enterprise capacity management program\n∙ Performance monitoring platform (e.g., Dynatrace, New Relic)",
        "enterprise": "∙ Enterprise capacity management platform\n∙ APM tools (e.g., Dynatrace, Datadog)\n∙ Automated scaling"
      },
      "risks": [
        "R-BC-1",
        "R-BC-3",
        "R-GV-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Capacity & Performance Planning",
      "crosswalks": {
        "general-csa-iot-2": [
          "OPA-03"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.RE.RDELI"
        ]
      }
    },
    {
      "control_id": "CHG-01",
      "title": "Change Management Program",
      "family": "CHG",
      "description": "Mechanisms exist to facilitate the implementation of a change management program.",
      "scf_question": "Does the organization facilitate the implementation of a change management program?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CHG-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Documented change control processes are either informal or do not exist.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.\n▪ A Change Advisory Board (CAB), or similar function, exists to govern Requests For Change (RFC) to TAAS to ensure security, compliance and resilience.\n▪ The CAB includes a function to review RFCs for cybersecurity and data protection ramifications.\n▪ The CAB notifies affected stakeholders to ensure awareness of the impact of proposed changes.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of a change management program.",
        "4": "Change Management (CHG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "small": "∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "medium": "∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "large": "∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "enterprise": "∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF13",
          "CC3.4",
          "CC3.4-POF4",
          "CC6.8-POF3",
          "CC8.1",
          "CC8.1-POF1",
          "CC8.1-POF2",
          "CC8.1-POF3",
          "CC8.1-POF4",
          "CC8.1-POF5",
          "CC8.1-POF6",
          "CC8.1-POF7",
          "CC8.1-POF8",
          "CC8.1-POF9",
          "CC8.1-POF10",
          "CC8.1-POF11",
          "CC8.1-POF13",
          "CC8.1-POF14",
          "CC8.1-POF16"
        ],
        "general-cobit-2019": [
          "BAI06.03"
        ],
        "general-coso-2013": [
          "9"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-01",
          "CCC-03",
          "CEK-06"
        ],
        "general-csa-iot-2": [
          "CCM-02",
          "CCM-08",
          "DAT-04",
          "IAM-22"
        ],
        "general-govramp": [
          "CM-03"
        ],
        "general-govramp-low-plus": [
          "CM-03"
        ],
        "general-govramp-mod": [
          "CM-03"
        ],
        "general-govramp-high": [
          "CM-03"
        ],
        "general-iec-62443-2-1-2024": [
          "CM 1.4"
        ],
        "general-iso-27001-2022": [
          "6.3"
        ],
        "general-iso-27002-2022": [
          "8.19",
          "8.32"
        ],
        "general-iso-27017-2015": [
          "12.1.2"
        ],
        "general-iso-27018-2025": [
          "8.19",
          "8.32"
        ],
        "general-iso-42001-2023": [
          "6.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-5.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(f)"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P2"
        ],
        "general-nist-800-53-r4": [
          "CM-3"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-03"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-03"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)"
        ],
        "general-nist-800-82-r3": [
          "CM-03"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-03"
        ],
        "general-nist-800-82-r3-high": [
          "CM-03"
        ],
        "general-nist-800-161-r1": [
          "CM-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-3"
        ],
        "general-nist-800-171-r2": [
          "3.4.3"
        ],
        "general-nist-800-171-r3": [
          "03.04.02.b",
          "03.04.03.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.03.d[01]",
          "A.03.04.03.d[02]"
        ],
        "general-nist-800-172": [
          "3.13.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-07"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.2",
          "6.5",
          "6.5.1",
          "6.5.2",
          "6.5.3",
          "12.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.2",
          "6.5.1",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.5.1",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.2",
          "6.5.1",
          "6.5.2",
          "6.5.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.2",
          "6.5.1",
          "6.5.2",
          "6.5.3",
          "12.4.2"
        ],
        "general-tisax-6-0-3": [
          "5.2.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG3.SP1",
          "TM:SG4",
          "TM:SG4.SP1",
          "TM:SG4.SP2",
          "TM:SG4.SP3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.CMANA"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.Q"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-4a",
          "ASSET-4c",
          "ASSET-4g"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.3"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-03"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(7)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(1)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(1)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-3",
          "CM-3.e",
          "CM-3.f",
          "CM-3.g"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.7"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)(6)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(C)",
          "7123(c)(5)(D)",
          "7123(c)(5)(E)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-03"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(37)",
          "3.6.3(75)",
          "3.6.3(76)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(e)"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.1.7(d)",
          "6.4.1",
          "6.4.4",
          "6.6.1",
          "6.10.2(d)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "8.4"
        ],
        "emea-deu-c5-2020": [
          "DEV-03",
          "DEV-08"
        ],
        "emea-isr-cmo-1-0": [
          "10.6",
          "14.6",
          "14.7"
        ],
        "emea-sau-cgiot-2024": [
          "1-5-3"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5",
          "1-5-1",
          "1-5-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.7"
        ],
        "emea-zaf-popia-2013": [
          "19.1",
          "19.2"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 21.1"
        ],
        "emea-esp-decree-311-2022": [
          "21.1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.5 [OP.EXP.5]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2404"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2404"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2404"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2404"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1211"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S3"
        ],
        "apac-jpn-ismap": [
          "4.5.4.4",
          "12.1.2",
          "12.1.2.1",
          "12.1.2.11.PB"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP18",
          "HML18"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP16"
        ],
        "apac-nzl-ism-3-9": [
          "6.3.6.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.5.1",
          "7.5.2",
          "7.5.3",
          "7.5.4",
          "7.5.5",
          "7.5.6",
          "7.5.7"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.17",
          "4.20",
          "6.11"
        ],
        "americas-can-osfi-b13-2022": [
          "2.5",
          "2.5.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.02.B",
          "03.04.03.A"
        ]
      }
    },
    {
      "control_id": "CHG-02",
      "title": "Configuration Change Control",
      "family": "CHG",
      "description": "Mechanisms exist to govern the technical configuration change control processes.",
      "scf_question": "Does the organization govern the technical configuration change control processes?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CHG-02",
        "E-CHG-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Requests for Change (RFC) are submitted to IT and/or cybersecurity personnel.\n▪ Documented change control processes are either informal or do not exist.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.\n▪ Configuration management practices prevent unauthorized changes by limiting and reviewing permissions to modify TAAS components within a production/operational environment.\n▪ A Change Advisory Board (CAB), or similar function, exists to govern Requests For Change (RFC) to TAAS to ensure security, compliance and resilience.\n▪ The CAB includes a function to review RFCs for cybersecurity and data protection ramifications.\n▪ The CAB notifies affected stakeholders to ensure awareness of the impact of proposed changes.\n▪ Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern the technical configuration change control processes.",
        "4": "Change Management (CHG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "small": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "medium": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "large": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "enterprise": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF13",
          "CC3.4",
          "CC3.4-POF4",
          "CC6.8-POF3",
          "CC8.1",
          "CC8.1-POF1",
          "CC8.1-POF2",
          "CC8.1-POF3",
          "CC8.1-POF4",
          "CC8.1-POF5",
          "CC8.1-POF6",
          "CC8.1-POF7",
          "CC8.1-POF8",
          "CC8.1-POF9",
          "CC8.1-POF10",
          "CC8.1-POF11",
          "CC8.1-POF13",
          "CC8.1-POF14"
        ],
        "general-cobit-2019": [
          "BAI06.03",
          "BAI06.04",
          "BAI07.01",
          "BAI07.02",
          "BAI07.06"
        ],
        "general-coso-2013": [
          "9"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-02",
          "CCC-03",
          "CCC-05",
          "CCC-09",
          "CEK-05"
        ],
        "general-csa-iot-2": [
          "CCM-02",
          "CCM-08",
          "GVN-05",
          "IAM-22"
        ],
        "general-govramp": [
          "CM-03"
        ],
        "general-govramp-low-plus": [
          "CM-03"
        ],
        "general-govramp-mod": [
          "CM-03"
        ],
        "general-govramp-high": [
          "CM-03"
        ],
        "general-iec-62443-2-1-2024": [
          "CM 1.4",
          "DATA 1.3(a)",
          "DATA 1.3(b)"
        ],
        "general-iso-27002-2022": [
          "8.19",
          "8.32"
        ],
        "general-iso-27017-2015": [
          "12.1.2",
          "14.2.2"
        ],
        "general-iso-27018-2025": [
          "8.19",
          "8.32"
        ],
        "general-iso-42001-2023": [
          "6.3"
        ],
        "general-mitre-att&ck-16-1": [
          "T1021.005",
          "T1059.006",
          "T1176",
          "T1195",
          "T1195.003",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.005",
          "T1495",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1543.002",
          "T1546",
          "T1547.007",
          "T1547.013",
          "T1548",
          "T1553",
          "T1553.006",
          "T1555",
          "T1556.008",
          "T1562.008",
          "T1562.012",
          "T1564.008",
          "T1578.005",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1647",
          "T1653",
          "T1666"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P2"
        ],
        "general-nist-800-53-r4": [
          "CM-3"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03",
          "SA-08(31)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-03",
          "SA-08(31)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-03"
        ],
        "general-nist-800-82-r3": [
          "CM-03",
          "SA-08(31)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-03"
        ],
        "general-nist-800-82-r3-high": [
          "CM-03"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-08(31)"
        ],
        "general-nist-800-161-r1": [
          "CM-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-3"
        ],
        "general-nist-800-171-r2": [
          "3.4.3"
        ],
        "general-nist-800-171-r3": [
          "03.04.02.b",
          "03.04.03.a",
          "03.04.03.b",
          "03.04.03.c"
        ],
        "general-nist-800-171a": [
          "3.4.3[a]",
          "3.4.3[b]",
          "3.4.3[c]",
          "3.4.3[d]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.03.a",
          "A.03.04.03.c[01]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-07"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.2",
          "6.5",
          "6.5.1",
          "6.5.6",
          "12.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.2",
          "6.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.2",
          "6.5.1",
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.2",
          "6.5.1",
          "6.5.6",
          "12.4.2"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "5.2.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG3.SP2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.CMANA"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-4b",
          "ARCHITECTURE-3l"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.3"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(k)(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-03",
          "SA-08(31)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-03",
          "SA-08(31)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-03",
          "SA-08(31)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-03",
          "SA-08(31)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(7)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-1-IS.3",
          "CM-3",
          "CM-3.a",
          "CM-3.b",
          "CM-3.c",
          "CM-3.d",
          "CM-3-IS.1",
          "CM-3-IS.2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(C)",
          "7123(c)(5)(D)",
          "7123(c)(5)(E)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-03",
          "CM-03-SID"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-03"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(37)",
          "3.6.3(75)",
          "3.6.3(76)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(e)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.4.1",
          "6.4.2"
        ],
        "emea-deu-bsrit-2017": [
          "8.5"
        ],
        "emea-deu-c5-2020": [
          "DEV-08"
        ],
        "emea-isr-cmo-1-0": [
          "10.6",
          "14.7"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5",
          "1-5-1",
          "1-5-2",
          "1-5-3",
          "1-5-3-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-73"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 21.1"
        ],
        "emea-esp-decree-311-2022": [
          "21.1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1211"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S3"
        ],
        "apac-jpn-ismap": [
          "12.1.2.2",
          "12.1.2.3",
          "12.1.2.4",
          "12.1.2.5",
          "12.1.2.6",
          "12.1.2.7",
          "12.1.2.8",
          "12.1.2.9",
          "12.1.2.13",
          "12.1.2.14",
          "12.5.1.4",
          "12.5.1.6",
          "12.5.1.7",
          "12.5.1.8",
          "12.5.1.10",
          "12.5.1.11",
          "12.5.1.12",
          "12.5.1.13",
          "12.5.1.14",
          "12.5.1.15",
          "12.5.1.16",
          "12.5.1.17",
          "12.5.1.18",
          "14.2.2",
          "14.2.2.1",
          "14.2.2.2",
          "14.2.2.3",
          "14.2.2.4",
          "14.2.2.5",
          "14.2.2.6",
          "14.2.2.7",
          "14.2.2.8",
          "14.2.2.9",
          "14.2.2.10",
          "14.2.2.11",
          "14.2.2.12",
          "14.2.2.13",
          "14.2.2.14",
          "14.2.2.15",
          "14.2.2.16",
          "14.2.2.17",
          "14.2.4.7",
          "14.2.4.8",
          "14.2.4.9",
          "14.2.4.10"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP18",
          "HML18"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP16"
        ],
        "apac-nzl-ism-3-9": [
          "6.3.6.C.02",
          "6.3.7.C.01",
          "6.3.7.C.02",
          "6.3.7.C.03"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.18",
          "4.20"
        ],
        "americas-can-osfi-b13-2022": [
          "2.5",
          "2.5.1",
          "2.5.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.02.B",
          "03.04.03.A",
          "03.04.03.B",
          "03.04.03.C"
        ]
      }
    },
    {
      "control_id": "CHG-02.1",
      "title": "Prohibition Of Changes",
      "family": "CHG",
      "description": "Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received.",
      "scf_question": "Does the organization prohibit unauthorized changes, unless organization-approved change requests are received?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CHG-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Requests for Change (RFC) are submitted to IT and/or cybersecurity personnel.\n▪ Prior to changes being made, RFCs are informally reviewed for cybersecurity and/or data protection ramifications.\n▪ Documented change control processes are either informal or do not exist.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.\n▪ Configuration management practices prevent unauthorized changes by limiting and reviewing permissions to modify TAAS components within a production/operational environment",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit unauthorized changes, unless organization-approved change requests are received.",
        "4": "Change Management (CHG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Manual processes/workflows\n∙ Application whitelisting",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Manual processes/workflows\n∙ Application whitelisting",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Application whitelisting\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Application whitelisting\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Application whitelisting\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8",
          "CC8.1-POF2"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-03",
          "CCC-04"
        ],
        "general-csa-iot-2": [
          "GVN-05"
        ],
        "general-govramp": [
          "CM-03(01)"
        ],
        "general-govramp-high": [
          "CM-03(01)"
        ],
        "general-iso-42001-2023": [
          "6.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.6"
        ],
        "general-nist-800-53-r4": [
          "CM-3(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CM-03(01)"
        ],
        "general-nist-800-82-r3": [
          "CM-03(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-03(01)"
        ],
        "general-nist-800-161-r1": [
          "CM-3(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-3(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-3(1)"
        ],
        "general-nist-800-171-r3": [
          "03.04.02.b",
          "03.04.03.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.03.b[02]",
          "A.03.04.05[05]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-07"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.2",
          "6.5",
          "6.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.2",
          "6.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.2",
          "6.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.2",
          "6.5.1"
        ],
        "general-shared-assessments-sig-2025": [
          "G.2"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-03(01)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(C)",
          "7123(c)(5)(D)",
          "7123(c)(5)(E)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(37)",
          "3.6.3(75)",
          "3.6.3(76)"
        ],
        "emea-deu-c5-2020": [
          "IDM-02"
        ],
        "emea-isr-cmo-1-0": [
          "14.7"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-3-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-73"
        ],
        "apac-jpn-ismap": [
          "14.2.4",
          "14.2.4.1",
          "14.2.4.2",
          "14.2.4.3",
          "14.2.4.4",
          "14.2.4.5",
          "14.2.4.6"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.5.4"
        ],
        "americas-can-osfi-b13-2022": [
          "2.5",
          "2.5.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.02.B",
          "03.04.03.A"
        ]
      }
    },
    {
      "control_id": "CHG-02.2",
      "title": "Test, Validate & Document Changes",
      "family": "CHG",
      "description": "Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.",
      "scf_question": "Does the organization appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CHG-03",
        "E-CHG-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Whenever possible, IT and/or cybersecurity personnel test changes to business-critical Technology Assets, Applications and/or Services (TAAS) on a similarly configured IT environment, prior to widespread production release of the change.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to test controls after a change is implemented to ensure cybersecurity and/or data protection controls are operating properly.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document the results from testing changes.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org)",
        "small": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org)",
        "medium": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org)",
        "large": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org)",
        "enterprise": "∙ Change Control Board (CCB)\n∙ Configuration Management Database (CMDB)\n∙ VisibleOps (https://itpi.org)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.4",
          "CC8.1",
          "CC8.1-POF4",
          "CC8.1-POF5",
          "CC8.1-POF7",
          "CC8.1-POF10",
          "CC8.1-POF13",
          "CC8.1-POF16"
        ],
        "general-cobit-2019": [
          "BAI07.05"
        ],
        "general-coso-2013": [
          "9"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-02"
        ],
        "general-csa-iot-2": [
          "CCM-08"
        ],
        "general-govramp": [
          "CM-03(02)"
        ],
        "general-govramp-low-plus": [
          "CM-03(02)"
        ],
        "general-govramp-mod": [
          "CM-03(02)"
        ],
        "general-govramp-high": [
          "CM-03(02)"
        ],
        "general-iec-62443-2-1-2024": [
          "COMP 3.4"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.3"
        ],
        "general-iso-27002-2022": [
          "8.19",
          "8.32"
        ],
        "general-iso-27017-2015": [
          "12.1.2",
          "14.2.3"
        ],
        "general-iso-27018-2025": [
          "8.19",
          "8.32"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-5.0"
        ],
        "general-nist-800-53-r4": [
          "CM-3(2)",
          "CM-5(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03(02)",
          "CM-03(07)",
          "SA-08(31)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-03(02)",
          "SA-08(31)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-03(02)"
        ],
        "general-nist-800-82-r3": [
          "CM-03(02)",
          "CM-03(07)",
          "SA-08(31)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-08(31)"
        ],
        "general-nist-800-161-r1": [
          "CM-3(2)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-3(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-3(2)"
        ],
        "general-nist-800-171-r2": [
          "NFO - CM-3(2)"
        ],
        "general-nist-800-171-r3": [
          "03.04.03.b",
          "03.04.03.c",
          "03.04.04.a",
          "03.04.11.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.03.c[02]"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-07"
        ],
        "general-pci-dss-4-0-1": [
          "6.5",
          "6.5.1",
          "6.5.2",
          "A3.2.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.5.1",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.5.1",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.1",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.1",
          "6.5.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-3(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-4b",
          "ASSET-4c",
          "ASSET-4d",
          "ASSET-4f",
          "ASSET-4h",
          "ASSET-4i",
          "THREAT-1h"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-03(02)",
          "SA-08(31)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-03(02)",
          "SA-08(31)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-03(02)",
          "SA-08(31)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-03(02)",
          "SA-08(31)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-3(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-3(2)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-010-4 1.4.2",
          "CIP-010-4 1.5.1",
          "CIP-010-4 1.5.2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)",
          "7123(c)(5)(E)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-03 (02)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(37)",
          "3.6.3(75)",
          "3.6.3(76)"
        ],
        "emea-deu-c5-2020": [
          "DEV-06",
          "DEV-08",
          "DEV-09"
        ],
        "emea-isr-cmo-1-0": [
          "10.6",
          "12.21",
          "12.30",
          "14.6",
          "14.8",
          "14.9",
          "14.10"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-1-2"
        ],
        "emea-sau-cgiot-2024": [
          "1-5-3"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-2-1",
          "1-6-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-3-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-73"
        ],
        "apac-ind-sebi-2024": [
          "PR.MA.S1"
        ],
        "apac-jpn-ismap": [
          "12.1.2.10",
          "12.5.1.5",
          "12.5.1.9",
          "14.2.3",
          "14.2.3.1",
          "14.2.3.2",
          "14.2.3.3"
        ],
        "apac-nzl-ism-3-9": [
          "6.3.8.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.4.2",
          "7.5.3",
          "7.5.5",
          "7.5.7"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.11"
        ],
        "americas-can-osfi-b13-2022": [
          "2.5.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.03.B",
          "03.04.03.C",
          "03.04.04.A",
          "03.04.11.B"
        ]
      }
    },
    {
      "control_id": "CHG-02.3",
      "title": "Security, Compliance & Resilience Representative for Asset Lifecycle Changes",
      "family": "CHG",
      "description": "Mechanisms exist to include a cybersecurity and/or data protection representative in the configuration change control review process.",
      "scf_question": "Does the organization include a cybersecurity and/or data protection representative in the configuration change control review process?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CHG-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include a cybersecurity and/or data protection representative in the configuration change control review process.",
        "4": "Change Management (CHG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "small": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "medium": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "large": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "enterprise": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed",
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.4",
          "CC8.1-POF3"
        ],
        "general-coso-2013": [
          "9"
        ],
        "general-csa-iot-2": [
          "CCM-08"
        ],
        "general-govramp": [
          "CM-03(04)"
        ],
        "general-govramp-high": [
          "CM-03(04)"
        ],
        "general-nist-800-53-r4": [
          "CM-3(4)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-03(04)"
        ],
        "general-nist-800-82-r3": [
          "CM-03(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-03(04)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-03(04)"
        ],
        "general-nist-800-161-r1": [
          "CM-3(4)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-3(4)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-3(4)"
        ],
        "general-nist-800-171-r3": [
          "03.04.04.a"
        ],
        "general-tisax-6-0-3": [
          "5.2.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-3(4)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-4c",
          "THREAT-1h"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-03(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-03(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-3(CE-4)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)",
          "7123(c)(5)(E)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-03 (04)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(37)",
          "3.6.3(75)",
          "3.6.3(76)"
        ],
        "emea-deu-c5-2020": [
          "DEV-05",
          "DEV-09"
        ],
        "emea-isr-cmo-1-0": [
          "14.8"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-2-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-2"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.5.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.4",
          "6.11"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.04.A"
        ]
      }
    },
    {
      "control_id": "CHG-02.4",
      "title": "Automated Security Response",
      "family": "CHG",
      "description": "Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configuration change(s).",
      "scf_question": "Does the organization use automated mechanisms to implement remediation actions upon the detection of unauthorized baseline configuration change(s)?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically implement remediation actions upon the detection of unauthorized baseline configuration change(s).",
        "4": "Change Management (CHG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document and approve changes before making them",
        "small": "∙ Change request form\n∙ Change approval process\n∙ Change log",
        "medium": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "CCC-04",
          "CCC-06",
          "CCC-09"
        ],
        "general-csa-iot-2": [
          "GVN-05"
        ],
        "general-nist-800-53-r4": [
          "CM-3(5)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03(05)"
        ],
        "general-nist-800-82-r3": [
          "CM-03(05)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-pci-dss-4-0-1": [
          "10.7"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-4"
        ]
      }
    },
    {
      "control_id": "CHG-02.5",
      "title": "Cryptographic Management",
      "family": "CHG",
      "description": "Mechanisms exist to govern assets involved in providing cryptographic protections according to the organization's configuration management processes.",
      "scf_question": "Does the organization govern assets involved in providing cryptographic protections according to its configuration management processes?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern assets involved in providing cryptographic protections according to the organization's configuration management processes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document and approve changes before making them",
        "small": "∙ Change request form\n∙ Change approval process\n∙ Change log",
        "medium": "∙ Formal change management process (ITIL-aligned)\n∙ CAB\n∙ Rollback procedures",
        "large": "∙ Enterprise change management platform (e.g., ServiceNow)\n∙ Formal CAB\n∙ Change risk assessment",
        "enterprise": "∙ Enterprise change management platform (ServiceNow, Jira)\n∙ Formal CAB\n∙ Automated CI/CD change controls"
      },
      "risks": [
        "R-AC-1",
        "R-AM-2",
        "R-AM-3"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-govramp": [
          "CM-03(06)"
        ],
        "general-govramp-high": [
          "CM-03(06)"
        ],
        "general-nist-800-53-r4": [
          "CM-3(6)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03(06)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CM-03(06)"
        ],
        "general-nist-800-82-r3": [
          "CM-03(06)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-03(06)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-03(06)"
        ]
      }
    },
    {
      "control_id": "CHG-03",
      "title": "Security Impact Analysis for Changes",
      "family": "CHG",
      "description": "Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.",
      "scf_question": "Does the organization analyze proposed changes for potential security impacts, prior to the implementation of the change?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CHG-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Prior to changes being made, RFCs are informally reviewed for cybersecurity and/or data protection ramifications.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to analyze proposed changes for potential security impacts, prior to the implementation of the change.",
        "4": "Change Management (CHG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "small": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "medium": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "large": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "enterprise": "∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.4",
          "CC3.4-POF4",
          "CC8.1-POF3",
          "CC8.1-POF10"
        ],
        "general-coso-2013": [
          "9"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-03",
          "CCC-05"
        ],
        "general-govramp": [
          "CM-04"
        ],
        "general-govramp-core": [
          "CM-04"
        ],
        "general-govramp-low": [
          "CM-04"
        ],
        "general-govramp-low-plus": [
          "CM-04"
        ],
        "general-govramp-mod": [
          "CM-04"
        ],
        "general-govramp-high": [
          "CM-04"
        ],
        "general-iso-42001-2023": [
          "A.5.2",
          "A.5.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-5.0"
        ],
        "general-nist-800-53-r4": [
          "CM-4"
        ],
        "general-nist-800-53-r5-2": [
          "CM-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-04"
        ],
        "general-nist-800-82-r3": [
          "CM-04"
        ],
        "general-nist-800-82-r3-low": [
          "CM-04"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-04"
        ],
        "general-nist-800-82-r3-high": [
          "CM-04"
        ],
        "general-nist-800-161-r1": [
          "CM-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-4"
        ],
        "general-nist-800-171-r2": [
          "3.4.4"
        ],
        "general-nist-800-171-r3": [
          "03.04.03.b",
          "03.04.04.a",
          "03.04.11.b"
        ],
        "general-nist-800-171a": [
          "3.4.4"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.03.b[01]",
          "A.03.04.04.a"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-07"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.2",
          "6.5.6",
          "A3.2.2",
          "A3.2.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.2",
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.2",
          "6.5.6"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "5.2.2",
          "5.3.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-4c",
          "ASSET-4d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-04"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-4",
          "CM-4-IS.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)",
          "7123(c)(5)(E)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-04"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(37)",
          "3.6.3(75)",
          "3.6.3(76)"
        ],
        "emea-deu-c5-2020": [
          "DEV-05",
          "BCM-02"
        ],
        "emea-isr-cmo-1-0": [
          "10.6",
          "14.8"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-1-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-2",
          "1-5-4"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21(d)"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP33",
          "HML33"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP29"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.5.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.03.B",
          "03.04.04.A",
          "03.04.11.B"
        ]
      }
    },
    {
      "control_id": "CHG-04",
      "title": "Access Restriction For Change",
      "family": "CHG",
      "description": "Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.",
      "scf_question": "Does the organization enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-13",
        "E-IAM-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.",
        "4": "Change Management (CHG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)",
        "small": "∙ Role Based Access Control (RBAC)",
        "medium": "∙ Role Based Access Control (RBAC)",
        "large": "∙ Role Based Access Control (RBAC)",
        "enterprise": "∙ Role Based Access Control (RBAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC8.1-POF2",
          "CC8.1-POF9"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-04"
        ],
        "general-govramp": [
          "CM-05"
        ],
        "general-govramp-core": [
          "CM-05"
        ],
        "general-govramp-low-plus": [
          "CM-05"
        ],
        "general-govramp-mod": [
          "CM-05"
        ],
        "general-govramp-high": [
          "CM-05"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1020.001",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1021.008",
          "T1047",
          "T1053",
          "T1053.002",
          "T1053.003",
          "T1053.005",
          "T1053.006",
          "T1053.007",
          "T1055",
          "T1055.008",
          "T1056.003",
          "T1059",
          "T1059.001",
          "T1059.006",
          "T1059.008",
          "T1072",
          "T1078",
          "T1078.002",
          "T1078.003",
          "T1078.004",
          "T1098",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.004",
          "T1098.005",
          "T1098.007",
          "T1134",
          "T1134.001",
          "T1134.002",
          "T1134.003",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1137.002",
          "T1176",
          "T1185",
          "T1190",
          "T1195",
          "T1195.001",
          "T1195.003",
          "T1197",
          "T1210",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.005",
          "T1218",
          "T1218.007",
          "T1218.015",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1484",
          "T1489",
          "T1495",
          "T1505",
          "T1505.002",
          "T1525",
          "T1528",
          "T1530",
          "T1537",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1543.001",
          "T1543.002",
          "T1543.003",
          "T1543.004",
          "T1546.003",
          "T1546.016",
          "T1547.003",
          "T1547.004",
          "T1547.006",
          "T1547.007",
          "T1547.009",
          "T1547.012",
          "T1547.013",
          "T1548",
          "T1548.002",
          "T1548.003",
          "T1548.005",
          "T1548.006",
          "T1550",
          "T1550.002",
          "T1550.003",
          "T1552",
          "T1552.002",
          "T1552.007",
          "T1553",
          "T1553.006",
          "T1554",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004",
          "T1556.008",
          "T1556.009",
          "T1558",
          "T1558.001",
          "T1558.002",
          "T1558.003",
          "T1559",
          "T1559.001",
          "T1559.003",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.004",
          "T1562.006",
          "T1562.007",
          "T1562.008",
          "T1562.009",
          "T1562.011",
          "T1562.012",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1564.008",
          "T1569",
          "T1569.001",
          "T1569.002",
          "T1574",
          "T1574.005",
          "T1574.010",
          "T1574.011",
          "T1574.012",
          "T1574.014",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1611",
          "T1619",
          "T1621",
          "T1647"
        ],
        "general-nist-800-53-r4": [
          "CM-5"
        ],
        "general-nist-800-53-r5-2": [
          "CM-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-05"
        ],
        "general-nist-800-82-r3": [
          "CM-05"
        ],
        "general-nist-800-82-r3-low": [
          "CM-05"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-05"
        ],
        "general-nist-800-82-r3-high": [
          "CM-05"
        ],
        "general-nist-800-161-r1": [
          "CM-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-5"
        ],
        "general-nist-800-171-r2": [
          "3.4.5"
        ],
        "general-nist-800-171-r3": [
          "03.04.02.b",
          "03.04.05"
        ],
        "general-nist-800-171a": [
          "3.4.5[a]",
          "3.4.5[b]",
          "3.4.5[c]",
          "3.4.5[d]",
          "3.4.5[e]",
          "3.4.5[f]",
          "3.4.5[g]",
          "3.4.5[h]"
        ],
        "general-nist-800-218": [
          "PS.1"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-07"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.8"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.8"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-4e"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-05"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-5",
          "CM-5(IRS-Defined)-1",
          "CM-5(IRS-Defined)-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-5"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-05"
        ],
        "emea-deu-c5-2020": [
          "DEV-09"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-3-4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2422"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2422"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2422"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2422"
        ],
        "americas-can-osfi-b13-2022": [
          "2.5",
          "2.5.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.02.B",
          "03.04.05"
        ]
      }
    },
    {
      "control_id": "CHG-04.1",
      "title": "Automated Access Enforcement / Auditing",
      "family": "CHG",
      "description": "Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.",
      "scf_question": "Does the organization perform after-the-fact reviews of configuration change logs to discover any unauthorized changes?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.",
        "4": "Change Management (CHG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configuration Management Database (CMDB)",
        "small": "∙ Configuration Management Database (CMDB)",
        "medium": "∙ Configuration Management Database (CMDB)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ Configuration Management Database (CMDB)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ Configuration Management Database (CMDB)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC8.1-POF10",
          "CC8.1-POF11"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-04",
          "CCC-09"
        ],
        "general-govramp": [
          "CM-05(01)"
        ],
        "general-govramp-core": [
          "CM-05(01)"
        ],
        "general-govramp-mod": [
          "CM-05(01)"
        ],
        "general-govramp-high": [
          "CM-05(01)"
        ],
        "general-nist-800-53-r4": [
          "CM-5(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-05(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CM-05(01)"
        ],
        "general-nist-800-82-r3": [
          "CM-05(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-05(01)"
        ],
        "general-nist-800-161-r1": [
          "CM-5(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-5(1)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.CMANA"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "2.2.2"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-05(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-5(1)"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.11"
        ]
      }
    },
    {
      "control_id": "CHG-04.2",
      "title": "Signed Components",
      "family": "CHG",
      "description": "Mechanisms exist to prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority.",
      "scf_question": "Does the organization prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority.",
        "4": "Change Management (CHG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document and approve changes before making them",
        "small": "∙ Change request form\n∙ Change approval process\n∙ Change log",
        "medium": "∙ Formal change management process (ITIL-aligned)\n∙ CAB\n∙ Rollback procedures",
        "large": "∙ Enterprise change management platform (e.g., ServiceNow)\n∙ Formal CAB\n∙ Change risk assessment",
        "enterprise": "∙ Enterprise change management platform (ServiceNow, Jira)\n∙ Formal CAB\n∙ Automated CI/CD change controls"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-EX-7"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-iec-62443-4-2-2019": [
          "CR 3.4(1)",
          "EDR 2.4(1)",
          "HDR 3.10(1)",
          "NDR 3.10(1)"
        ],
        "general-nist-800-53-r4": [
          "CM-5(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-14",
          "SI-07(15)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-07(15)"
        ],
        "general-nist-800-82-r3": [
          "CM-14",
          "SI-07(15)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-07(15)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-14",
          "SI-07(15)"
        ],
        "general-nist-800-161-r1": [
          "CM-14",
          "SI-7(15)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-14",
          "SI-7(15)"
        ],
        "general-sparta": [
          "CM0021"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-14",
          "SI-07(15)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-14"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1796"
        ]
      }
    },
    {
      "control_id": "CHG-04.3",
      "title": "Dual Authorization for Change",
      "family": "CHG",
      "description": "Mechanisms exist to enforce a two-person rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization enforce a two-person rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce a two-person rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "medium": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "large": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "enterprise": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-2",
        "R-GV-3",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-govramp": [
          "AC-05"
        ],
        "general-govramp-low-plus": [
          "AC-05"
        ],
        "general-govramp-mod": [
          "AC-05"
        ],
        "general-govramp-high": [
          "AC-05"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 2.3"
        ],
        "general-nist-800-53-r4": [
          "AC-5",
          "CM-5(4)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-05",
          "CM-05(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-05"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-05"
        ],
        "general-nist-800-82-r3": [
          "AC-05",
          "CM-05(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-05"
        ],
        "general-nist-800-82-r3-high": [
          "AC-05"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-05(04)"
        ],
        "general-nist-800-161-r1": [
          "AC-5"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-05"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-5"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-05"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-6"
        ]
      }
    },
    {
      "control_id": "CHG-04.4",
      "title": "Permissions To Implement Changes",
      "family": "CHG",
      "description": "Mechanisms exist to limit operational privileges for implementing changes.",
      "scf_question": "Does the organization limit operational privileges for implementing changes?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit operational privileges for implementing changes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-2",
        "R-GV-3",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC8.1-POF9"
        ],
        "general-cobit-2019": [
          "DSS06.03"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-04"
        ],
        "general-govramp": [
          "CM-05(05)"
        ],
        "general-govramp-core": [
          "CM-05(05)"
        ],
        "general-govramp-mod": [
          "CM-05(05)"
        ],
        "general-govramp-high": [
          "CM-05(05)"
        ],
        "general-nist-800-53-r4": [
          "CM-5(5)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-05(05)"
        ],
        "general-nist-800-82-r3": [
          "CM-05(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-05(05)"
        ],
        "general-nist-800-171-r3": [
          "03.04.05"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.05[06]"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-4e"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-05(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-05(05)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-5(CE-5)",
          "CM-5(CE-5).a",
          "CM-5(CE-5).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-5(5)",
          "CM-5(5).a",
          "CM-5(5).b"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-05 (05)"
        ],
        "emea-deu-c5-2020": [
          "DEV-09",
          "PSS-08"
        ],
        "emea-isr-cmo-1-0": [
          "10.4"
        ],
        "apac-chn-data-security-law-2021": [
          "27"
        ],
        "americas-can-osfi-b13-2022": [
          "2.5",
          "2.5.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.05"
        ]
      }
    },
    {
      "control_id": "CHG-04.5",
      "title": "Library Privileges",
      "family": "CHG",
      "description": "Mechanisms exist to restrict software library privileges to those individuals with a pertinent business need for access.",
      "scf_question": "Does the organization restrict software library privileges to those individuals with a pertinent business need for access?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict software library privileges to those individuals with a pertinent business need for access.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-2",
        "R-GV-3",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "CM-5(6)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-05(06)"
        ],
        "general-nist-800-82-r3": [
          "CM-05(06)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-05(06)"
        ],
        "general-nist-800-161-r1": [
          "CM-5(6)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-5(6)"
        ],
        "general-nist-800-218": [
          "PS.1"
        ],
        "general-ul-2900-1-2017": [
          "4.1(e)"
        ],
        "emea-deu-c5-2020": [
          "DEV-07",
          "DEV-08"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0405"
        ]
      }
    },
    {
      "control_id": "CHG-05",
      "title": "Stakeholder Notification of Changes",
      "family": "CHG",
      "description": "Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes.",
      "scf_question": "Does the organization ensure stakeholders are made aware of and understand the impact of proposed changes?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CHG-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited information is provided to stakeholders about proposed changes.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure stakeholders are made aware of and understand the impact of proposed changes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "small": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "medium": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "large": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "enterprise": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-2",
        "R-GV-3",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF13",
          "CC8.1"
        ],
        "general-cobit-2019": [
          "EDM05.01",
          "EDM05.02",
          "EDM05.03",
          "APO14.01"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-05",
          "CEK-06"
        ],
        "general-govramp": [
          "CM-09"
        ],
        "general-govramp-core": [
          "CM-09"
        ],
        "general-govramp-low-plus": [
          "CM-09"
        ],
        "general-govramp-mod": [
          "CM-09"
        ],
        "general-govramp-high": [
          "CM-09"
        ],
        "general-iso-42001-2023": [
          "A.5.2",
          "A.5.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 5.0"
        ],
        "general-nist-800-53-r4": [
          "CM-9"
        ],
        "general-nist-800-53-r5-2": [
          "CM-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-09"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-09"
        ],
        "general-nist-800-82-r3": [
          "CM-09"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-09"
        ],
        "general-nist-800-82-r3-high": [
          "CM-09"
        ],
        "general-nist-800-161-r1": [
          "CM-9"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-9"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-9"
        ],
        "general-nist-800-171-r2": [
          "NFO - CM-9"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.11.b[01]",
          "A.03.04.11.b[02]"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-09"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-9"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-3-IS.3",
          "CM-9"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-09"
        ],
        "emea-sau-cgiot-2024": [
          "1-5-3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.B"
        ]
      }
    },
    {
      "control_id": "CHG-06",
      "title": "Control Functionality Verification",
      "family": "CHG",
      "description": "Mechanisms exist to verify the functionality of security, compliance and resilience controls following implemented changes to ensure applicable controls operate as designed.",
      "scf_question": "Does the organization verify the functionality of cybersecurity and/or data protection controls following implemented changes to ensure applicable controls operate as designed?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to verify the functionality of security, compliance and resilience controls following implemented changes to ensure applicable controls operate as designed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)",
        "small": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)",
        "medium": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)",
        "large": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)",
        "enterprise": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)"
      },
      "risks": [
        "R-AC-2",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Change Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "18.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "18.4"
        ],
        "general-cobit-2019": [
          "BAI07.08"
        ],
        "general-govramp": [
          "CM-03(02)",
          "SI-06"
        ],
        "general-govramp-low-plus": [
          "CM-03(02)"
        ],
        "general-govramp-mod": [
          "CM-03(02)",
          "SI-06"
        ],
        "general-govramp-high": [
          "CM-03(02)",
          "SI-06"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.3"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.3",
          "CR 3.3(1)"
        ],
        "general-nist-800-53-r4": [
          "CM-3(2)",
          "SI-6"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03(02)",
          "SA-08(31)",
          "SI-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-03(02)",
          "SA-08(31)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-03(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-06"
        ],
        "general-nist-800-82-r3": [
          "CM-03(02)",
          "SA-08(31)",
          "SI-06"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-03(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-03(02)",
          "SI-06"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-08(31)",
          "SI-06"
        ],
        "general-nist-800-161-r1": [
          "CM-3(2)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-3(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-3(2)"
        ],
        "general-nist-800-171-r3": [
          "03.04.04.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.04.b"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.2",
          "10.7.3",
          "A3.2.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.2",
          "10.7.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-3(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-4e"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-03(02)",
          "SA-08(31)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-03(02)",
          "SA-08(31)",
          "SI-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-03(02)",
          "SA-08(31)",
          "SI-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-03(02)",
          "SA-08(31)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-3(2)",
          "SI-6",
          "SI-6.a",
          "SI-6.b",
          "SI-6.c",
          "SI-6.d"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)",
          "7123(c)(5)(E)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-03 (02)"
        ],
        "emea-isr-cmo-1-0": [
          "10.6",
          "12.30",
          "14.10"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.5.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.04.B"
        ]
      }
    },
    {
      "control_id": "CHG-06.1",
      "title": "Report Verification Results",
      "family": "CHG",
      "description": "Mechanisms exist to report the results of security, compliance and resilience capability verification to appropriate organizational management.",
      "scf_question": "Does the organization report the results of cybersecurity and data protection function verification to appropriate organizational management?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to report the results of security, compliance and resilience capability verification to appropriate organizational management.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "small": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "medium": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "large": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "enterprise": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)"
      },
      "risks": [
        "R-AM-3",
        "R-GV-3",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-3",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Change Management",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-06(03)"
        ],
        "general-nist-800-82-r3": [
          "SI-06(03)"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.2"
        ]
      }
    },
    {
      "control_id": "CHG-07",
      "title": "Emergency Changes",
      "family": "CHG",
      "description": "Mechanisms exist to govern change management procedures for \"emergency\" changes.",
      "scf_question": "Does the organization govern change management procedures for \"emergency\" changes?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern change management procedures for \"emergency\" changes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {},
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "general-cobit-2019": [
          "BAI06.02"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-4f"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.4.3"
        ]
      }
    },
    {
      "control_id": "CHG-07.1",
      "title": "Documenting Emergency Changes",
      "family": "CHG",
      "description": "Mechanisms exist to document the results of \"emergency\" changes, including an explanation for why standard change management procedures could not be followed.",
      "scf_question": "Does the organization document the results of \"emergency\" changes, including an explanation for why standard change management procedures could not be followed?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Change Management (CHG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CHG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Change management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document the results of \"emergency\" changes, including an explanation for why standard change management procedures could not be followed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {},
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Change Management",
      "crosswalks": {
        "emea-eu-nis2-annex-2024": [
          "6.4.3"
        ]
      }
    },
    {
      "control_id": "CHG-08",
      "title": "Dual Approval For High-Impact Environments",
      "family": "CHG",
      "description": "Mechanisms exist to require dual approval for any changes that might result in a serious incident that could adversely impact:\n(1) Business processes; and/or\n(2) Technology Assets, Applications, Services and/or Data (TAASD).",
      "scf_question": "Does the organization require dual approval for any changes that might result in a serious, but adverse impact to:\n(1) Business processes; and/or\n(2) Technology Assets, Applications, Services and/or Data (TAASD)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Change Management (CHG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Change management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Change management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business stakeholders and process owners ensure changes to Technology Assets, Applications and/or Services (TAAS) within the System Development Lifecycle (SDLC) are controlled through formal change control procedures.",
        "3": "Change Management (CHG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CHG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CHG domain capabilities are well-documented and kept current by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain CHG domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities (e.g., Change Advisory Board (CAB)) to ensure successful, efficient and secure change management operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CHG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require dual approval for any changes that might result in a serious incident that could adversely impact:\n(1) Business processes; and/or\n(2) Technology Assets, Applications, Services and/or Data (TAASD).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Inventory embedded devices and document security settings",
        "small": "∙ Embedded device inventory\n∙ Default credential change policy",
        "medium": "∙ Embedded/IoT device security program\n∙ Network segmentation for IoT",
        "large": "∙ IoT/OT security program\n∙ Network segmentation\n∙ IoT security platform (e.g., Claroty, Armis)",
        "enterprise": "∙ Enterprise IoT/OT security platform (e.g., Claroty, Armis, Dragos)\n∙ Zero-trust IoT architecture"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-4",
        "R-EX-7",
        "R-GV-4",
        "R-GV-6",
        "R-IR-1"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11"
      ],
      "errata": "- new control (IEC 62443-4-2)",
      "family_name": "Change Management",
      "crosswalks": {
        "general-iec-62443-4-2-2019": [
          "CR 2.1(4)"
        ]
      }
    },
    {
      "control_id": "CLD-01",
      "title": "Cloud Services",
      "family": "CLD",
      "description": "Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.",
      "scf_question": "Does the organization facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Cloud-based technologies are governed no differently from on-premise network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to ensure the architecture for cloud-based technologies supports applicable cybersecurity and data protection requirements.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to identify cybersecurity and data protection requirements for CSP environments, including dedicated and multi-client environments.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Secure Baseline Configurations (SBC)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Secure Baseline Configurations (SBC)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF5"
        ],
        "general-csa-cmm-4-1-0": [
          "IPY-01",
          "IPY-04"
        ],
        "general-csa-iot-2": [
          "CLS-01",
          "CLS-05"
        ],
        "general-iso-27002-2022": [
          "5.23"
        ],
        "general-iso-27018-2025": [
          "5.23"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.3",
          "TS-2.0",
          "TS-2.12"
        ],
        "general-nist-800-171-r2": [
          "3.1.22",
          "NFO–PL-8"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.1",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.1",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.1",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.1",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.1"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-shared-assessments-sig-2025": [
          "J.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.EUSSE"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-c5-2020": [
          "COS-01",
          "COS-02"
        ],
        "emea-isr-cmo-1-0": [
          "11.2"
        ],
        "emea-sau-cscc-1-2019": [
          "4-2"
        ],
        "emea-sau-cgiot-2024": [
          "4-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "4-2-1",
          "4-2-2",
          "4-2-3",
          "4-2-3-2",
          "4-2-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-43"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.4",
          "3.3.8",
          "3.4.3"
        ],
        "emea-zaf-popia-2013": [
          "19.1",
          "19.2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1437",
          "ISM-1529",
          "ISM-1579",
          "ISM-1580",
          "ISM-1581"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S13"
        ],
        "apac-jpn-ismap": [
          "5.1.1.22.P",
          "5.1.1.23.P",
          "5.1.1.24.P",
          "5.1.1.25.P",
          "5.1.1.26.P",
          "5.1.1.27.P",
          "5.1.1.28.P",
          "5.1.1.29.P",
          "5.1.1.30.P"
        ],
        "apac-nzl-ism-3-9": [
          "22.1.20.C.01",
          "22.1.20.C.02",
          "22.1.20.C.03",
          "22.1.20.C.04",
          "22.1.20.C.05",
          "22.1.21.C.01",
          "22.1.21.C.02",
          "22.1.21.C.03",
          "22.1.21.C.04",
          "22.1.21.C.05",
          "22.1.21.C.06",
          "22.1.21.C.07",
          "22.1.24.C.01",
          "22.1.24.C.02",
          "22.1.24.C.03",
          "22.1.24.C.04",
          "22.1.25.C.01",
          "22.1.25.C.02",
          "22.1.26.C.01",
          "22.1.26.C.02",
          "22.1.26.C.03",
          "22.1.27.C.01",
          "23.1.54.C.01",
          "23.1.54.C.02",
          "23.2.19.C.01"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.11"
        ]
      }
    },
    {
      "control_id": "CLD-01.1",
      "title": "Cloud Infrastructure Onboarding",
      "family": "CLD",
      "description": "Mechanisms exist to ensure cloud services are designed and configured so Technology Assets, Applications and/or Services (TAAS) are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization ensure cloud services are designed and configured so Technology Assets, Applications and/or Services (TAAS) are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Cloud-based technologies are governed no differently from on-premises network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure cloud services are designed and configured so Technology Assets, Applications and/or Services (TAAS) are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "small": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "medium": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "large": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "enterprise": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "emea-sau-sacs-002-2022": [
          "TPC-43"
        ],
        "apac-nzl-ism-3-9": [
          "23.4.9.C.01",
          "23.4.9.C.02",
          "23.4.9.C.03",
          "23.4.10.C.01",
          "23.5.11.C.01",
          "23.5.12.C.01",
          "23.5.12.C.02"
        ]
      }
    },
    {
      "control_id": "CLD-01.2",
      "title": "Cloud Infrastructure Offboarding",
      "family": "CLD",
      "description": "Mechanisms exist to ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "small": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "medium": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "large": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)",
        "enterprise": "∙ Change management procedures\n∙ Change Control Board (CCB)\n∙ VisibleOps (https://itpi.org)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "apac-jpn-ismap": [
          "8.1.5.P",
          "8.1.5.1.P",
          "8.1.5.2.P",
          "8.1.5.3.P",
          "8.1.5.4.P"
        ],
        "apac-nzl-ism-3-9": [
          "23.4.13.C.01",
          "23.4.13.C.02",
          "23.4.13.C.03"
        ]
      }
    },
    {
      "control_id": "CLD-02",
      "title": "Cloud Security Architecture",
      "family": "CLD",
      "description": "Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud deployments.",
      "scf_question": "Does the organization ensure the cloud security architecture supports its technology strategy to securely design, configure and maintain cloud deployments?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Cloud-based technologies are governed no differently from on-premises network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to ensure the architecture for cloud-based technologies supports applicable cybersecurity and data protection requirements.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud deployments.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ System Security & Privacy Plan (SSPP)",
        "small": "∙ System Security & Privacy Plan (SSPP)",
        "medium": "∙ Architectural review board\n∙ System Security & Privacy Plan (SSPP)\n∙ Security architecture roadmaps",
        "large": "∙ Steering committee\n∙ Architectural review board\n∙ System Security & Privacy Plan (SSPP)\n∙ Security architecture roadmaps",
        "enterprise": "∙ Steering committee\n∙ Architectural review board\n∙ System Security & Privacy Plan (SSPP)\n∙ Security architecture roadmaps"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-csa-iot-2": [
          "CLS-01",
          "CLS-05"
        ],
        "general-iso-27002-2022": [
          "5.23"
        ],
        "general-iso-27017-2015": [
          "4.1",
          "4.4"
        ],
        "general-iso-27018-2025": [
          "5.23"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.3",
          "TS-2.0",
          "TS-2.12",
          "TS-8.2"
        ],
        "general-nist-800-171-r2": [
          "3.1.22",
          "NFO–PL-8"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-shared-assessments-sig-2025": [
          "N.2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.EUSSE"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.1.h"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)",
          "7123(c)(10)"
        ],
        "emea-deu-c5-2020": [
          "COS-01",
          "COS-02"
        ],
        "emea-sau-cgiot-2024": [
          "4-2-1",
          "4-2-2"
        ],
        "emea-sau-ecc-1-2018": [
          "4-2-3-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.4",
          "3.3.8",
          "3.4.3"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S13"
        ],
        "apac-jpn-ismap": [
          "8.1.2.7.PB",
          "9.2.3.11.PB"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP51",
          "HML51"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP43"
        ],
        "apac-nzl-ism-3-9": [
          "22.1.23.C.01",
          "22.1.23.C.02",
          "22.1.23.C.03",
          "23.1.54.C.01",
          "23.1.54.C.02",
          "23.1.56.C.01",
          "23.2.20.C.01"
        ]
      }
    },
    {
      "control_id": "CLD-03",
      "title": "Cloud Infrastructure Security Subnet",
      "family": "CLD",
      "description": "Mechanisms exist to host security-specific technologies in a dedicated subnet.",
      "scf_question": "Does the organization host security-specific technologies in a dedicated subnet?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.\n▪ The cloud infrastructure incorporates a managed security zone to house cybersecurity and data protection tools.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to host security-specific technologies in a dedicated subnet.",
        "4": "Compliance (CPL) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable default security settings on cloud accounts (MFA, basic firewall rules)",
        "small": "∙ Cloud security policy\n∙ Enable cloud provider security baseline controls",
        "medium": "∙ Cloud security program\n∙ CSPM tool (e.g., Microsoft Defender for Cloud)",
        "large": "∙ Enterprise CSPM/CWPP (e.g., Wiz, Prisma Cloud)\n∙ Cloud security architecture review",
        "enterprise": "∙ Enterprise CNAPP (e.g., Wiz, Prisma Cloud, CrowdStrike Falcon)\n∙ DevSecOps cloud integration"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SC-07(29)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(29)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(29)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-07(29)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-07(29)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07(29)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(29)"
        ],
        "general-nist-800-171-r2": [
          "3.13.2",
          "NFO–PL-8"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(29)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(29)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(29)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(29)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)",
          "7123(c)(10)"
        ],
        "emea-deu-c5-2020": [
          "COS-01",
          "COS-02",
          "COS-05"
        ],
        "emea-isr-cmo-1-0": [
          "9.2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1385",
          "ISM-1750"
        ],
        "apac-nzl-ism-3-9": [
          "22.1.24.C.02"
        ]
      }
    },
    {
      "control_id": "CLD-04",
      "title": "Application Programming Interface (API) Security",
      "family": "CLD",
      "description": "Mechanisms exist to ensure support for secure interoperability between components with Application Programming Interfaces (APIs).",
      "scf_question": "Does the organization ensure support for secure interoperability between components with Application Programming Interfaces (APIs)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure support for secure interoperability between components with Application Programming Interfaces (APIs).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable default security settings on cloud accounts (MFA, basic firewall rules)",
        "small": "∙ Cloud security policy\n∙ Enable cloud provider security baseline controls",
        "medium": "∙ Cloud security program\n∙ CSPM tool (e.g., Microsoft Defender for Cloud)",
        "large": "∙ Enterprise CSPM/CWPP (e.g., Wiz, Prisma Cloud)\n∙ Cloud security architecture review",
        "enterprise": "∙ Enterprise CNAPP (e.g., Wiz, Prisma Cloud, CrowdStrike Falcon)\n∙ DevSecOps cloud integration"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "AIS-08",
          "IPY-02",
          "IPY-03"
        ],
        "general-csa-iot-2": [
          "CLS-07",
          "CLS-12",
          "CLS-13"
        ],
        "general-iso-27002-2022": [
          "5.23",
          "8.26"
        ],
        "general-iso-27018-2025": [
          "5.23",
          "8.26"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.6",
          "6.6.2",
          "6.6.3"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(6)"
        ],
        "emea-deu-c5-2020": [
          "PI-01"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-3"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S17"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP52",
          "HML52"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP44"
        ]
      }
    },
    {
      "control_id": "CLD-04.1",
      "title": "API Gateway",
      "family": "CLD",
      "description": "Mechanisms exist to implement an Application Programming Interface (API) Gateway, or similar technology, to serve as a controlled entry point that manages interactions between client-facing requests and backend services.",
      "scf_question": "Does the organization implement an Application Programming Interface (API) Gateway, or similar technology, to serve as a controlled entry point that manages interactions between client-facing requests and backend services?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.\n▪ Cloud requirements for interoperability between components (APIs) are identified and documented.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement an Application Programming Interface (API) Gateway, or similar technology, to serve as a controlled entry point that manages interactions between client-facing requests and backend services.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable default security settings on cloud accounts (MFA, basic firewall rules)",
        "small": "∙ Cloud security policy\n∙ Enable cloud provider security baseline controls",
        "medium": "∙ Cloud security program\n∙ CSPM tool (e.g., Microsoft Defender for Cloud)",
        "large": "∙ Enterprise CSPM/CWPP (e.g., Wiz, Prisma Cloud)\n∙ Cloud security architecture review",
        "enterprise": "∙ Enterprise CNAPP (e.g., Wiz, Prisma Cloud, CrowdStrike Falcon)\n∙ DevSecOps cloud integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.4.1"
        ]
      }
    },
    {
      "control_id": "CLD-05",
      "title": "Virtual Machine Images",
      "family": "CLD",
      "description": "Mechanisms exist to ensure the integrity of virtual machine images at all times.",
      "scf_question": "Does the organization ensure the integrity of virtual machine images at all times?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the integrity of virtual machine images at all times.",
        "4": "Compliance (CPL) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable default security settings on cloud accounts (MFA, basic firewall rules)",
        "small": "∙ Cloud security policy\n∙ Enable cloud provider security baseline controls",
        "medium": "∙ Cloud security program\n∙ CSPM tool (e.g., Microsoft Defender for Cloud)",
        "large": "∙ Enterprise CSPM/CWPP (e.g., Wiz, Prisma Cloud)\n∙ Cloud security architecture review",
        "enterprise": "∙ Enterprise CNAPP (e.g., Wiz, Prisma Cloud, CrowdStrike Falcon)\n∙ DevSecOps cloud integration"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "emea-deu-c5-2020": [
          "PSS-11"
        ]
      }
    },
    {
      "control_id": "CLD-06",
      "title": "Multi-Tenant Environments",
      "family": "CLD",
      "description": "Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.",
      "scf_question": "Does the organization ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ System Security & Privacy Plan (SSPP)",
        "small": "∙ System Security & Privacy Plan (SSPP)",
        "medium": "∙ Architectural review board\n∙ System Security & Privacy Plan (SSPP)\n∙ Security architecture roadmaps",
        "large": "∙ Steering committee\n∙ Architectural review board\n∙ System Security & Privacy Plan (SSPP)\n∙ Security architecture roadmaps",
        "enterprise": "∙ Steering committee\n∙ Architectural review board\n∙ System Security & Privacy Plan (SSPP)\n∙ Security architecture roadmaps"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-iso-27002-2022": [
          "5.23"
        ],
        "general-iso-27018-2025": [
          "5.23"
        ],
        "general-nist-800-171-r2": [
          "3.1.22"
        ],
        "general-nist-800-171a": [
          "3.1.22[a]",
          "3.1.22[b]",
          "3.1.22[c]",
          "3.1.22[d]",
          "3.1.22[e]"
        ],
        "general-pci-dss-4-0-1": [
          "A1.1",
          "A1.1.1",
          "A1.1.2",
          "A1.1.3",
          "A1.1.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "A1.1.1",
          "A1.1.2",
          "A1.1.3",
          "A1.1.4"
        ],
        "general-shared-assessments-sig-2025": [
          "N.2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.EUSSE"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "emea-deu-c5-2020": [
          "OPS-24"
        ],
        "emea-isr-cmo-1-0": [
          "10.1",
          "11.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1529"
        ],
        "apac-jpn-ismap": [
          "9.5.1.P",
          "9.5.1.1.P",
          "9.5.1.2.P",
          "9.5.1.3.P",
          "9.5.1.4.P"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP53",
          "HML53"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP45"
        ],
        "apac-nzl-ism-3-9": [
          "23.1.55.C.01",
          "23.1.55.C.02",
          "23.1.55.C.03",
          "23.2.20.C.01"
        ]
      }
    },
    {
      "control_id": "CLD-06.1",
      "title": "Customer Responsibility Matrix (CRM)",
      "family": "CLD",
      "description": "Mechanisms exist to formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for security, compliance and resilience controls between the Cloud Service Provider (CSP) and its customers.",
      "scf_question": "Does the organization formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for security, compliance and resilience controls between the Cloud Service Provider (CSP) and its customers?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ A Shared Responsibility Matrix (SRM), or similar Customer Responsibility Matrix (CRM), is documented for each Cloud Service Provider (CSP) instance.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.\n▪ A Shared Responsibility Matrix (SRM), or similar Customer Responsibility Matrix (CRM), is documented for each Cloud Service Provider (CSP) instance and takes into account differences between Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) methodologies.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for security, compliance and resilience controls between the Cloud Service Provider (CSP) and its customers.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "small": "∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "medium": "∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "large": "∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "enterprise": "∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix"
      },
      "risks": [
        "R-AM-3",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-iso-27001-2022": [
          "4.3(c)"
        ],
        "general-iso-27002-2022": [
          "5.23"
        ],
        "general-iso-27018-2025": [
          "5.23"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.11"
        ],
        "general-pci-dss-4-0-1": [
          "12.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.4.1"
        ],
        "apac-jpn-ismap": [
          "6.3.1.1.PB"
        ],
        "apac-nzl-ism-3-9": [
          "23.1.55.C.01",
          "23.1.55.C.02",
          "23.1.55.C.03"
        ]
      }
    },
    {
      "control_id": "CLD-06.2",
      "title": "Multi-Tenant Event Logging Capabilities",
      "family": "CLD",
      "description": "Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AM-3",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "A1.2",
          "A1.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "A1.2.1"
        ],
        "apac-nzl-ism-3-9": [
          "23.5.11.C.01",
          "23.5.12.C.01",
          "23.5.12.C.02"
        ]
      }
    },
    {
      "control_id": "CLD-06.3",
      "title": "Multi-Tenant Forensics Capabilities",
      "family": "CLD",
      "description": "Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.",
      "scf_question": "Does the organization ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AM-3",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "A1.2",
          "A1.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "A1.2.2"
        ]
      }
    },
    {
      "control_id": "CLD-06.4",
      "title": "Multi-Tenant Incident Response Capabilities",
      "family": "CLD",
      "description": "Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.",
      "scf_question": "Does the organization ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ A Shared Responsibility Matrix (SRM), or similar Customer Responsibility Matrix (CRM), is documented for each Cloud Service Provider (CSP) instance.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AM-3",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "A1.2",
          "A1.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "A1.2.3"
        ],
        "apac-nzl-ism-3-9": [
          "23.5.12.C.01",
          "23.5.12.C.02"
        ]
      }
    },
    {
      "control_id": "CLD-07",
      "title": "Data Handling & Portability",
      "family": "CLD",
      "description": "Mechanisms exist to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization ensure cloud providers use secure protocols for the import, export and management of data in cloud-based Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AM-3",
        "R-EX-5",
        "R-GV-1",
        "R-IR-3"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IPY-03"
        ],
        "emea-deu-c5-2020": [
          "PI-01",
          "PI-02"
        ]
      }
    },
    {
      "control_id": "CLD-08",
      "title": "Standardized Virtualization Formats",
      "family": "CLD",
      "description": "Mechanisms exist to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.",
      "scf_question": "Does the organization ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AM-3",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-5",
        "R-GV-1",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "emea-deu-c5-2020": [
          "PSS-11"
        ]
      }
    },
    {
      "control_id": "CLD-09",
      "title": "Geolocation Requirements for Processing, Storage and Service Locations",
      "family": "CLD",
      "description": "Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AST-06",
        "E-AST-23",
        "E-DCH-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Geolocation requirements for sensitive/regulated data types identify restrictions on transfer of data to third-countries or international organizations.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to govern geolocation requirements for sensitive/regulated data types, including the transfer of data to third-countries or international organizations.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.",
        "4": "Compliance (CPL) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cloud Security (CLD) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data Protection Impact Assessment (DPIA)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Data Protection Impact Assessment (DPIA)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Data Protection Impact Assessment (DPIA)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Data Protection Impact Assessment (DPIA)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Data Protection Impact Assessment (DPIA)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF9"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-19"
        ],
        "general-govramp": [
          "SA-09(05)"
        ],
        "general-govramp-high": [
          "SA-09(05)"
        ],
        "general-iso-27002-2022": [
          "5.23"
        ],
        "general-iso-27018-2025": [
          "5.23"
        ],
        "general-nist-800-53-r4": [
          "SA-9(5)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "general-nist-800-82-r3": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "general-nist-800-161-r1": [
          "SA-9(5)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-9(5)"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.7.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-5)",
          "SA-9(CE-8)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-9(5)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-3.c"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-09 (05)"
        ],
        "emea-deu-c5-2020": [
          "PI-02",
          "PSS-12"
        ],
        "emea-ken-pda-2019": [
          "25(h)"
        ],
        "emea-qat-pdppl-2020": [
          "15"
        ],
        "emea-sau-cscc-1-2019": [
          "4-2-1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "4-1-3-2",
          "4-2-3-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-30"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 8"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1572"
        ],
        "apac-chn-pipl-2021": [
          "38",
          "39",
          "40"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S2"
        ],
        "apac-jpn-ppi-2020": [
          "24(1)"
        ],
        "apac-nzl-ism-3-9": [
          "22.1.22.C.01",
          "22.1.22.C.02",
          "22.1.22.C.03",
          "22.1.22.C.04",
          "22.1.22.C.05",
          "22.1.22.C.06",
          "23.4.11.C.01",
          "23.4.11.C.02"
        ],
        "americas-arg-ppd-2018": [
          "12.1",
          "12.2"
        ],
        "americas-bra-lgpd-2018": [
          "33",
          "34"
        ]
      }
    },
    {
      "control_id": "CLD-10",
      "title": "Sensitive Data In Public Cloud Providers",
      "family": "CLD",
      "description": "Mechanisms exist to limit and manage the storage of sensitive/regulated data in public cloud providers.",
      "scf_question": "Does the organization limit and manage the storage of sensitive/regulated data in public cloud providers?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-08"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Cloud Security (CLD) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cloud management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cloud management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Cloud-based Technology Assets, Applications and/or Services (TAAS) are governed according to the same processes used for on-premises TAAS, where no formal, dedicated cloud governance process exists.",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit and manage the storage of sensitive/regulated data in public cloud providers.",
        "4": "Cloud Security (CLD) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data Protection Impact Assessment (DPIA)\n∙ Security and network architecture diagrams\n∙ Data Flow Diagram (DFD)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Data Protection Impact Assessment (DPIA)\n∙ Security and network architecture diagrams\n∙ Data Flow Diagram (DFD)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Data Protection Impact Assessment (DPIA)\n∙ Security and network architecture diagrams\n∙ Data Flow Diagram (DFD)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Data Protection Impact Assessment (DPIA)\n∙ Security and network architecture diagrams\n∙ Data Flow Diagram (DFD)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Data Protection Impact Assessment (DPIA)\n∙ Security and network architecture diagrams\n∙ Data Flow Diagram (DFD)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-17"
        ],
        "general-nist-800-171-r2": [
          "3.1.22"
        ],
        "general-nist-800-171a": [
          "3.1.22[a]",
          "3.1.22[b]",
          "3.1.22[c]",
          "3.1.22[d]",
          "3.1.22[e]"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "emea-isr-cmo-1-0": [
          "11.6"
        ],
        "apac-nzl-ism-3-9": [
          "2.3.23.C.01",
          "22.1.22.C.04",
          "22.1.22.C.05"
        ]
      }
    },
    {
      "control_id": "CLD-11",
      "title": "Cloud Access Security Broker (CASB)",
      "family": "CLD",
      "description": "Mechanisms exist to utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources.",
      "scf_question": "Does the organization utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cloud Access Security Broker (CASB)",
        "small": "∙ Cloud Access Security Broker (CASB)",
        "medium": "∙ Cloud Access Security Broker (CASB)",
        "large": "∙ Cloud Access Security Broker (CASB)",
        "enterprise": "∙ Cloud Access Security Broker (CASB)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF5"
        ],
        "general-csa-iot-2": [
          "CLS-12"
        ],
        "general-shared-assessments-sig-2025": [
          "P.8"
        ],
        "emea-deu-c5-2020": [
          "COS-04"
        ],
        "emea-isr-cmo-1-0": [
          "9.10",
          "11.8",
          "16.4"
        ],
        "apac-nzl-ism-3-9": [
          "22.1.24.C.01",
          "22.1.24.C.02",
          "22.1.24.C.03",
          "22.1.24.C.04"
        ]
      }
    },
    {
      "control_id": "CLD-12",
      "title": "Side Channel Attack Prevention",
      "family": "CLD",
      "description": "Mechanisms exist to prevent \"side channel attacks\" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.",
      "scf_question": "Does the organization prevent \"side channel attacks\" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent \"side channel attacks\" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-csa-iot-2": [
          "CLS-02",
          "CLS-12"
        ],
        "general-pci-dss-4-0-1": [
          "12.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.4.2"
        ],
        "general-shared-assessments-sig-2025": [
          "N.11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1438",
          "ISM-1439"
        ]
      }
    },
    {
      "control_id": "CLD-13",
      "title": "Hosted Assets, Applications & Services",
      "family": "CLD",
      "description": "Mechanisms exist to specify applicable security, compliance and resilience that must be implemented on external Technology Assets, Applications and/or Services (TAAS), consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external TAAS.",
      "scf_question": "Does the organization specify applicable security, compliance and resilience that must be implemented on external Technology Assets, Applications and/or Services (TAAS), consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external TAAS?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to specify applicable security, compliance and resilience that must be implemented on external Technology Assets, Applications and/or Services (TAAS), consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external TAAS.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cloud Security",
      "crosswalks": {
        "general-nist-800-207": [
          "NIST Tenet 1"
        ]
      }
    },
    {
      "control_id": "CLD-13.1",
      "title": "Authorized Individuals For Hosted Assets, Applications & Services",
      "family": "CLD",
      "description": "Mechanisms exist to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {}
    },
    {
      "control_id": "CLD-13.2",
      "title": "Sensitive / Regulated Data On Hosted Assets, Applications & Services",
      "family": "CLD",
      "description": "Mechanisms exist to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external Technology Assets, Applications and/or Services (TAAS), in accordance with all applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external Technology Assets, Applications and/or Services (TAAS), in accordance with all applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external Technology Assets, Applications and/or Services (TAAS), in accordance with all applicable statutory, regulatory and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {}
    },
    {
      "control_id": "CLD-14",
      "title": "Prohibition On Unverified Hosted Assets, Applications & Services",
      "family": "CLD",
      "description": "Mechanisms exist to prohibit access to, or usage of, hosted Technology Assets, Applications and/or Services (TAAS) until applicable security, compliance and/or resilience control implementation is verified.",
      "scf_question": "Does the organization prohibit access to, or usage of, hosted Technology Assets, Applications and/or Services (TAAS) until applicable security, compliance and/or resilience control implementation is verified?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit access to, or usage of, hosted Technology Assets, Applications and/or Services (TAAS) until applicable security, compliance and/or resilience control implementation is verified.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cloud Security",
      "crosswalks": {}
    },
    {
      "control_id": "CLD-15",
      "title": "Software Defined Storage (SDS)",
      "family": "CLD",
      "description": "Automated mechanisms exist to utilize Software Defined Storage (SDS) to scale access management permissions to Technology Assets, Applications, Services and/or Data (TAASD).",
      "scf_question": "Does the organization utilize Software Defined Storage (SDS) to scale access management permissions to Technology Assets, Applications, Services and/or Data (TAASD)?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cloud Security (CLD) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CLD domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cloud management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cloud Security (CLD) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CLD domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CLD domain capabilities are well-documented and kept current by process owners.\n▪ A cloud governance team, or similar function, is appropriately staffed and supported to implement and maintain CLD domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cloud governance operations (e.g., multi-cloud governance tools, policy enforcement, cost management, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CLD domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically utilize Software Defined Storage (SDS) to scale access management permissions to TAASD.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable default security settings on cloud accounts (MFA, basic firewall rules)",
        "small": "∙ Cloud security policy\n∙ Enable cloud provider security baseline controls",
        "medium": "∙ Cloud security program\n∙ CSPM tool (e.g., Microsoft Defender for Cloud)",
        "large": "∙ Enterprise CSPM/CWPP (e.g., Wiz, Prisma Cloud)\n∙ Cloud security architecture review",
        "enterprise": "∙ Enterprise CNAPP (e.g., Wiz, Prisma Cloud, CrowdStrike Falcon)\n∙ DevSecOps cloud integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cloud Security",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.7",
          "4.7.1",
          "4.7.2",
          "4.7.3",
          "4.7.4",
          "4.7.5",
          "4.7.6",
          "4.7.7"
        ]
      }
    },
    {
      "control_id": "CPL-01",
      "title": "Statutory, Regulatory & Contractual Compliance",
      "family": "CPL",
      "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
      "scf_question": "Does the organization facilitate the identification and implementation of relevant statutory, regulatory and contractual controls?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-CPL-01",
        "E-GOV-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Compliance (CPL) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CPL domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Compliance management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Compliance efforts are narrowly limited to certain compliance requirements.\n▪ IT and/or cybersecurity personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel perform an informal annual review of existing compliance requirements and research evolving or new requirements.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Steering committee",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Steering committee",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Steering committee"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF9"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.5",
          "CC2.2",
          "CC2.3",
          "CC2.3-POF5",
          "CC3.1-POF5",
          "CC3.1-POF8",
          "CC3.1-POF9",
          "CC3.1-POF14"
        ],
        "general-cobit-2019": [
          "MEA03.01"
        ],
        "general-coso-2013": [
          "14",
          "15"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-04",
          "GRC-07"
        ],
        "general-csa-iot-2": [
          "CLS-04",
          "GVN-02",
          "GVN-04",
          "LGL-01",
          "LGL-03",
          "LGL-04",
          "LGL-05",
          "LGL-06",
          "LGL-07",
          "LGL-08",
          "OPA-05"
        ],
        "general-govramp": [
          "PL-01"
        ],
        "general-govramp-low": [
          "PL-01"
        ],
        "general-govramp-low-plus": [
          "PL-01"
        ],
        "general-govramp-mod": [
          "PL-01"
        ],
        "general-govramp-high": [
          "PL-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.9"
        ],
        "general-iso-22301-2019": [
          "4.2.2(a)",
          "4.2.2(b)",
          "4.2.2(c)"
        ],
        "general-iso-27001-2022": [
          "4.1",
          "9.1",
          "9.2.1",
          "9.2.2"
        ],
        "general-iso-27002-2022": [
          "5.31",
          "8.34"
        ],
        "general-iso-27017-2015": [
          "18.1.1"
        ],
        "general-iso-27018-2025": [
          "5.1(b)",
          "5.31",
          "6.3(b)",
          "8.34"
        ],
        "general-iso-27701-2025": [
          "4.1",
          "4.2(a)",
          "4.2(b)",
          "4.2(c)"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-42001-2023": [
          "4.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-5.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.1",
          "GV-1.1-001",
          "MG-4.3-003"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P5"
        ],
        "general-nist-800-53-r4": [
          "PL-1",
          "PM-8"
        ],
        "general-nist-800-53-r5-2": [
          "PL-01",
          "PM-08"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-01",
          "PM-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-01"
        ],
        "general-nist-800-66-r2": [
          "164.314(a)"
        ],
        "general-nist-800-82-r3": [
          "PL-01",
          "PM-08"
        ],
        "general-nist-800-82-r3-low": [
          "PL-01",
          "PM-08"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-01",
          "PM-08"
        ],
        "general-nist-800-82-r3-high": [
          "PL-01",
          "PM-08"
        ],
        "general-nist-800-161-r1": [
          "PL-1",
          "PM-8"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PL-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-8"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-1"
        ],
        "general-nist-800-171-r2": [
          "NFO - PL-1"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.a",
          "03.12.01"
        ],
        "general-nist-800-218": [
          "PO.1",
          "PO.1.2"
        ],
        "general-nist-csf-2-0": [
          "GV.OC",
          "GV.OC-03",
          "GV.SC-05",
          "PR"
        ],
        "general-pci-dss-4-0-1": [
          "12.4",
          "12.4.2",
          "A3.1",
          "A3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.4.2"
        ],
        "general-scf-dpmp-2025": [
          "2.4",
          "11.6"
        ],
        "general-shared-assessments-sig-2025": [
          "L.1"
        ],
        "general-tisax-6-0-3": [
          "1.1.1",
          "1.2.1",
          "7.1.1",
          "7.1.2"
        ],
        "general-un-155-2021": [
          "7.1.1"
        ],
        "general-un-ece-wp-29-2020": [
          "7.1.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "COMP:SG1",
          "COMP:SG1.SP1",
          "COMP:SG1.SP2",
          "COMP:SG1.SP3",
          "COMP:SG2",
          "COMP:SG2.SP1",
          "COMP:SG2.SP2",
          "COMP:SG2.SP3",
          "COMP:GG1",
          "COMP:GG1.GP1",
          "COMP:GG2",
          "COMP:GG2.GP2"
        ],
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(a)(1)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.GPAUD"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "4.1.1",
          "4.2.1",
          "4.2.2",
          "4.3",
          "PL-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "PROGRAM-1g"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.7.c",
          "III.5.a",
          "III.5.b.i"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.6.1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)(1)(i)",
          "252.204-7012(b)(1)(ii)",
          "252.204-7012(k)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(1)(ii)",
          "609.930(d)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(b)",
          "11.10(c)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-01",
          "PM-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-01",
          "PM-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-01",
          "PM-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-01",
          "PM-08"
        ],
        "usa-federal-law-ferpa-2010": [
          "1232h(c)(1)(C)(i)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)",
          "155.260(b)(3)(i)",
          "155.260(b)(3)(ii)",
          "155.260(b)(3)(iii)",
          "155.260(b)(3)(iii)(A)",
          "155.260(b)(3)(iii)(B)",
          "155.260(b)(3)(iii)(C)",
          "155.260(e)(1)",
          "155.260(e)(2)",
          "155.260(e)(3)",
          "155.260(e)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(c)",
          "164.306(d)(1)",
          "164.306(d)(2)",
          "164.314(a)(1)",
          "164.314(a)(2)(ii)",
          "164.504(g)(1)",
          "164.530(i)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(c)",
          "164.306(d)(1)",
          "164.306(d)(2)",
          "164.314(a)(1)",
          "164.314(a)(2)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.E.6.1",
          "PL-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-1",
          "PM-8"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.9",
          "CIP-003-8 1.2.6"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(f)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.d",
          "9-5",
          "11-2",
          "11-3.b(2)",
          "11-6",
          "13-3",
          "13-3.a",
          "13-4"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "II.B.2",
          "II.B.3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7013(h)",
          "7022(d)",
          "7023(e)",
          "7050(b)",
          "7072(b)",
          "7123(b)(3)",
          "7200(a)",
          "7200(b)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1305(1)",
          "6-1-1305(2)",
          "6-1-1305(2)(b)",
          "6-1-1305(2)(c)",
          "6-1-1308(6)"
        ],
        "usa-state-il-ipa-2009": [
          "15",
          "25",
          "35(a)(1)",
          "37(a)(1)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(6)",
          "500.2(d)",
          "500.2(e)",
          "500.17(a)(2)",
          "500.17(b)(1)",
          "500.17(b)(1)(i)",
          "500.17(b)(1)(i)(a)",
          "500.17(b)(1)(i)(b)",
          "500.17(b)(1)(ii)",
          "500.17(b)(1)(ii)(a)",
          "500.17(b)(1)(ii)(b)",
          "500.17(b)(1)(ii)(c)",
          "500.17(b)(2)",
          "500.17(b)(3)",
          "500.17(c)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 7(1)(b)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.101(b)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AT-02-SID",
          "AT-03-SID",
          "PL-01"
        ],
        "usa-state-tx-sb820-2019": [
          "11.175(c)"
        ],
        "usa-state-tx-sb2610-2025": [
          "542.004(a)(4)(A)",
          "542.004(a)(4)(B)",
          "542.004(a)(4)(C)",
          "542.004(b)",
          "542.004(b)(2)",
          "542.004(b)(2)(A)",
          "542.004(b)(2)(B)",
          "542.004(b)(2)(C)",
          "542.004(b)(2)(D)",
          "542.004(b)(3)",
          "542.004(c)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PL-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-01"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-581.E"
        ],
        "usa-state-vt-act-171-2018": [
          "2446(a)(2)",
          "2446(a)(3)",
          "2446(a)(3)(A)",
          "2446(a)(3)(B)",
          "2446(a)(3)(B)(i)",
          "2446(a)(3)(B)(ii)",
          "2446(a)(3)(B)(iii)",
          "2446(a)(3)(C)",
          "2446(a)(3)(D)",
          "2446(a)(3)(E)",
          "2446(a)(3)(F)",
          "2446(a)(3)(G)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 16(l)",
          "Article 17.1(a)",
          "Article 21.3",
          "Article 40.1"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.1(1)",
          "3.8(92)",
          "3.8(93)",
          "3.8(94)",
          "3.8(95)",
          "3.8(96)",
          "3.8(97)",
          "3.8(98)"
        ],
        "emea-eu-dora-2023": [
          "Article 4.1",
          "Article 4.2",
          "Article 4.3",
          "Article 5.4"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1"
        ],
        "emea-us-psd2-2015": [
          "3",
          "29"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 9",
          "Sec 9a",
          "Annex"
        ],
        "emea-deu-bsrit-2017": [
          "12.5"
        ],
        "emea-deu-c5-2020": [
          "SP-01",
          "PI-02",
          "COM-01"
        ],
        "emea-grc-pirppd-1997": [
          "10"
        ],
        "emea-hun-isdfi-2011": [
          "7"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "1.3"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "26",
          "31",
          "33",
          "34",
          "35"
        ],
        "emea-ken-pda-2019": [
          "4(a)",
          "4(b)(i)",
          "4(b)(ii)",
          "51(1)",
          "51(2)(a)",
          "51(2)(b)",
          "51(2)(c)",
          "52(1)(a)",
          "52(1)(b)",
          "52(1)(c)",
          "52(2)",
          "52(3)",
          "54",
          "55(1)(a)",
          "55(1)(b)",
          "55(2)"
        ],
        "emea-nga-dpr-2019": [
          "2.1(2)",
          "2.1(3)",
          "3.1(16)",
          "4.1(1)",
          "4.1(6)",
          "4.1(7)"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36"
        ],
        "emea-qat-pdppl-2020": [
          "2"
        ],
        "emea-rus-federal-law-27-2006": [
          "7",
          "19"
        ],
        "emea-sau-cscc-1-2019": [
          "1-4"
        ],
        "emea-sau-cgiot-2024": [
          "1-2-3",
          "1-6-1",
          "2-6-1",
          "2-7-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-7-1",
          "1-7-2"
        ],
        "emea-sau-pdpl-2023": [
          "Article 2.1",
          "Article 30.3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-20",
          "TPC-21",
          "TPC-43"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.2",
          "3.2.3",
          "3.3.13"
        ],
        "emea-srb-act-9-2018": [
          "5.1",
          "13",
          "49",
          "59"
        ],
        "emea-zaf-popia-2013": [
          "2",
          "3",
          "9",
          "19",
          "21"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 3.1",
          "Article 39"
        ],
        "emea-esp-decree-311-2022": [
          "3.1",
          "39"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.1.5 [OP.PL.5]"
        ],
        "emea-che-fadp-2025": [
          "7"
        ],
        "emea-tur-lppd-2016": [
          "12"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "0001",
          "0002",
          "2314"
        ],
        "emea-gbr-def-stan-05-138-l0-2024": [
          "0001",
          "2314"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "0001",
          "2314"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "0001",
          "0002",
          "2314"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "0001",
          "0002",
          "2314"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0078",
          "ISM-0854"
        ],
        "apac-aus-ps-cps-230-2023": [
          "28"
        ],
        "apac-aus-ps-cps-234-2019": [
          "31",
          "35",
          "35(a)",
          "35(b)",
          "36"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 9",
          "Article 10",
          "Article 21",
          "Article 23",
          "Article 26",
          "Article 27",
          "Article 34",
          "Article 34(5)",
          "Article 41",
          "Article 47"
        ],
        "apac-chn-data-security-law-2021": [
          "46"
        ],
        "apac-chn-csnip-2012": [
          "4"
        ],
        "apac-chn-pipl-2021": [
          "32",
          "37",
          "38(4)",
          "42"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 4"
        ],
        "apac-ind-dpdpa-2023": [
          "7(c)",
          "7(d)",
          "7(e)",
          "8(1)",
          "8(4)"
        ],
        "apac-ind-privacy-rules-2011": [
          "8"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S2",
          "PR.IP.S13",
          "RS.MA.S5"
        ],
        "apac-jpn-ppi-2020": [
          "20",
          "21",
          "22",
          "26(1)",
          "26(1)(i)",
          "26(1)(ii)",
          "26(2)",
          "26(3)",
          "26(4)",
          "26-2(1)",
          "26-2(1)(i)",
          "26-2(1)(ii)",
          "26-2(2)",
          "26-2(3)",
          "36",
          "37",
          "38",
          "39",
          "51(1)",
          "51(2)",
          "52(1)",
          "53(2)",
          "53(3)",
          "53(1)",
          "53(4)",
          "54",
          "55"
        ],
        "apac-jpn-ismap": [
          "4.4.2.1",
          "5.1.1.3",
          "18",
          "18.1",
          "18.1.1",
          "18.1.1.1",
          "18.1.1.2",
          "18.1.1.3",
          "18.1.1.4.P",
          "18.1.1.5.P",
          "18.1.1.6.P",
          "18.1.1.7.P",
          "18.1.5.7.PB"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP29",
          "HML29"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP25"
        ],
        "apac-nzl-ism-3-9": [
          "1.1.64.C.01",
          "1.1.65.C.01",
          "1.1.66.C.01",
          "1.1.66.C.02",
          "1.1.67.C.01"
        ],
        "apac-phl-dpa-2012": [
          "25"
        ],
        "apac-sgp-pdpa-2012": [
          "24"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "3.1(a)",
          "3.1(b)",
          "3.1(c)"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.2.3"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "29"
        ],
        "apac-twn-pdpa-2025": [
          "27"
        ],
        "americas-arg-ppd-2018": [
          "10.1",
          "10.2"
        ],
        "americas-bhs-dpa-2003": [
          "6"
        ],
        "americas-bra-lgpd-2018": [
          "7.1",
          "7.2",
          "7.3",
          "7.4",
          "7.5",
          "7.6",
          "7.7",
          "7.8",
          "7.9",
          "7.10"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.A",
          "03.12.01"
        ],
        "americas-can-pipeda-2000": [
          "Principle 7"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "19"
        ]
      }
    },
    {
      "control_id": "CPL-01.1",
      "title": "Non-Compliance Oversight",
      "family": "CPL",
      "description": "Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.",
      "scf_question": "Does the organization document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-CPL-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity perform an informal annual review of existing compliance requirements and research evolving or new requirements.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "small": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "medium": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "large": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "enterprise": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF6",
          "M1.2-POF7",
          "M9.1-POF4",
          "M9.1-POF5"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.1-POF4",
          "CC1.5",
          "CC4.2",
          "CC4.2-POF1",
          "CC4.2-POF2",
          "CC4.2-POF3"
        ],
        "general-bsi-200-1-1-0": [
          "7.4"
        ],
        "general-cobit-2019": [
          "MEA01.02",
          "MEA01.05",
          "MEA02.04"
        ],
        "general-coso-2013": [
          "17"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-05",
          "A&A-06"
        ],
        "general-csa-iot-2": [
          "GVN-04"
        ],
        "general-iso-22301-2019": [
          "10.1.1",
          "10.1.2",
          "10.1.2(a)",
          "10.1.2(a)(1)",
          "10.1.2(a)(2)",
          "10.1.2(b)",
          "10.1.2(b)(1)",
          "10.1.2(b)(2)",
          "10.1.2(b)(3)",
          "10.1.2(c)",
          "10.1.2(d)",
          "10.1.2(e)",
          "10.1.3",
          "10.1.3(a)",
          "10.1.3(b)"
        ],
        "general-iso-27001-2022": [
          "9.1",
          "9.1(a)",
          "9.1(b)",
          "9.1(c)",
          "9.1(d)",
          "9.1(e)",
          "9.1(f)",
          "10.2",
          "10.2(a)",
          "10.2(a)(1)",
          "10.2(a)(2)",
          "10.2(b)",
          "10.2(b)(1)",
          "10.2(b)(2)",
          "10.2(b)(3)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)",
          "10.2(f)",
          "10.2(g)"
        ],
        "general-iso-27701-2025": [
          "10.2",
          "10.2(a)",
          "10.2(b)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31010-2009": [
          "4.3.6",
          "5.6"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.E(2)(b)"
        ],
        "general-nist-800-171-r3": [
          "03.12.02.a.01"
        ],
        "general-pci-dss-4-0-1": [
          "12.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.4.2"
        ],
        "general-scf-dpmp-2025": [
          "11.6"
        ],
        "general-tisax-6-0-3": [
          "1.5.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "COMP:SG3.SP3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.PEPAR"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2l",
          "ARCHITECTURE-1i"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(1)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.D.9"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(3)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)(6)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.2(h)",
          "Article 16(j)",
          "Article 20.1",
          "Article 41.5"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.4"
        ],
        "emea-sau-cgiot-2024": [
          "1-7-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-6",
          "1-6-1"
        ],
        "apac-aus-ps-cps-230-2023": [
          "30",
          "31"
        ],
        "apac-aus-ps-cps-234-2019": [
          "29",
          "35",
          "35(a)",
          "35(b)",
          "36"
        ],
        "apac-chn-pipl-2021": [
          "54"
        ],
        "apac-jpn-ppi-2020": [
          "40(1)",
          "40(2)",
          "40(3)"
        ],
        "apac-jpn-ismap": [
          "4.6.1.1",
          "4.7.1.1",
          "4.7.1.2"
        ],
        "apac-nzl-ism-3-9": [
          "1.1.68.C.01",
          "1.1.69.C.01",
          "1.1.69.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.2.3",
          "4.5.2",
          "4.5.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.7"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.10",
          "6.14"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.02.A.01"
        ]
      }
    },
    {
      "control_id": "CPL-01.2",
      "title": "Compliance Scope",
      "family": "CPL",
      "description": "Mechanisms exist to document and validate the scope of security, compliance and resilience controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.",
      "scf_question": "Does the organization document and validate the scope of security, compliance and resilience controls that are determined to meet statutory, regulatory and/or contractual compliance obligations?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AST-02",
        "E-CPL-02",
        "E-GOV-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity perform an informal annual review of existing compliance requirements and research evolving or new requirements.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to perform compliance scoping of control applicability for statutory, regulatory and/or contractual compliance obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to  document and validate the scope of security, compliance and resilience controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "small": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "medium": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "large": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)",
        "enterprise": "∙ Unified Scoping Guide (https://unified-scoping-guide.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Compliance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF11",
          "CC5.2-POF2"
        ],
        "general-cobit-2019": [
          "MEA04.04"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-07",
          "LOG-07"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.1"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-5"
        ],
        "general-iso-22301-2019": [
          "4.3.1",
          "4.3.1(a)",
          "4.3.1(b)",
          "4.3.1(c)",
          "4.3.2",
          "4.3.2(a)"
        ],
        "general-iso-27001-2022": [
          "4.3",
          "4.3(a)",
          "4.3(b)",
          "4.3(c)",
          "9.1"
        ],
        "general-iso-27701-2025": [
          "4.3"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-42001-2023": [
          "4.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.1",
          "GOVERN 1.3",
          "MAP 3.3"
        ],
        "general-nist-800-37-r2": [
          "TASK P-11"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.a",
          "03.15.02.a.04"
        ],
        "general-nist-800-172": [
          "3.11.5e",
          "3.14.3e"
        ],
        "general-nist-800-218": [
          "PO.1"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-05"
        ],
        "general-pci-dss-4-0-1": [
          "12.5",
          "12.5.1",
          "12.5.2",
          "A3.2",
          "A3.2.1",
          "A3.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.5.1",
          "12.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.5.1",
          "12.5.2"
        ],
        "general-scf-dpmp-2025": [
          "11.6"
        ],
        "general-tisax-6-0-3": [
          "1.2.1"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.5E",
          "SI.L3-3.14.3E"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(2)",
          "7123(b)(3)"
        ],
        "usa-state-tx-sb2610-2025": [
          "542.002",
          "542.002(1)",
          "542.002(2)"
        ],
        "emea-eu-dora-2023": [
          "Article 23"
        ],
        "emea-eu-gdpr-2016": [
          "Article 3.1",
          "Article 3.2",
          "Article 3.2(a)",
          "Article 3.2(b)",
          "Article 3.3"
        ],
        "emea-sau-pdpl-2023": [
          "Article 2.2"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 38.2"
        ],
        "emea-esp-decree-311-2022": [
          "38.2"
        ],
        "apac-jpn-ismap": [
          "4.4.4",
          "4.4.4.1"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.A",
          "03.15.02.A.04"
        ]
      }
    },
    {
      "control_id": "CPL-01.3",
      "title": "Ability To Demonstrate Conformity",
      "family": "CPL",
      "description": "Mechanisms exist to ensure the organization is able to demonstrate security, compliance and/or resilience capability conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.",
      "scf_question": "Does the organization ensure the organization is able to demonstrate security, compliance and/or resilience capability conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to  ensure the organization is able to demonstrate security, compliance and/or resilience capability conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.",
        "4": "Compliance (CPL) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Compliance",
      "crosswalks": {
        "general-bsi-200-1-1-0": [
          "9"
        ],
        "general-cobit-2019": [
          "MEA01.02",
          "MEA03.03"
        ],
        "general-iso-21434-2021": [
          "RC-05-16"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-scf-dpmp-2025": [
          "11.6"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "COMP:SG3.SP1",
          "COMP:SG3.SP2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1i"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.7.b",
          "III.5.a"
        ],
        "usa-federal-eo-14028": [
          "4e(ii)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "IV.C.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7122(c)",
          "7123(b)(3)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 8(3)"
        ],
        "usa-state-tx-sb2610-2025": [
          "542.004(a)(2)",
          "542.004(b)(1)",
          "542.004(b)(1)(A)",
          "542.004(b)(1)(B)",
          "542.004(b)(1)(C)",
          "542.004(b)(1)(D)",
          "542.004(b)(1)(E)",
          "542.004(b)(1)(F)",
          "542.004(b)(1)(G)",
          "542.004(b)(1)(H)",
          "542.004(b)(1)(I)",
          "542.004(b)(1)(J)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 11.1",
          "Article 16(k)",
          "Article 21.1",
          "Article 22.3",
          "Article 22.3(a)"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 10.13"
        ],
        "emea-eu-gdpr-2016": [
          "Article 5.2",
          "Article 12.1",
          "Article 30.4",
          "Article 31"
        ],
        "emea-sau-pdpl-2023": [
          "Article 30.4.a"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S17"
        ],
        "apac-jpn-ismap": [
          "4.5.4.3",
          "18.2.1.11.P",
          "18.2.1.12.P"
        ]
      }
    },
    {
      "control_id": "CPL-01.4",
      "title": "Conformity Assessment",
      "family": "CPL",
      "description": "Mechanisms exist to conduct assessments to demonstrate security, compliance and/or resilience capability conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.",
      "scf_question": "Does the organization conduct assessments to demonstrate security, compliance and/or resilience capability conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to assign cybersecurity and/or data protection controls to comply with specific compliance requirements.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct assessments to demonstrate security, compliance and/or resilience capability conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Compliance",
      "crosswalks": {
        "general-bsi-200-1-1-0": [
          "9"
        ],
        "general-cobit-2019": [
          "MEA02.03",
          "MEA03.04"
        ],
        "general-iso-27017-2015": [
          "18.2.3"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-3.4-003"
        ],
        "general-scf-dpmp-2025": [
          "11.6"
        ],
        "general-un-155-2021": [
          "7.2.2.1",
          "7.2.2.2"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.1",
          "7.2.2.2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1i"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(1)(ii)",
          "609.930(c)(6)(iii)",
          "609.935(c)"
        ],
        "usa-federal-law-sox-2002": [
          "404(a)",
          "404(a)(2)",
          "404(b)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7122(a)",
          "7122(b)",
          "7122(d)",
          "7122(e)",
          "7122(f)",
          "7123(a)",
          "7123(b)",
          "7123(b)(2)",
          "7123(c)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-579.B.4"
        ],
        "emea-eu-ai-act-2024": [
          "Article 16(f)",
          "Article 43.1",
          "Article 43.1(a)",
          "Article 43.1(b)(a)",
          "Article 43.1(b)(b)",
          "Article 43.1(b)(c)",
          "Article 43.1(b)(d)",
          "Article 43.2",
          "Article 43.3",
          "Article 43.4"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 10.2",
          "Article 10.7",
          "Article 13.2(a)",
          "Article 24.1",
          "Article 24.1(a)",
          "Article 24.1(b)",
          "Article 24.1(c)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 6 Module A.1"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.2.1",
          "2.2.3"
        ],
        "emea-gbr-caf-4-0": [
          "A2.c"
        ],
        "apac-jpn-ismap": [
          "4.5.4.3",
          "4.6.2.2"
        ]
      }
    },
    {
      "control_id": "CPL-01.5",
      "title": "Declaration of Conformity",
      "family": "CPL",
      "description": "Mechanisms exist to generate a declaration of conformity for each conformity assessment, where the document:\n(1) Is concise;\n(2) Unambiguously reflects the current status;\n(3) Is physically or electronically signed; and\n(4) Where possible, is machine readable.",
      "scf_question": "Does the organization generate a declaration of conformity for each conformity assessment, where the document:\n(1) Is concise;\n(2) Unambiguously reflects the current status;\n(3) Is physically or electronically signed; and\n(4) Where possible, is machine readable?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ A formal report is generated for each security assessment/audit with sufficient details to understand the organization's ability to demonstrate conformity with its requirements.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to generate a declaration of conformity for each conformity assessment, where the document:\n(1) Is concise;\n(2) Unambiguously reflects the current status;\n(3) Is physically or electronically signed; and\n(4) Where possible, is machine readable.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-cobit-2019": [
          "MEA03.04"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.I"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "COMP:SG3"
        ],
        "usa-federal-eo-14028": [
          "4e(v)",
          "4e(ix)",
          "4e(x)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-7-IS.2"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(c)(1)(i)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(e)",
          "7123(e)(1)",
          "7123(e)(2)",
          "7123(e)(3)",
          "7123(e)(4)",
          "7123(e)(5)",
          "7123(e)(6)",
          "7123(e)(7)",
          "7123(e)(8)",
          "7123(e)(9)",
          "7123(e)(10)",
          "7123(f)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 16(g)",
          "Article 47.1",
          "Article 47.2",
          "Article 47.3",
          "Article 47.4"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 4",
          "Annex 4.1",
          "Annex 4.2",
          "Annex 4.3",
          "Annex 4.4",
          "Annex 4.5",
          "Annex 4.6",
          "Annex 4.7",
          "Annex 4.8",
          "Annex 6 Module A.4",
          "Annex 6 Module A.4.2",
          "Annex 6 Module C.3.2"
        ]
      }
    },
    {
      "control_id": "CPL-01.6",
      "title": "Assessment Team Subject Matter Expertise",
      "family": "CPL",
      "description": "Mechanisms exist to ensure individuals performing audits and/or assessments have reasonable:\n(1) Professional qualifications to perform the audit and/or assessment; and\n(2) Subject matter expertise to perform review, interview and test activities for in-scope People, Processes, Technologies, Data and/or Facilities (PPTDF).",
      "scf_question": "Does the organization ensure individuals performing audits and/or assessments have reasonable:\n(1) Professional qualifications to perform the audit and/or assessment; and\n(2) Subject matter expertise to perform review, interview and test activities for in-scope People, Processes, Technologies, Data and/or Facilities (PPTDF)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Compliance (CPL) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CPL domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Compliance management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Compliance efforts are narrowly-limited to certain compliance requirements.\n▪ IT and/or cybersecurity personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure individuals performing audits and/or assessments have reasonable:\n(1) Professional qualifications to perform the audit and/or assessment; and\n(2) Subject matter expertise to perform review, interview and test activities for in-scope People, Processes, Technologies, Data and/or Facilities (PPTDF).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-17"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7122(a)(1)",
          "7122(d)"
        ]
      }
    },
    {
      "control_id": "CPL-01.7",
      "title": "Designated Certifying Official",
      "family": "CPL",
      "description": "Mechanisms exist to designate an individual the authority to make statements of conformity on behalf of the organization.",
      "scf_question": "Does the organization designate an individual the authority to make statements of conformity on behalf of the organization?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to designate an individual the authority to make statements of conformity on behalf of the organization.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-14"
      ],
      "errata": "- new control (SOX)",
      "family_name": "Compliance",
      "crosswalks": {
        "usa-federal-law-sox-2002": [
          "302(a)",
          "302(a)(4)",
          "302(a)(4)(A)",
          "302(a)(4)(B)",
          "302(a)(4)(C)",
          "302(a)(4)(D)"
        ]
      }
    },
    {
      "control_id": "CPL-01.8",
      "title": "Conformity Attestations",
      "family": "CPL",
      "description": "Mechanisms exist for the certifying official to attest to the accuracy of conformity attestations, based on applicable laws, regulations and/or contractual criteria.",
      "scf_question": "Does the organization's certifying official attest to the accuracy of conformity attestations, based on applicable laws, regulations and/or contractual criteria?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists for the certifying official to attest to the accuracy of conformity attestations, based on applicable laws, regulations and/or contractual criteria.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-14"
      ],
      "errata": "- new control (SOX)",
      "family_name": "Compliance",
      "crosswalks": {
        "usa-federal-law-sox-2002": [
          "302(a)(1)",
          "302(a)(2)",
          "302(a)(3)",
          "302(a)(5)",
          "302(a)(5)(A)",
          "302(a)(5)(B)",
          "302(a)(6)"
        ]
      }
    },
    {
      "control_id": "CPL-02",
      "title": "Security, Compliance & Resilience Controls Oversight",
      "family": "CPL",
      "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
      "scf_question": "Does the organization provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-07",
        "E-CPL-09",
        "E-GOV-04",
        "E-GOV-05",
        "E-GOV-06",
        "E-GOV-13",
        "E-RSK-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel use an entity-defined set of controls to conduct cybersecurity and data protection control assessments.\n▪ A formal report is generated for each security assessment/audit with sufficient details to understand the organization's ability to demonstrate conformity with its requirements.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Steering committee",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Steering committee",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Steering committee"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Compliance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF8",
          "S7.5-POF1",
          "M9.1-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.1",
          "CC1.1-POF3",
          "CC2.2",
          "CC2.3",
          "CC4.2-POF1",
          "CC4.2-POF2",
          "CC4.2-POF3"
        ],
        "general-cobit-2019": [
          "MEA02.01",
          "MEA02.02",
          "MEA04.02"
        ],
        "general-coso-2013": [
          "1",
          "14",
          "15"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-02",
          "A&A-05",
          "CEK-09"
        ],
        "general-csa-iot-2": [
          "GVN-04",
          "LGL-03"
        ],
        "general-govramp": [
          "CA-07",
          "CA-07(01)"
        ],
        "general-govramp-low": [
          "CA-07"
        ],
        "general-govramp-low-plus": [
          "CA-07",
          "CA-07(01)"
        ],
        "general-govramp-mod": [
          "CA-07",
          "CA-07(01)"
        ],
        "general-govramp-high": [
          "CA-07",
          "CA-07(01)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.9"
        ],
        "general-iso-21434-2021": [
          "RQ-05-17"
        ],
        "general-iso-27001-2022": [
          "8.1",
          "10.1"
        ],
        "general-iso-27002-2022": [
          "5.31",
          "5.36",
          "6.8",
          "8.8",
          "8.34"
        ],
        "general-iso-27017-2015": [
          "12.7.1",
          "18.2.2"
        ],
        "general-iso-27018-2025": [
          "5.31",
          "5.36",
          "6.8",
          "8.8",
          "8.34"
        ],
        "general-iso-27701-2025": [
          "9.2.2",
          "9.2.2(a)",
          "9.2.2(b)",
          "9.2.2(c)"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "6.6"
        ],
        "general-mitre-att&ck-16-1": [
          "T1001",
          "T1001.001",
          "T1001.002",
          "T1001.003",
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1008",
          "T1021.002",
          "T1021.005",
          "T1029",
          "T1030",
          "T1036",
          "T1036.003",
          "T1036.005",
          "T1036.007",
          "T1037",
          "T1037.002",
          "T1037.003",
          "T1037.004",
          "T1037.005",
          "T1041",
          "T1046",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1053.006",
          "T1055.009",
          "T1056.002",
          "T1059",
          "T1059.005",
          "T1059.007",
          "T1059.010",
          "T1068",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.003",
          "T1070.007",
          "T1070.008",
          "T1070.009",
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1072",
          "T1078",
          "T1078.001",
          "T1078.003",
          "T1078.004",
          "T1080",
          "T1090",
          "T1090.001",
          "T1090.002",
          "T1090.003",
          "T1095",
          "T1102",
          "T1102.001",
          "T1102.002",
          "T1102.003",
          "T1104",
          "T1105",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1111",
          "T1132",
          "T1132.001",
          "T1132.002",
          "T1176",
          "T1185",
          "T1187",
          "T1189",
          "T1190",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1197",
          "T1201",
          "T1203",
          "T1204",
          "T1204.001",
          "T1204.002",
          "T1204.003",
          "T1205",
          "T1205.001",
          "T1210",
          "T1211",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.003",
          "T1213.004",
          "T1213.005",
          "T1218",
          "T1218.002",
          "T1218.010",
          "T1218.011",
          "T1218.012",
          "T1218.015",
          "T1219",
          "T1221",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1489",
          "T1498",
          "T1498.001",
          "T1498.002",
          "T1499",
          "T1499.001",
          "T1499.002",
          "T1499.003",
          "T1499.004",
          "T1528",
          "T1530",
          "T1537",
          "T1539",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1543.002",
          "T1546.003",
          "T1546.004",
          "T1546.013",
          "T1546.016",
          "T1547.003",
          "T1547.013",
          "T1548",
          "T1548.003",
          "T1548.006",
          "T1550.003",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.004",
          "T1552.005",
          "T1553.003",
          "T1555",
          "T1555.001",
          "T1555.002",
          "T1556",
          "T1556.001",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1557.004",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1558.005",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.004",
          "T1562.006",
          "T1563.001",
          "T1564.004",
          "T1564.010",
          "T1565",
          "T1565.001",
          "T1565.003",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1566.003",
          "T1567",
          "T1568",
          "T1568.002",
          "T1569",
          "T1569.002",
          "T1570",
          "T1571",
          "T1572",
          "T1573",
          "T1573.001",
          "T1573.002",
          "T1574",
          "T1574.004",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.013",
          "T1574.014",
          "T1598",
          "T1598.001",
          "T1598.002",
          "T1598.003",
          "T1599",
          "T1599.001",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1622",
          "T1647"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.5"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.MT-P4",
          "PR.PO-P5"
        ],
        "general-nist-800-37-r2": [
          "TASK P-7"
        ],
        "general-nist-800-39": [
          "TASK 4-2"
        ],
        "general-nist-800-53-r4": [
          "CA-7",
          "CA-7(1)",
          "PM-14"
        ],
        "general-nist-800-53-r5-2": [
          "CA-07",
          "CA-07(01)",
          "PM-14"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-07",
          "CA-07(01)",
          "PM-14"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-07"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CA-07(01)"
        ],
        "general-nist-800-66-r2": [
          "164.316(b)"
        ],
        "general-nist-800-82-r3": [
          "CA-07",
          "CA-07(01)",
          "PM-14"
        ],
        "general-nist-800-82-r3-low": [
          "CA-07",
          "PM-14"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-07",
          "PM-14"
        ],
        "general-nist-800-82-r3-high": [
          "CA-07",
          "PM-14"
        ],
        "general-nist-800-161-r1": [
          "CA-7",
          "PM-14"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-14"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-14"
        ],
        "general-nist-800-171-r2": [
          "3.12.1",
          "3.12.3"
        ],
        "general-nist-800-171-r3": [
          "03.12.01",
          "03.12.03"
        ],
        "general-nist-800-171a": [
          "3.12.1[a]",
          "3.12.1[b]",
          "3.12.3"
        ],
        "general-nist-800-171a-r3": [
          "A.03.12.03[01]",
          "A.03.12.03[03]",
          "A.03.12.03[04]"
        ],
        "general-nist-csf-2-0": [
          "GV.OC-03"
        ],
        "general-pci-dss-4-0-1": [
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-scf-dpmp-2025": [
          "11.4"
        ],
        "general-tisax-6-0-3": [
          "1.5.1",
          "5.2.6"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG2.GP8",
          "AM:GG2.GP8",
          "COMM:GG2.GP8",
          "COMP:SG4",
          "COMP:GG2.GP8",
          "CTRL:GG2.GP8",
          "EC:GG2.GP8",
          "EF:GG2.GP8",
          "EXD:GG2.GP8",
          "FRM:GG2.GP8",
          "HRM:GG2.GP8",
          "ID:GG2.GP8",
          "IMC:GG2.GP8",
          "KIM:GG2.GP8",
          "MA:GG2.GP8",
          "MON:GG2.GP8",
          "OPD:GG2.GP8",
          "OPF:GG2.GP8",
          "OTA:GG2.GP8",
          "PM:GG2.GP8",
          "RISK:GG2.GP8",
          "RRD:GG2.GP8",
          "RRM:GG2.GP8",
          "RTSE:GG2.GP8",
          "SC:GG2.GP8",
          "TM:GG2.GP8",
          "VAR:GG2.GP8",
          "GG2.GP8"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.PEPAR"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-7",
          "CA-7(1)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-4c",
          "ARCHITECTURE-1i",
          "PROGRAM-2h"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CAL2.-3.12.1",
          "CAL2.-3.12.3"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(6)",
          "609.930(c)(6)(i)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(a)",
          "11.10(b)",
          "11.10(c)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-07",
          "CA-07(01)",
          "PM-14"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-07",
          "CA-07(01)",
          "PM-14"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-07",
          "CA-07(01)",
          "PM-14"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-07",
          "CA-07(01)",
          "PM-14"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(d)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(viii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(d)(3)(i)",
          "164.316(b)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(d)(3)(i)",
          "164.316(b)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.D.3",
          "2.D.8",
          "3.3.1.i",
          "CA-7",
          "PM-14"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-7",
          "CA-7.1",
          "CA-7.2",
          "CA-7.3",
          "CA-7.4",
          "CA-7.5",
          "CA-7.6",
          "CA-7.7",
          "CA-7.8",
          "CA-7-IS",
          "CA-7-IS.1",
          "CA-7-IS.2",
          "CA-7-IS.3",
          "CA-7(1)",
          "PM-14"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7122(a)(3)",
          "7122(f)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)3",
          "17.03(2)(h)",
          "17.03(2)(i)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(A)(3)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-07",
          "PM-14"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-07"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(2)(C)",
          "2447(b)(8)(A)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.6(41)",
          "3.4.6(42)",
          "3.4.6(43)",
          "3.4.6(43)(a)",
          "3.4.6(43)(b)",
          "3.4.6(44)",
          "3.4.6(45)",
          "3.4.6(46)",
          "3.4.6(47)",
          "3.4.6(48)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 32.1(d)"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 9",
          "Sec 9a",
          "Annex"
        ],
        "emea-deu-bsrit-2017": [
          "5.6"
        ],
        "emea-deu-c5-2020": [
          "SP-03"
        ],
        "emea-grc-pirppd-1997": [
          "10"
        ],
        "emea-hun-isdfi-2011": [
          "7"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "1.3",
          "3.1"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31",
          "33",
          "34",
          "35"
        ],
        "emea-nga-dpr-2019": [
          "4.1(5)(a)",
          "4.1(5)(b)",
          "4.1(5)(c)",
          "4.1(5)(d)",
          "4.1(5)(e)",
          "4.1(5)(f)",
          "4.1(5)(g)",
          "4.1(5)(h)",
          "4.1(5)(i)",
          "4.1(5)(j)",
          "4.1(6)",
          "4.1(7)"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36"
        ],
        "emea-rus-federal-law-27-2006": [
          "7",
          "19"
        ],
        "emea-sau-cscc-1-2019": [
          "1-4"
        ],
        "emea-sau-cgiot-2024": [
          "1-7-3"
        ],
        "emea-sau-ecc-1-2018": [
          "1-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-6",
          "1-6-1"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.4"
        ],
        "emea-zaf-popia-2013": [
          "8",
          "19",
          "21"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 10.1",
          "Article 10.2",
          "Article 10.3"
        ],
        "emea-esp-decree-311-2022": [
          "10.1",
          "10.2",
          "10.3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "9"
        ],
        "emea-che-fadp-2025": [
          "7"
        ],
        "emea-tur-lppd-2016": [
          "12"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1206"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1206"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1206"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 11"
        ],
        "apac-aus-ps-cps-230-2023": [
          "29",
          "30",
          "58(b)",
          "58(c)"
        ],
        "apac-aus-ps-cps-234-2019": [
          "27",
          "27(a)",
          "27(b)",
          "27(c)",
          "27(d)",
          "27(e)",
          "29"
        ],
        "apac-chn-csnip-2012": [
          "4"
        ],
        "apac-chn-pipl-2021": [
          "54"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 4"
        ],
        "apac-ind-privacy-rules-2011": [
          "8"
        ],
        "apac-ind-sebi-2024": [
          "EV.ST.S4"
        ],
        "apac-jpn-ppi-2020": [
          "21"
        ],
        "apac-jpn-ismap": [
          "4.6.1.1",
          "4.6.2.2",
          "4.6.2.6",
          "12.7",
          "12.7.1.8",
          "12.7.1.9"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP67",
          "HML66"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP58"
        ],
        "apac-nzl-ism-3-9": [
          "6.1.7.C.01",
          "23.2.18.C.01"
        ],
        "apac-phl-dpa-2012": [
          "25",
          "29"
        ],
        "apac-sgp-pdpa-2012": [
          "24"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.2.3"
        ],
        "apac-twn-pdpa-2025": [
          "27"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.7"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.10"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.01",
          "03.12.03"
        ],
        "americas-can-pipeda-2000": [
          "Principle 7"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ]
      }
    },
    {
      "control_id": "CPL-02.1",
      "title": "Internal Audit Function",
      "family": "CPL",
      "description": "Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes.",
      "scf_question": "Does the organization implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of its technology and information governance processes?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-04",
        "E-CPL-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes.",
        "4": "Compliance (CPL) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Internal audit program",
        "small": "∙ Internal audit program",
        "medium": "∙ Internal audit program",
        "large": "∙ Internal audit program",
        "enterprise": "∙ Internal audit program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1-POF1",
          "CC4.1-POF2",
          "CC4.1-POF3",
          "CC4.1-POF4",
          "CC4.1-POF5",
          "CC4.1-POF6",
          "CC4.1-POF7",
          "CC4.1-POF8"
        ],
        "general-bsi-200-1-1-0": [
          "7.4"
        ],
        "general-cobit-2019": [
          "APO02.04",
          "MEA02.01",
          "MEA02.02",
          "MEA04.02"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-05",
          "CEK-09"
        ],
        "general-csa-iot-2": [
          "GVN-04"
        ],
        "general-iso-22301-2019": [
          "9.2.1",
          "9.2.1(a)",
          "9.2.1(a)(1)",
          "9.2.1(a)(2)",
          "9.2.1(b)",
          "9.2.2",
          "9.2.2(a)",
          "9.2.2(b)",
          "9.2.2(c)",
          "9.2.2(d)",
          "9.2.2(e)",
          "9.2.2(f)",
          "9.2.2(g)"
        ],
        "general-iso-27001-2022": [
          "9.2.1",
          "9.2.1(a)(1)",
          "9.2.1(a)(2)",
          "9.2.1(b)",
          "9.2.2",
          "9.2.2(a)",
          "9.2.2(b)",
          "9.2.2(c)"
        ],
        "general-iso-27002-2022": [
          "5.35",
          "8.34"
        ],
        "general-iso-27017-2015": [
          "12.7.1",
          "18.2.1"
        ],
        "general-iso-27018-2025": [
          "5.35",
          "8.34"
        ],
        "general-iso-27701-2025": [
          "9.2.1",
          "9.2.1(a)",
          "9.2.1(b)"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-42001-2023": [
          "9.2.1",
          "9.2.1(a)",
          "9.2.1(a)(1)",
          "9.2.1(a)(2)",
          "9.2.1(b)",
          "9.2.2",
          "9.2.2(a)",
          "9.2.2(b)",
          "9.2.2(c)"
        ],
        "general-nist-800-171-r2": [
          "3.12.1"
        ],
        "general-nist-800-171-r3": [
          "03.12.01"
        ],
        "general-nist-800-171a-r3": [
          "A.03.12.01.ODP[01]"
        ],
        "general-tisax-6-0-3": [
          "1.5.1",
          "5.2.6"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CAL2.-3.12.1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(6)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7122(a)(3)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.5(b)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(11)",
          "3.3.6(25)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.3.2"
        ],
        "emea-sau-cscc-1-2019": [
          "1-4-2",
          "2-13-4"
        ],
        "emea-sau-ecc-1-2018": [
          "1-8-1",
          "1-8-3"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.5"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 31.1",
          "Article 31.2",
          "Article 31.3",
          "Article 31.4",
          "Article 31.5",
          "Article 31.6",
          "Article 31.7",
          "Article 41.1",
          "Article 41.2"
        ],
        "emea-esp-decree-311-2022": [
          "31.1",
          "31.2",
          "31.3",
          "31.4",
          "31.5",
          "31.6",
          "31.7",
          "41.1",
          "41.2"
        ],
        "apac-aus-ps-cps-230-2023": [
          "46",
          "60"
        ],
        "apac-aus-ps-cps-234-2019": [
          "31",
          "32",
          "33",
          "34",
          "34(a)",
          "34(b)"
        ],
        "apac-chn-pipl-2021": [
          "54"
        ],
        "apac-ind-dpdpa-2023": [
          "10(2)(b)"
        ],
        "apac-jpn-ismap": [
          "4.6.2.2",
          "4.6.2.4"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP67",
          "HML66"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP58"
        ],
        "apac-sgp-mas-trm-2021": [
          "15.1.1",
          "15.1.2",
          "15.1.3",
          "15.1.4"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.4",
          "5.6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.17",
          "6.18",
          "6.19",
          "6.20"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.01"
        ]
      }
    },
    {
      "control_id": "CPL-02.2",
      "title": "Periodic Audits",
      "family": "CPL",
      "description": "Mechanisms exist to conduct periodic audits of security, compliance and resilience controls to evaluate conformity with the organization's documented policies, standards and procedures.",
      "scf_question": "Does the organization conduct periodic audits of security, compliance and resilience controls to evaluate conformity with the organization's documented policies, standards and procedures?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel use an entity-defined set of controls to conduct cybersecurity and data protection control assessments.\n▪ Specialized assessments are conducted for specific statutory, regulatory and/or contractual compliance obligations, as well as business-critical TAASD.\n▪ IT and/or cybersecurity personnel use an impartial member of their team or a third-party assessor to perform an independent assessment of cybersecurity and data protection controls.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct periodic audits of security, compliance and resilience controls to evaluate conformity with the organization's documented policies, standards and procedures.",
        "4": "Compliance (CPL) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Compliance (CPL) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {},
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Compliance",
      "crosswalks": {
        "general-cobit-2019": [
          "MEA02.04"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-02"
        ],
        "general-iso-21434-2021": [
          "RQ-05-17"
        ],
        "general-iso-27701-2025": [
          "9.2.2"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(6)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.5(b)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 32.1(d)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.3.2",
          "2.3.4"
        ],
        "emea-sau-cgiot-2024": [
          "1-7-1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1206"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1206"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1206"
        ],
        "apac-ind-dpdpa-2023": [
          "10(2)(c)(ii)"
        ],
        "apac-ind-sebi-2024": [
          "DE.CM.S5"
        ]
      }
    },
    {
      "control_id": "CPL-02.3",
      "title": "Corrective Action",
      "family": "CPL",
      "description": "Mechanisms exist to take corrective action to remediate instances of non-conformity with applicable statutory, regulatory, and/or contractual compliance obligations.",
      "scf_question": "Does the organization take corrective action to remediate instances of non-conformity with applicable statutory, regulatory, and/or contractual compliance obligations?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Compliance (CPL) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CPL domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Compliance management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Compliance efforts are narrowly limited to certain compliance requirements.\n▪ IT and/or cybersecurity personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to take corrective action to remediate instances of non-conformity with applicable statutory, regulatory, and/or contractual compliance obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {},
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-iso-29100-2024": [
          "6.12"
        ],
        "emea-eu-ai-act-2024": [
          "Article 79.4",
          "Article 80.4",
          "Article 80.5",
          "Article 82.2",
          "Article 93.1(a)",
          "Article 93.1(b)",
          "Article 93.1(c)"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 10.12",
          "Article 13.6",
          "Article 14.4"
        ]
      }
    },
    {
      "control_id": "CPL-03",
      "title": "Security, Compliance & Resilience Assessments",
      "family": "CPL",
      "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
      "scf_question": "Does the organization regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-CPL-05",
        "E-CPL-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Compliance (CPL) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CPL domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Compliance management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Compliance efforts are narrowly limited to certain compliance requirements.\n▪ IT and/or cybersecurity personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.\n▪ IT and/or cybersecurity personnel self-identify a set of controls that are used to conduct cybersecurity and data privacy control assessments.\n▪ For specific statutory, regulatory and/or contractual obligations, stakeholders may contract with a third-party auditor/assessor to perform an independent assessment of cybersecurity and data protection controls.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel use an entity-defined set of controls to conduct cybersecurity and data protection control assessments.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "4": "Compliance (CPL) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "small": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "medium": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "large": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "enterprise": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Compliance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.5",
          "S7.5-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.1-POF3",
          "CC4.1"
        ],
        "general-cobit-2019": [
          "MEA02.01",
          "MEA02.02"
        ],
        "general-coso-2013": [
          "16"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-02",
          "A&A-03",
          "A&A-05",
          "CEK-09"
        ],
        "general-csa-iot-2": [
          "GVN-04"
        ],
        "general-govramp": [
          "CA-02"
        ],
        "general-govramp-low": [
          "CA-02"
        ],
        "general-govramp-low-plus": [
          "CA-02"
        ],
        "general-govramp-mod": [
          "CA-02"
        ],
        "general-govramp-high": [
          "CA-02"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.9"
        ],
        "general-iso-27001-2022": [
          "8.1",
          "9.1",
          "9.1(a)",
          "9.1(b)",
          "9.1(c)",
          "9.1(d)",
          "9.1(e)",
          "9.1(f)"
        ],
        "general-iso-27002-2022": [
          "5.35",
          "5.36",
          "8.34"
        ],
        "general-iso-27017-2015": [
          "18.2.1",
          "18.2.2"
        ],
        "general-iso-27018-2025": [
          "5.35",
          "5.35(a)",
          "5.36",
          "8.34"
        ],
        "general-iso-31010-2009": [
          "5.3.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)",
          "4.C(5)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.5"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P5",
          "CT.DM-P9"
        ],
        "general-nist-800-53-r4": [
          "CA-2"
        ],
        "general-nist-800-53-r5-2": [
          "CA-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-02"
        ],
        "general-nist-800-66-r2": [
          "164.316(b)"
        ],
        "general-nist-800-82-r3": [
          "CA-02"
        ],
        "general-nist-800-82-r3-low": [
          "CA-02"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-02"
        ],
        "general-nist-800-82-r3-high": [
          "CA-02"
        ],
        "general-nist-800-161-r1": [
          "CA-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CA-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "CA-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-2"
        ],
        "general-nist-800-171-r2": [
          "3.12.1"
        ],
        "general-nist-800-171-r3": [
          "03.12.01",
          "03.12.03"
        ],
        "general-nist-800-171a-r3": [
          "A.03.12.01"
        ],
        "general-nist-800-172": [
          "3.11.5e"
        ],
        "general-nist-csf-2-0": [
          "ID.IM-01",
          "ID.IM-02"
        ],
        "general-pci-dss-4-0-1": [
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3",
          "11.1",
          "12.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.7.1",
          "10.7.2",
          "10.7.3",
          "12.4.2"
        ],
        "general-scf-dpmp-2025": [
          "11.3"
        ],
        "general-tisax-6-0-3": [
          "1.5.2",
          "5.2.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-2"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CAL2.-3.12.1"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.5E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.6.1"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(a)",
          "11.10(b)",
          "11.10(c)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-02"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(d)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(d)(3)(i)",
          "164.316(b)(1)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(d)(3)(i)",
          "164.316(b)(1)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7120(a)",
          "7122(b)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.5(c)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(c)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-02",
          "CA-02-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-02"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.6(26)",
          "3.3.6(27)",
          "3.4.6(41)",
          "3.4.6(42)",
          "3.4.6(43)",
          "3.4.6(43)(a)",
          "3.4.6(43)(b)",
          "3.4.6(44)",
          "3.4.6(45)",
          "3.4.6(46)",
          "3.4.6(47)",
          "3.4.6(48)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1"
        ],
        "emea-us-psd2-2015": [
          "3",
          "29"
        ],
        "emea-deu-bsrit-2017": [
          "5.6"
        ],
        "emea-deu-c5-2020": [
          "COM-03"
        ],
        "emea-hun-isdfi-2011": [
          "7"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "3.1"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36"
        ],
        "emea-qat-pdppl-2020": [
          "11.7",
          "11.8"
        ],
        "emea-rus-federal-law-27-2006": [
          "7"
        ],
        "emea-sau-cscc-1-2019": [
          "1-4-1",
          "2-13-4"
        ],
        "emea-sau-ecc-1-2018": [
          "1-3-2",
          "1-8-1"
        ],
        "emea-sau-otcc-1-2022": [
          "1-6",
          "1-6-1",
          "1-6-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.4",
          "3.2.5"
        ],
        "emea-zaf-popia-2013": [
          "8",
          "19",
          "21"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 31.1",
          "Article 31.2",
          "Article 31.3",
          "Article 31.4",
          "Article 31.5",
          "Article 31.6",
          "Article 31.7"
        ],
        "emea-esp-decree-311-2022": [
          "31.1",
          "31.2",
          "31.3",
          "31.4",
          "31.5",
          "31.6",
          "31.7"
        ],
        "apac-aus-ps-cps-234-2019": [
          "30"
        ],
        "apac-chn-pipl-2021": [
          "38(1)",
          "38(2)",
          "40"
        ],
        "apac-ind-sebi-2024": [
          "EV.ST.S5"
        ],
        "apac-jpn-ppi-2020": [
          "40(1)",
          "40(2)",
          "40(3)"
        ],
        "apac-jpn-ismap": [
          "4.6.2.3",
          "4.6.2.5",
          "12.7.1",
          "12.7.1.1",
          "12.7.1.2",
          "12.7.1.3",
          "12.7.1.4",
          "12.7.1.5",
          "12.7.1.6",
          "12.7.1.7",
          "18.2",
          "18.2.2",
          "18.2.2.1",
          "18.2.2.2",
          "18.2.2.3",
          "18.2.2.4",
          "18.2.2.5",
          "18.2.2.6",
          "18.2.2.7",
          "18.2.2.8"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-ism-3-9": [
          "4.3.16.C.01",
          "6.1.7.C.01",
          "6.1.9.C.01",
          "23.2.18.C.01"
        ],
        "apac-phl-dpa-2012": [
          "25"
        ],
        "apac-sgp-pdpa-2012": [
          "24"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.5.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.10"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.01",
          "03.12.03"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ]
      }
    },
    {
      "control_id": "CPL-03.1",
      "title": "Independent Assessors",
      "family": "CPL",
      "description": "Mechanisms exist to utilize independent assessors to evaluate security, compliance and resilience at planned intervals or when the Technology Asset, Application and/or Service (TAAS) undergoes significant changes.",
      "scf_question": "Does the organization utilize independent assessors to evaluate security, compliance and resilience at planned intervals or when the Technology Asset, Application and/or Service (TAAS) undergoes significant changes?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Compliance (CPL) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CPL domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Compliance management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Compliance efforts are narrowly limited to certain compliance requirements.\n▪ IT and/or cybersecurity personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.\n▪ For specific statutory, regulatory and/or contractual obligations, stakeholders may contract with a third-party auditor/assessor to perform an independent assessment of cybersecurity and data protection controls.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel use an impartial member of their team or a third-party assessor to perform an independent assessment of cybersecurity and data protection controls.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize independent assessors to evaluate security, compliance and resilience at planned intervals or when the Technology Asset, Application and/or Service (TAAS) undergoes significant changes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)",
        "small": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)",
        "medium": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)",
        "large": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)",
        "enterprise": "∙ Information Assurance Program (IAP)\n∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Compliance",
      "crosswalks": {
        "general-cobit-2019": [
          "MEA04.01"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-02",
          "A&A-05",
          "CEK-09"
        ],
        "general-govramp": [
          "CA-07(01)"
        ],
        "general-govramp-low-plus": [
          "CA-07(01)"
        ],
        "general-govramp-mod": [
          "CA-07(01)"
        ],
        "general-govramp-high": [
          "CA-07(01)"
        ],
        "general-iso-27002-2022": [
          "5.35"
        ],
        "general-iso-27017-2015": [
          "18.2.1"
        ],
        "general-iso-27018-2025": [
          "5.35"
        ],
        "general-iso-42001-2023": [
          "9.2.2(b)"
        ],
        "general-nist-800-53-r4": [
          "CA-7(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-07(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-07(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CA-07(01)"
        ],
        "general-nist-800-82-r3": [
          "CA-07(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-07(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CA-07(01)"
        ],
        "general-nist-800-171-r2": [
          "NFO - CA-7(1)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "COMP:SG4.SP1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-7(1)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(6)(ii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-07(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-07(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-07(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-07(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-7(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-7(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7122(a)(2)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.3"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(c)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 6 Module H.3.1",
          "Annex 6 Module H.3.5"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.6(25)",
          "3.4.6(41)",
          "3.4.6(42)",
          "3.4.6(43)(a)",
          "3.4.6(43)(b)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.3.1"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-deu-c5-2020": [
          "COM-03"
        ],
        "emea-sau-cscc-1-2019": [
          "1-4-2"
        ],
        "emea-sau-cgiot-2024": [
          "1-7-2"
        ],
        "emea-sau-ecc-1-2018": [
          "1-8-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-6-1",
          "1-6-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-20",
          "TPC-21"
        ],
        "emea-zaf-popia-2013": [
          "60"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 38.1"
        ],
        "emea-esp-decree-311-2022": [
          "38.1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "9"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0100"
        ],
        "apac-aus-ps-cps-234-2019": [
          "30"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 38"
        ],
        "apac-chn-pipl-2021": [
          "38(1)",
          "38(2)",
          "40"
        ],
        "apac-ind-dpdpa-2023": [
          "10(2)(b)"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S14"
        ],
        "apac-jpn-ismap": [
          "4.6.2.5",
          "18.2.1",
          "18.2.1.3",
          "18.2.1.4",
          "18.2.1.5",
          "18.2.1.6",
          "18.2.1.7",
          "18.2.1.8",
          "18.2.1.9.P",
          "18.2.1.10.P",
          "18.2.1.13.P"
        ],
        "apac-nzl-ism-3-9": [
          "6.1.8.C.01"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.13",
          "6.25"
        ]
      }
    },
    {
      "control_id": "CPL-03.2",
      "title": "Functional Review Of Security, Compliance & Resilience Controls",
      "family": "CPL",
      "description": "Mechanisms exist to regularly review Technology Assets, Applications and/or Services (TAAS) for adherence to the organization's security, compliance and/or resilience policies and standards.",
      "scf_question": "Does the organization regularly review Technology Assets, Applications and/or Services (TAAS) for adherence to the organization's security, compliance and/or resilience policies and standards?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-CPL-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel use an entity-defined set of controls to conduct cybersecurity and data protection control assessments.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to regularly review Technology Assets, Applications and/or Services (TAAS) for adherence to the organization's security, compliance and/or resilience policies and standards.",
        "4": "Compliance (CPL) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ Regular/yearly policy and standards review process",
        "small": "∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ Regular/yearly policy and standards review process",
        "medium": "∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ Regular/yearly policy and standards review process",
        "large": "∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ Regular/yearly policy and standards review process",
        "enterprise": "∙ Control Validation Testing (CVT) / Security Test & Evaluation (STE)\n∙ Regular/yearly policy and standards review process"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Compliance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.5"
        ],
        "general-aicpa-tsc-2017": [
          "CC4.1",
          "CC7.2-POF4"
        ],
        "general-cobit-2019": [
          "MEA02.01",
          "MEA02.02"
        ],
        "general-coso-2013": [
          "16"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-05",
          "CEK-09"
        ],
        "general-csa-iot-2": [
          "GVN-04"
        ],
        "general-govramp": [
          "CA-02",
          "RA-03"
        ],
        "general-govramp-low": [
          "CA-02",
          "RA-03"
        ],
        "general-govramp-low-plus": [
          "CA-02",
          "RA-03"
        ],
        "general-govramp-mod": [
          "CA-02",
          "RA-03"
        ],
        "general-govramp-high": [
          "CA-02",
          "RA-03"
        ],
        "general-iso-27002-2022": [
          "5.35",
          "5.36",
          "8.8"
        ],
        "general-iso-27017-2015": [
          "18.2.1",
          "18.2.2",
          "18.2.3"
        ],
        "general-iso-27018-2025": [
          "5.35",
          "5.36",
          "8.8"
        ],
        "general-iso-31010-2009": [
          "5.3.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)",
          "4.C(5)"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DM-P9"
        ],
        "general-nist-800-53-r4": [
          "CA-2",
          "RA-3"
        ],
        "general-nist-800-53-r5-2": [
          "CA-02",
          "RA-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-02",
          "RA-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-02",
          "RA-03"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(8)"
        ],
        "general-nist-800-82-r3": [
          "CA-02",
          "RA-03"
        ],
        "general-nist-800-82-r3-low": [
          "CA-02",
          "RA-03"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-02",
          "RA-03"
        ],
        "general-nist-800-82-r3-high": [
          "CA-02",
          "RA-03"
        ],
        "general-nist-800-161-r1": [
          "CA-2",
          "RA-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CA-2",
          "RA-3"
        ],
        "general-nist-800-161-r1-level-1": [
          "RA-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "CA-2",
          "RA-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-2",
          "RA-3"
        ],
        "general-nist-800-171-r3": [
          "03.04.08.c",
          "03.12.03"
        ],
        "general-nist-800-171a-r3": [
          "A.03.12.03[02]"
        ],
        "general-nist-csf-2-0": [
          "ID.IM-01",
          "ID.IM-02"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.7",
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3",
          "11.1",
          "12.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.7",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.7",
          "10.7.1",
          "10.7.2",
          "10.7.3",
          "12.4.2"
        ],
        "general-tisax-6-0-3": [
          "1.5.2",
          "5.2.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-2",
          "RA-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-4c",
          "ARCHITECTURE-1i"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(1)(ii)",
          "609.930(c)(6)(iii)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(a)",
          "11.10(b)",
          "11.10(c)",
          "11.300(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-02",
          "RA-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-02",
          "RA-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-02",
          "RA-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-02",
          "RA-03"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(d)(3)(i)",
          "164.306(e)",
          "164.308(a)(8)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(d)(3)(i)",
          "164.306(e)",
          "164.308(a)(8)"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-2",
          "RA-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-2",
          "RA-3"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 R3",
          "CIP-006-6 3.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-02",
          "RA-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-02",
          "RA-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-02",
          "RA-03"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.6(26)",
          "3.3.6(27)",
          "3.4.6(41)",
          "3.4.6(42)",
          "3.4.6(43)",
          "3.4.6(43)(a)",
          "3.4.6(43)(b)",
          "3.4.6(44)",
          "3.4.6(45)",
          "3.4.6(46)",
          "3.4.6(47)",
          "3.4.6(48)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-deu-bsrit-2017": [
          "5.6"
        ],
        "emea-deu-c5-2020": [
          "COM-01"
        ],
        "emea-isr-cmo-1-0": [
          "3.1",
          "3.3",
          "12.30"
        ],
        "emea-qat-pdppl-2020": [
          "11.7",
          "11.8"
        ],
        "emea-sau-cscc-1-2019": [
          "1-4-1"
        ],
        "emea-sau-cgiot-2024": [
          "1-7-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-8-1"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 31.1",
          "Article 31.2",
          "Article 31.3",
          "Article 31.4",
          "Article 31.5",
          "Article 31.6",
          "Article 31.7",
          "Article 38.1"
        ],
        "emea-esp-decree-311-2022": [
          "31.1",
          "31.2",
          "31.3",
          "31.4",
          "31.5",
          "31.6",
          "31.7",
          "38.1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1206"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1206"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1206"
        ],
        "apac-chn-pipl-2021": [
          "54"
        ],
        "apac-ind-sebi-2024": [
          "DE.CM.S5"
        ],
        "apac-jpn-ismap": [
          "18.2.3",
          "18.2.3.1",
          "18.2.3.2",
          "18.2.3.3",
          "18.2.3.4",
          "18.2.3.5"
        ],
        "apac-nzl-ism-3-9": [
          "6.1.7.C.01",
          "6.1.9.C.01",
          "23.2.18.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.5.1"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.08.C",
          "03.12.03"
        ]
      }
    },
    {
      "control_id": "CPL-03.3",
      "title": "Assessor Access",
      "family": "CPL",
      "description": "Mechanisms exist to grant assessors minimum necessary access to conduct conformity assessments, including:\n(1) Logical access to design, development, production, inspection and testing artifacts; and \n(2) Physical access to facilities.",
      "scf_question": "Does the organization grant assessors minimum necessary access to conduct conformity assessments, including:\n(1) Logical access to design, development, production, inspection and testing artifacts; and \n(2) Physical access to facilities?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to grant assessors minimum necessary access to conduct conformity assessments, including:\n(1) Logical access to design, development, production, inspection and testing artifacts; and \n(2) Physical access to facilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "IV.C.2",
          "IV.C.2.a",
          "IV.C.2.b",
          "IV.C.2.c",
          "IV.C.2.d",
          "IV.C.2.e",
          "IV.C.2.e.i",
          "IV.C.2.e.ii",
          "IV.C.2.e.iii",
          "IV.C.2.e.iv",
          "IV.C.2.f"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 13.8",
          "Article 14.5"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 6 Module H.4.2"
        ]
      }
    },
    {
      "control_id": "CPL-03.4",
      "title": "Assessment Methods",
      "family": "CPL",
      "description": "Mechanisms exist to define acceptable methods to conduct a cybersecurity and/or data protection assessment.",
      "scf_question": "Does the organization define acceptable methods to conduct a cybersecurity and/or data protection assessment?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define acceptable methods to conduct a cybersecurity and/or data protection assessment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-03.5",
      "title": "Assessment Rigor",
      "family": "CPL",
      "description": "Mechanisms exist to define the level of assessment rigor necessary to conduct a cybersecurity and/or data protection assessment.",
      "scf_question": "Does the organization define the level of assessment rigor necessary to conduct a cybersecurity and/or data protection assessment?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define the level of assessment rigor necessary to conduct a cybersecurity and/or data protection assessment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-03.6",
      "title": "Evidence Request List (ERL)",
      "family": "CPL",
      "description": "Mechanisms exist to define an Evidence Request List (ERL) prior to the start of a cybersecurity and/or data protection assessment.",
      "scf_question": "Does the organization define an Evidence Request List (ERL) prior to the start of a cybersecurity and/or data protection assessment?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define an Evidence Request List (ERL) prior to the start of a cybersecurity and/or data protection assessment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-03.7",
      "title": "Evidence Sampling",
      "family": "CPL",
      "description": "Mechanisms exist to define evidence sampling criteria for cybersecurity and/or data protection assessments.",
      "scf_question": "Does the organization define evidence sampling criteria for cybersecurity and/or data protection assessments?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Compliance (CPL) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CPL domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Compliance management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Compliance efforts are narrowly limited to certain compliance requirements.\n▪ IT and/or cybersecurity personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.\n▪ IT and/or cybersecurity personnel self-identify a set of controls that are used to conduct cybersecurity and data privacy control assessments.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define evidence sampling criteria for cybersecurity and/or data protection assessments.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-04",
      "title": "Audit Activities",
      "family": "CPL",
      "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
      "scf_question": "Does the organization thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Internal audit program",
        "small": "∙ Internal audit program",
        "medium": "∙ Internal audit program",
        "large": "∙ Internal audit program",
        "enterprise": "∙ Internal audit program"
      },
      "risks": [
        "R-BC-1",
        "R-EX-1",
        "R-EX-2",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1"
        ],
        "general-coso-2013": [
          "16"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-05"
        ],
        "general-iso-27002-2022": [
          "5.35",
          "8.34"
        ],
        "general-iso-27017-2015": [
          "12.7.1",
          "18.2.1"
        ],
        "general-iso-27018-2025": [
          "5.35",
          "8.34"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.5"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-deu-c5-2020": [
          "COM-02",
          "COM-03"
        ]
      }
    },
    {
      "control_id": "CPL-05",
      "title": "Legal Assessment of Investigative Inquiries",
      "family": "CPL",
      "description": "Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary.",
      "scf_question": "Does the organization determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel work with the organization's legal counsel for guidance on how to respond to legal orders (e.g., court orders, investigations, etc.).",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Legal review",
        "small": "∙ Legal review",
        "medium": "∙ Legal review",
        "large": "∙ Legal review",
        "enterprise": "∙ Legal review"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-18"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(e)",
          "500.17(a)(2)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3206(c)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 21.1",
          "Article 22.3(c)",
          "Article 22.3(d)",
          "Article 24.5",
          "Article 24.6",
          "Article 91.4",
          "Article 91.5",
          "Article 92.4",
          "Article 92.5"
        ],
        "emea-deu-c5-2020": [
          "INQ-01"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 72"
        ],
        "apac-chn-pipl-2021": [
          "41"
        ]
      }
    },
    {
      "control_id": "CPL-05.1",
      "title": "Investigation Request Notifications",
      "family": "CPL",
      "description": "Mechanisms exist to notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution).",
      "scf_question": "Does the organization notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution)?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-18"
        ],
        "emea-deu-c5-2020": [
          "INQ-02"
        ],
        "apac-chn-pipl-2021": [
          "18"
        ]
      }
    },
    {
      "control_id": "CPL-05.2",
      "title": "Investigation Access Restrictions",
      "family": "CPL",
      "description": "Mechanisms exist to support official investigations by provisioning government investigators with \"least privileges\" and \"least functionality\" to ensure that government investigators only have access to the Technology Assets, Applications, Services and/or Data (TAASD) needed to perform the investigation.",
      "scf_question": "Does the organization support official investigations by provisioning government investigators with \"least privileges\" and \"least functionality\" to ensure that government investigators only have access to the Technology Assets, Applications, Services and/or Data (TAASD) needed to perform the investigation?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to support official investigations by provisioning government investigators with \"least privileges\" and \"least functionality\" to ensure that government investigators only have access to the TAASD needed to perform the investigation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)",
        "small": "∙ Role Based Access Control (RBAC)",
        "medium": "∙ Role Based Access Control (RBAC)",
        "large": "∙ Role Based Access Control (RBAC)",
        "enterprise": "∙ Role Based Access Control (RBAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-18"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "III.5.b.ii"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(e)",
          "500.17(a)(2)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.586(3)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3206(c)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 21.2"
        ],
        "emea-deu-c5-2020": [
          "INQ-03",
          "INQ-04"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 28",
          "Article 55",
          "Article 56"
        ],
        "apac-chn-pipl-2021": [
          "61(4)",
          "63",
          "63(1)",
          "63(2)",
          "63(3)",
          "63(4)",
          "64"
        ]
      }
    },
    {
      "control_id": "CPL-06",
      "title": "Government Surveillance",
      "family": "CPL",
      "description": "Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's Technology Assets, Applications, Services and/or Data (TAASD) that could potentially violate other applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization constrain the host government from having unrestricted and non-monitored access to its Technology Assets, Applications, Services and/or Data (TAASD) that could potentially violate other applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Compliance (CPL) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CPL domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Compliance management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Compliance efforts are narrowly-limited to certain compliance requirements.\n▪ IT and/or cybersecurity personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to constrain the host government from having unrestricted and non-monitored access to the organization's TAASD that could potentially violate other applicable statutory, regulatory and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Legal review\n∙ Least functionality enforcement\n∙ Legal privilege enforcement",
        "small": "∙ Legal review\n∙ Least functionality enforcement\n∙ Legal privilege enforcement",
        "medium": "∙ Legal review\n∙ Least functionality enforcement\n∙ Legal privilege enforcement\n∙ Board of Directors (BoD) review",
        "large": "∙ Legal review\n∙ Least functionality enforcement\n∙ Legal privilege enforcement\n∙ Board of Directors (BoD) review",
        "enterprise": "∙ Legal review\n∙ Least functionality enforcement\n∙ Legal privilege enforcement\n∙ Board of Directors (BoD) review"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "apac-chn-cybersecurity-law-2017": [
          "Article 28",
          "Article 29"
        ],
        "apac-chn-data-security-law-2021": [
          "24",
          "27",
          "31",
          "33",
          "44"
        ],
        "apac-chn-pipl-2021": [
          "11",
          "12",
          "26",
          "38(4)",
          "40",
          "47(5)",
          "60",
          "61(4)",
          "63(3)",
          "63(4)",
          "64"
        ]
      }
    },
    {
      "control_id": "CPL-07",
      "title": "Grievances",
      "family": "CPL",
      "description": "Mechanisms exist to govern the intake and analysis of grievances related to the organization's cybersecurity and/or data protection practices.",
      "scf_question": "Does the organization govern the intake, analysis, assignment and remediation of grievances related to its cybersecurity and/or data protection practices?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Compliance (CPL) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CPL domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Compliance management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Compliance efforts are narrowly-limited to certain compliance requirements.\n▪ IT and/or cybersecurity personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern the intake and analysis of grievances related to the organization's cybersecurity and/or data protection practices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "apac-ind-dpdpa-2023": [
          "13(1)"
        ],
        "apac-jpn-ismap": [
          "18.1.2.13.PB"
        ]
      }
    },
    {
      "control_id": "CPL-07.1",
      "title": "Grievance Response",
      "family": "CPL",
      "description": "Mechanisms exist to respond to legitimate grievances related to the organization's cybersecurity and/or data protection practices.",
      "scf_question": "Does the organization respond to legitimate grievances related to its cybersecurity and/or data protection practices?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to respond to legitimate grievances related to the organization's cybersecurity and/or data protection practices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "apac-ind-dpdpa-2023": [
          "13(2)"
        ]
      }
    },
    {
      "control_id": "CPL-08",
      "title": "Localized Representation",
      "family": "CPL",
      "description": "Mechanisms exist to appoint localized representation with a physical presence in localities, as required by applicable laws and/or regulations.",
      "scf_question": "Does the organization appoint localized representation with a physical presence in localities, as required by applicable laws and/or regulations?",
      "relative_weight": 2,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to appoint localized representation with a physical presence in localities, as required by applicable laws and/or regulations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 22.1",
          "Article 22.2",
          "Article 22.3",
          "Article 23.1(d)",
          "Article 54.1"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 12.1"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 6 Module A.5",
          "Annex 6 Module C.4"
        ]
      }
    },
    {
      "control_id": "CPL-08.1",
      "title": "Representative Powers",
      "family": "CPL",
      "description": "Mechanisms exist to contract localized representation to perform specified functions in regard to representing statutory and/or regulatory compliance matters.",
      "scf_question": "Does the organization contract localized representation to perform specified functions in regard to representing statutory and/or regulatory compliance matters?",
      "relative_weight": 2,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to contract localized representation to perform specified functions in regard to representing statutory and/or regulatory compliance matters.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "emea-eu-ai-act-2024": [
          "Article 54.2",
          "Article 54.3",
          "Article 54.3(a)",
          "Article 54.3(b)",
          "Article 54.3(c)",
          "Article 54.3(d)",
          "Article 54.4",
          "Article 54.5"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 12.3",
          "Article 12.3(a)",
          "Article 12.3(b)",
          "Article 12.3(c)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 6 Module A.5",
          "Annex 6 Module C.4"
        ]
      }
    },
    {
      "control_id": "CPL-09",
      "title": "Control Reciprocity",
      "family": "CPL",
      "description": "Mechanisms exist to define instances of control reciprocity within assessment boundaries.",
      "scf_question": "Does the organization define instances of control reciprocity within assessment boundaries?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define instances of control reciprocity within assessment boundaries.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-10",
      "title": "Control Inheritance",
      "family": "CPL",
      "description": "Mechanisms exist to define instances of control inheritance within assessment boundaries.",
      "scf_question": "Does the organization define instances of control inheritance within assessment boundaries?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define instances of control inheritance within assessment boundaries.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-11",
      "title": "Dual Use Technology",
      "family": "CPL",
      "description": "Mechanisms exist to govern technologies and/or data that have potential:\n(1) \"Dual-use\" capabilities for civil and military;\n(2) Use by terrorists; and/or\n(3) Weapons of Mass Destruction (WMD) applications.",
      "scf_question": "Does the organization govern technologies and/or data that have potential:\n(1) \"Dual-use\" capabilities for civil and military;\n(2) Use by terrorists; and/or\n(3) Weapons of Mass Destruction (WMD) applications?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern technologies and/or data that have potential:\n(1) \"Dual-use\" capabilities for civil and military;\n(2) Use by terrorists; and/or\n(3) Weapons of Mass Destruction (WMD) applications.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-11.1",
      "title": "USML or CCL Identification",
      "family": "CPL",
      "description": "Mechanisms exist to identify if the organization handles United States Munitions List (USML) or Commerce Control List (CCL):\n(1) Items;\n(2) Technical data; and/or\n(3) Provides defense services.",
      "scf_question": "Does the organization identify if the organization handles United States Munitions List (USML) or Commerce Control List (CCL):\n(1) Items;\n(2) Technical data; and/or\n(3) Provides defense services?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify if the organization handles United States Munitions List (USML) or Commerce Control List (CCL):\n(1) Items;\n(2) Technical data; and/or\n(3) Provides defense services.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-11.2",
      "title": "Export-Controlled Access Restrictions",
      "family": "CPL",
      "description": "Mechanisms exist to restrict logical and physical access to United States (US) export-controlled data to US: \n(1) Citizens; and/or\n(2) Green Card holders.",
      "scf_question": "Does the organization restrict logical and physical access to United States (US) export-controlled data to US: \n(1) Citizens; and/or\n(2) Green Card holders?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict logical and physical access to United States (US) export-controlled data to US: \n(1) Citizens; and/or\n(2) Green Card holders.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-11.3",
      "title": "Export Activities Documentation",
      "family": "CPL",
      "description": "Mechanisms exist to generate detailed logs of export-controlled data including:\n(1) Logical and physical access; and\n(2) Export activities.",
      "scf_question": "Does the organization generate detailed logs of export-controlled data including:\n(1) Logical and physical access; and\n(2) Export activities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to generate detailed logs of export-controlled data including:\n(1) Logical and physical access; and\n(2) Export activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Compliance",
      "crosswalks": {}
    },
    {
      "control_id": "CPL-12",
      "title": "Statement of Applicability (SOA)",
      "family": "CPL",
      "description": "Mechanisms exist to produce a Statement of Applicability (SOA), or similar document, for compliance-related scoping activities.",
      "scf_question": "Does the organization produce a Statement of Applicability (SOA), or similar document, for compliance-related scoping activities?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Compliance (CPL) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CPL domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Compliance management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Compliance efforts are narrowly limited to certain compliance requirements.\n▪ IT and/or cybersecurity personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ External compliance requirements for cybersecurity and data privacy are identified and documented, based on applicable laws, regulations and contractual obligations.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to produce a Statement of Applicability (SOA), or similar document, for compliance-related scoping activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-2"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15"
      ],
      "family_name": "Compliance",
      "crosswalks": {
        "general-iso-27701-2025": [
          "6.1.3(e)"
        ]
      }
    },
    {
      "control_id": "CPL-13",
      "title": "Work Products",
      "family": "CPL",
      "description": "Mechanisms exist to produce work products (e.g., process artifacts) that demonstrate the ability to comply with applicable requirements.",
      "scf_question": "Does the organization produce work products (e.g., process artifacts) that demonstrate the ability to comply with applicable requirements?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to produce work products (e.g., process artifacts) that demonstrate the ability to comply with applicable requirements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-14"
      ],
      "errata": "- new control (CERT-RMM 1.2)",
      "family_name": "Compliance",
      "crosswalks": {
        "general-iso-21434-2021": [
          "RC-05-16",
          "RQ-06-09",
          "RQ-06-12",
          "RQ-06-18",
          "RQ-06-23"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG1.GP1",
          "ADM:GG3.GP2",
          "AM:GG1.GP1",
          "AM:GG3.GP2",
          "COMM:GG1.GP1",
          "COMM:GG3.GP2",
          "COMP:GG1.GP1",
          "COMP:GG3.GP2",
          "CTRL:GG1.GP1",
          "CTRL:GG3.GP2",
          "EC:GG1.GP1",
          "EC:GG3.GP2",
          "EF:GG1.GP1",
          "EF:GG3.GP2",
          "EXD:GG1.GP1",
          "EXD:GG3.GP2",
          "FRM:GG1.GP1",
          "FRM:GG3.GP2",
          "HRM:GG1.GP1",
          "HRM:GG3.GP2",
          "ID:GG1.GP1",
          "ID:GG3.GP2",
          "IMC:GG1.GP1",
          "IMC:GG3.GP2",
          "KIM:GG1.GP1",
          "KIM:GG3.GP2",
          "MA:GG1.GP1",
          "MA:GG3.GP2",
          "MON:GG1.GP1",
          "MON:GG3.GP2",
          "OPD:GG1.GP1",
          "OPD:GG3.GP2",
          "OPF:GG1.GP1",
          "OPF:GG3.GP2",
          "OTA:GG1.GP1",
          "OTA:GG3.GP2",
          "PM:GG1.GP1",
          "PM:GG3.GP2",
          "RISK:GG1.GP1",
          "RISK:GG3.GP2",
          "RRD:GG1.GP1",
          "RRD:GG3.GP2",
          "RRM:GG1.GP1",
          "RRM:GG3.GP2",
          "RTSE:GG1.GP1",
          "RTSE:GG3.GP2",
          "SC:GG1.GP1",
          "SC:GG3.GP2",
          "TM:GG1.GP1",
          "TM:GG3.GP2",
          "VAR:GG1.GP1",
          "VAR:GG3.GP2",
          "GG1.GP1",
          "GG3.GP2"
        ]
      }
    },
    {
      "control_id": "CPL-13.1",
      "title": "Defensible Evidence of Due Diligence",
      "family": "CPL",
      "description": "Mechanisms exist to produce evidence of due diligence activities performed, capable of withstanding external audit or regulatory scrutiny.",
      "scf_question": "Does the organization produce evidence of due diligence activities performed, capable of withstanding external audit or regulatory scrutiny?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to produce evidence of due diligence activities performed, capable of withstanding external audit or regulatory scrutiny.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-6",
        "R-IR-1"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-14"
      ],
      "errata": "- new control",
      "family_name": "Compliance",
      "crosswalks": {
        "apac-jpn-ismap": [
          "4.6.2.7"
        ]
      }
    },
    {
      "control_id": "CPL-13.2",
      "title": "Defensible Evidence of Due Care",
      "family": "CPL",
      "description": "Mechanisms exist to produce evidence of due care activities performed, capable of withstanding external audit or regulatory scrutiny.",
      "scf_question": "Does the organization produce evidence of due care activities performed, capable of withstanding external audit or regulatory scrutiny?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Compliance (CPL) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Compliance management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Compliance management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Compliance (CPL) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CPL domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CPL domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain CPL domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CPL domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to produce evidence of due care activities performed, capable of withstanding external audit or regulatory scrutiny.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document applicable regulatory requirements in a checklist",
        "small": "∙ Compliance checklist\n∙ Annual compliance review",
        "medium": "∙ Compliance management program\n∙ Regulatory mapping\n∙ Compliance calendar",
        "large": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Compliance team",
        "enterprise": "∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Dedicated compliance team\n∙ Automated compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-6",
        "R-IR-1"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-14"
      ],
      "errata": "- new control",
      "family_name": "Compliance",
      "crosswalks": {
        "apac-jpn-ismap": [
          "4.6.2.7"
        ]
      }
    },
    {
      "control_id": "CFG-01",
      "title": "Configuration Management Program",
      "family": "CFG",
      "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
      "scf_question": "Does the organization facilitate the implementation of configuration management controls?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-01",
        "E-AST-27"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of configuration management controls.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configuration Management (CM) program\n∙ Change control program",
        "small": "∙ Configuration Management (CM) program\n∙ Change control program",
        "medium": "∙ Configuration Management (CM) program\n∙ Change control program",
        "large": "∙ Configuration Management (CM) program\n∙ Change control program",
        "enterprise": "∙ Configuration Management (CM) program\n∙ Change control program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF8"
        ],
        "general-aicpa-tsc-2017": [
          "CC7.1",
          "CC7.1-POF1",
          "CC8.1-POF6",
          "CC8.1-POF12"
        ],
        "general-cis-csc-8-1": [
          "2.0",
          "4.0",
          "4.1",
          "4.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.1",
          "4.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.1",
          "4.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.1",
          "4.2"
        ],
        "general-cobit-2019": [
          "BAI10.01"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-03",
          "UEM-07"
        ],
        "general-csa-iot-2": [
          "CCM-02",
          "CCM-08"
        ],
        "general-govramp": [
          "CM-01",
          "CM-09"
        ],
        "general-govramp-core": [
          "CM-09"
        ],
        "general-govramp-low": [
          "CM-01"
        ],
        "general-govramp-low-plus": [
          "CM-01",
          "CM-09"
        ],
        "general-govramp-mod": [
          "CM-01",
          "CM-09"
        ],
        "general-govramp-high": [
          "CM-01",
          "CM-09"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.2",
          "5.1"
        ],
        "general-iso-27002-2022": [
          "8.3",
          "8.9",
          "8.12"
        ],
        "general-iso-27017-2015": [
          "9.4.1"
        ],
        "general-iso-27018-2025": [
          "8.9",
          "8.12"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P1"
        ],
        "general-nist-800-53-r4": [
          "CM-1",
          "CM-9"
        ],
        "general-nist-800-53-r5-2": [
          "CM-01",
          "CM-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-01",
          "CM-09"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-01"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-09"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)"
        ],
        "general-nist-800-82-r3": [
          "CM-01",
          "CM-09"
        ],
        "general-nist-800-82-r3-low": [
          "CM-01"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-01",
          "CM-09"
        ],
        "general-nist-800-82-r3-high": [
          "CM-01",
          "CM-09"
        ],
        "general-nist-800-161-r1": [
          "CM-1",
          "CM-9"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-9"
        ],
        "general-nist-800-161-r1-level-1": [
          "CM-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-1",
          "CM-9"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-1",
          "CM-9"
        ],
        "general-nist-800-171-r2": [
          "NFO - CM-1",
          "NFO - CM-9"
        ],
        "general-nist-800-171-r3": [
          "03.04.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.03.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-nist-csf-2-0": [
          "PR.PS",
          "PR.PS-01",
          "PR.PS-05"
        ],
        "general-owasp-top-10-2025": [
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "2.1",
          "2.2",
          "8.5"
        ],
        "general-scf-dpmp-2025": [
          "7.12"
        ],
        "general-sparta": [
          "CM0023"
        ],
        "general-swift-cscf-2025": [
          "1.3",
          "2.3"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.CMANA"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.A",
          "2.O",
          "2.Q"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-1",
          "CM-9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-01",
          "CM-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-01",
          "CM-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-01",
          "CM-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-01",
          "CM-09"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(1)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(1)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-1",
          "CM-9"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-1",
          "CM-1-IS",
          "CM-1-IS.1",
          "CM-9",
          "CM-9.a",
          "CM-9.b",
          "CM-9.c",
          "CM-9.d"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.7",
          "CIP-010-3 R1"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(B)",
          "7123(c)(5)",
          "7123(c)(11)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-01",
          "CM-09"
        ],
        "emea-eu-dora-2023": [
          "Article 9.3(a)",
          "Article 9.3(b)",
          "Article 9.3(c)",
          "Article 9.3(d)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.3.1",
          "6.3.2"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "6.8"
        ],
        "emea-deu-c5-2020": [
          "AM-03"
        ],
        "emea-isr-cmo-1-0": [
          "3.3",
          "9.22",
          "9.23",
          "14.1"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-6"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-2-2",
          "2-4-4",
          "2-5-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-2"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 30.1",
          "Article 30.2"
        ],
        "emea-esp-decree-311-2022": [
          "30.1",
          "30.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.3 [OP.EXP.3]"
        ],
        "emea-gbr-caf-4-0": [
          "B4",
          "B4.c"
        ],
        "emea-gbr-cap-1850-2020": [
          "B4"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "2"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S3"
        ],
        "apac-nzl-ism-3-9": [
          "4.3.19.C.01",
          "12.2.5.C.01",
          "12.2.5.C.02",
          "12.2.6.C.01",
          "12.2.6.C.02",
          "18.1.10.C.01",
          "18.1.10.C.02",
          "18.1.10.C.03",
          "18.1.10.C.04"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.3(a)"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.2.1",
          "7.2.2",
          "7.3.1",
          "7.3.2",
          "7.3.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.1"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.01.A"
        ]
      }
    },
    {
      "control_id": "CFG-01.1",
      "title": "Assignment of Responsibility",
      "family": "CFG",
      "description": "Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.",
      "scf_question": "Does the organization implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-iso-27002-2022": [
          "8.9"
        ],
        "general-iso-27018-2025": [
          "8.9"
        ],
        "general-nist-800-53-r4": [
          "CM-9(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-09(01)"
        ],
        "general-nist-800-82-r3": [
          "CM-09(01)"
        ],
        "general-nist-800-161-r1": [
          "CM-9(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-9(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-9(1)"
        ],
        "general-pci-dss-4-0-1": [
          "2.1"
        ],
        "apac-nzl-ism-3-9": [
          "4.3.19.C.01"
        ]
      }
    },
    {
      "control_id": "CFG-02",
      "title": "Secure Baseline Configurations",
      "family": "CFG",
      "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
      "scf_question": "Does the organization develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-12",
        "E-AST-13",
        "E-AST-14",
        "E-AST-15",
        "E-AST-16",
        "E-AST-17",
        "E-AST-18",
        "E-AST-19",
        "E-AST-20",
        "E-AST-21"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ The restrictiveness of the SBCs is commensurate with the criticality of the TAAS and/or sensitivity of the data being protected, in accordance with applicable laws, regulations and frameworks.\n▪ Tailored SBCs are created for higher-risk operating environments and/or for TAAS that store, process or transmit sensitive/regulated data.",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "4": "Configuration Management (CFG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF7",
          "CC6.7-POF1",
          "CC7.1",
          "CC7.1-POF1",
          "CC8.1",
          "CC8.1-POF6",
          "CC8.1-POF12"
        ],
        "general-cis-csc-8-1": [
          "4.1",
          "4.2",
          "4.3",
          "4.4",
          "4.5",
          "4.6",
          "4.7",
          "4.8",
          "10.3",
          "10.4",
          "10.5",
          "16.7"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.1",
          "4.2",
          "4.3",
          "4.4",
          "4.5",
          "4.6",
          "4.7",
          "10.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.1",
          "4.2",
          "4.3",
          "4.4",
          "4.5",
          "4.6",
          "4.7",
          "4.8",
          "10.3",
          "10.4",
          "10.5",
          "16.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.1",
          "4.2",
          "4.3",
          "4.4",
          "4.5",
          "4.6",
          "4.7",
          "4.8",
          "10.3",
          "10.4",
          "10.5",
          "16.7"
        ],
        "general-cobit-2019": [
          "BAI10.02"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-02",
          "CCC-06",
          "I&S-04",
          "UEM-07"
        ],
        "general-csa-iot-2": [
          "CLS-05",
          "IOT-02",
          "IOT-03",
          "IOT-07",
          "SNT-01",
          "SWS-01",
          "SWS-08"
        ],
        "general-govramp": [
          "CM-02",
          "CM-06",
          "SA-08"
        ],
        "general-govramp-core": [
          "CM-02",
          "CM-06"
        ],
        "general-govramp-low": [
          "CM-02",
          "CM-06"
        ],
        "general-govramp-low-plus": [
          "CM-02",
          "CM-06"
        ],
        "general-govramp-mod": [
          "CM-02",
          "CM-06",
          "SA-08"
        ],
        "general-govramp-high": [
          "CM-02",
          "CM-06",
          "SA-08"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.2",
          "5.1"
        ],
        "general-iec-62443-2-1-2024": [
          "CM 1.3",
          "NET 2.1(a)",
          "NET 2.1(c)",
          "NET 2.3",
          "NET 3.3",
          "COMP 1.1",
          "USER 1.7",
          "USER 1.8"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.2",
          "SR 7.6"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.2",
          "CR 7.6"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.2",
          "3.5.3.3",
          "3.5.3.4",
          "3.5.3.5"
        ],
        "general-iso-27002-2022": [
          "8.3",
          "8.5",
          "8.9",
          "8.12",
          "8.25",
          "8.26"
        ],
        "general-iso-27017-2015": [
          "9.4.1",
          "9.4.2",
          "14.1.1"
        ],
        "general-iso-27018-2025": [
          "8.5",
          "8.9",
          "8.12",
          "8.25",
          "8.26"
        ],
        "general-mitre-att&ck-16-1": [
          "T1001",
          "T1001.001",
          "T1001.002",
          "T1001.003",
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1008",
          "T1011",
          "T1011.001",
          "T1020.001",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1021.008",
          "T1027",
          "T1027.010",
          "T1029",
          "T1030",
          "T1036",
          "T1036.001",
          "T1036.003",
          "T1036.005",
          "T1036.007",
          "T1036.010",
          "T1037",
          "T1037.002",
          "T1037.003",
          "T1037.004",
          "T1037.005",
          "T1046",
          "T1047",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1053",
          "T1053.002",
          "T1053.003",
          "T1053.005",
          "T1053.006",
          "T1055",
          "T1055.008",
          "T1056.003",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1059.010",
          "T1059.011",
          "T1068",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.003",
          "T1070.007",
          "T1070.008",
          "T1070.009",
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1072",
          "T1078",
          "T1078.002",
          "T1078.003",
          "T1078.004",
          "T1080",
          "T1087",
          "T1087.001",
          "T1087.002",
          "T1090",
          "T1090.001",
          "T1090.002",
          "T1090.003",
          "T1091",
          "T1092",
          "T1095",
          "T1098",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.004",
          "T1098.005",
          "T1098.007",
          "T1102",
          "T1102.001",
          "T1102.002",
          "T1102.003",
          "T1104",
          "T1105",
          "T1106",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1111",
          "T1114",
          "T1114.002",
          "T1114.003",
          "T1119",
          "T1127",
          "T1127.001",
          "T1127.002",
          "T1129",
          "T1132",
          "T1132.001",
          "T1132.002",
          "T1133",
          "T1134",
          "T1134.001",
          "T1134.002",
          "T1134.003",
          "T1134.005",
          "T1135",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1137",
          "T1137.001",
          "T1137.002",
          "T1137.003",
          "T1137.004",
          "T1137.005",
          "T1137.006",
          "T1176",
          "T1185",
          "T1187",
          "T1189",
          "T1190",
          "T1195",
          "T1195.001",
          "T1195.003",
          "T1197",
          "T1199",
          "T1201",
          "T1204",
          "T1204.001",
          "T1204.002",
          "T1204.003",
          "T1205",
          "T1205.001",
          "T1210",
          "T1211",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1216",
          "T1216.001",
          "T1216.002",
          "T1218",
          "T1218.001",
          "T1218.002",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.007",
          "T1218.008",
          "T1218.009",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1218.015",
          "T1219",
          "T1220",
          "T1221",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1482",
          "T1484",
          "T1485",
          "T1486",
          "T1489",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1495",
          "T1498",
          "T1498.001",
          "T1498.002",
          "T1499",
          "T1499.001",
          "T1499.002",
          "T1499.003",
          "T1499.004",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.003",
          "T1505.004",
          "T1505.005",
          "T1525",
          "T1528",
          "T1530",
          "T1537",
          "T1539",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1543.001",
          "T1543.002",
          "T1543.003",
          "T1543.004",
          "T1546",
          "T1546.002",
          "T1546.003",
          "T1546.004",
          "T1546.006",
          "T1546.008",
          "T1546.010",
          "T1546.013",
          "T1546.014",
          "T1546.016",
          "T1547.002",
          "T1547.003",
          "T1547.005",
          "T1547.006",
          "T1547.007",
          "T1547.008",
          "T1547.009",
          "T1547.013",
          "T1548",
          "T1548.001",
          "T1548.002",
          "T1548.003",
          "T1548.004",
          "T1548.006",
          "T1550",
          "T1550.001",
          "T1550.002",
          "T1550.003",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.003",
          "T1552.004",
          "T1552.005",
          "T1552.006",
          "T1552.007",
          "T1553",
          "T1553.001",
          "T1553.003",
          "T1553.004",
          "T1553.005",
          "T1553.006",
          "T1554",
          "T1555.004",
          "T1555.005",
          "T1556",
          "T1556.001",
          "T1556.002",
          "T1556.003",
          "T1556.004",
          "T1556.008",
          "T1556.009",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1557.004",
          "T1558",
          "T1558.001",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1559",
          "T1559.001",
          "T1559.002",
          "T1559.003",
          "T1560",
          "T1560.001",
          "T1561",
          "T1561.001",
          "T1561.002",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.003",
          "T1562.004",
          "T1562.006",
          "T1562.009",
          "T1562.010",
          "T1562.011",
          "T1562.012",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1564.002",
          "T1564.006",
          "T1564.007",
          "T1564.009",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1565.003",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1569",
          "T1569.002",
          "T1570",
          "T1571",
          "T1572",
          "T1573",
          "T1573.001",
          "T1573.002",
          "T1574",
          "T1574.001",
          "T1574.004",
          "T1574.005",
          "T1574.006",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.010",
          "T1574.013",
          "T1574.014",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1590.002",
          "T1598",
          "T1598.002",
          "T1598.003",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1609",
          "T1610",
          "T1611",
          "T1612",
          "T1613",
          "T1622",
          "T1647",
          "T1648",
          "T1653"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.1",
          "TS-1.2",
          "TS-2.3",
          "TS-2.4",
          "TS-2.6",
          "TS-2.8"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.3-001"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DP-P4",
          "PR.PO-P1",
          "PR.PT-P2"
        ],
        "general-nist-800-53-r4": [
          "CM-2",
          "CM-2(3)",
          "CM-6",
          "SA-8"
        ],
        "general-nist-800-53-r5-2": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08",
          "SA-15(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-02",
          "CM-06",
          "SA-08",
          "SA-15(05)"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08"
        ],
        "general-nist-800-66-r2": [
          "164.312(a)",
          "164.312(e)(1)"
        ],
        "general-nist-800-82-r3": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08",
          "SA-15(05)"
        ],
        "general-nist-800-82-r3-low": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08"
        ],
        "general-nist-800-82-r3-high": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-15(05)"
        ],
        "general-nist-800-161-r1": [
          "CM-2",
          "CM-6",
          "PL-10",
          "SA-8"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-2",
          "CM-6",
          "PL-10",
          "SA-8"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-2",
          "CM-6"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-8"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-2",
          "CM-6",
          "PL-10",
          "SA-8"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-2",
          "CM-6",
          "PL-10",
          "SA-8"
        ],
        "general-nist-800-171-r2": [
          "3.3.3",
          "3.4.1",
          "3.4.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.h",
          "03.01.08.a",
          "03.01.08.b",
          "03.01.09",
          "03.01.10.a",
          "03.01.10.b",
          "03.01.10.c",
          "03.01.11",
          "03.01.12.a",
          "03.01.16.a",
          "03.01.18.a",
          "03.04.01.a",
          "03.04.02.a",
          "03.04.06.a",
          "03.04.06.b",
          "03.04.06.d",
          "03.05.07.d",
          "03.05.07.e",
          "03.05.07.f",
          "03.05.12.d",
          "03.08.07.a",
          "03.13.12.b"
        ],
        "general-nist-800-171a": [
          "3.4.1[a]",
          "3.4.1[b]",
          "3.4.1[c]",
          "3.4.2[a]",
          "3.4.2[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.03[01]",
          "A.03.01.16.a[03]",
          "A.03.01.16.c",
          "A.03.01.18.a[02]",
          "A.03.03.08.a[02]",
          "A.03.04.01.a[01]",
          "A.03.04.01.a[02]",
          "A.03.04.02.a[01]",
          "A.03.04.02.a[02]",
          "A.03.04.06.ODP[01]",
          "A.03.04.06.ODP[02]",
          "A.03.04.06.ODP[03]",
          "A.03.04.06.ODP[04]",
          "A.03.04.06.ODP[05]",
          "A.03.04.06.b[01]",
          "A.03.04.06.b[02]",
          "A.03.04.06.b[03]",
          "A.03.04.06.b[04]",
          "A.03.04.06.b[05]",
          "A.03.05.04[01]",
          "A.03.05.04[02]",
          "A.03.05.07.c",
          "A.03.05.07.d",
          "A.03.05.07.e",
          "A.03.05.07.f",
          "A.03.07.05.b[02]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-nist-800-218": [
          "PO.5.2",
          "PW.9.1"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-10",
          "PR.PS",
          "PR.PS-05"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.1",
          "1.2.1",
          "1.2.6",
          "2.2",
          "2.2.1",
          "8.3.2",
          "8.5",
          "10.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2",
          "10.6",
          "10.6.1",
          "10.6.2",
          "10.6.3",
          "11.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.1",
          "1.2.6",
          "2.2.1",
          "8.3.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.6"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.1",
          "8.3.2",
          "10.2.1.2",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.2",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.1",
          "1.2.6",
          "2.2.1",
          "8.3.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.1",
          "1.2.6",
          "2.2.1",
          "8.3.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-scf-dpmp-2025": [
          "7.12"
        ],
        "general-shared-assessments-sig-2025": [
          "N.11"
        ],
        "general-sparta": [
          "CM0037",
          "CM0047"
        ],
        "general-swift-cscf-2025": [
          "1.3",
          "2.3",
          "2.10",
          "4.1",
          "5.2"
        ],
        "general-tisax-6-0-3": [
          "3.1.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.LCTPR"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.E",
          "2.A",
          "2.B",
          "2.G",
          "2.H",
          "2.K",
          "2.N",
          "2.O",
          "2.V"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-2",
          "CM-6",
          "PL-10",
          "SA-8"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-3a",
          "ASSET-3b",
          "ASSET-3c",
          "SITUATION-1c",
          "SITUATION-1d",
          "ARCHITECTURE-2e",
          "ARCHITECTURE-3b",
          "ARCHITECTURE-3d",
          "ARCHITECTURE-3e",
          "ARCHITECTURE-3f",
          "ARCHITECTURE-3g",
          "ARCHITECTURE-3h",
          "ARCHITECTURE-3l"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.3",
          "CML2.-3.4.1",
          "CML2.-3.4.2"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.8.2",
          "2.5.1",
          "6.6.2",
          "6.6.3"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(d)",
          "11.50(a)",
          "11.50(a)(1)",
          "11.50(a)(2)",
          "11.50(a)(3)",
          "11.50(b)",
          "11.70",
          "11.200(a)(1)",
          "11.200(b)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08",
          "SA-15(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08",
          "SA-15(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08",
          "SA-15(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-02",
          "CM-06",
          "PL-10",
          "SA-08",
          "SA-15(05)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(6)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(a)(2)(iii)",
          "164.312(e)(1)",
          "164.312(e)(2)(i)",
          "164.312(e)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(a)(2)(iii)",
          "164.312(e)(1)",
          "164.312(e)(2)(i)",
          "164.312(e)(2)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.8.b",
          "CM-2",
          "CM-2(IRS-Defined)",
          "CM-6",
          "CM-6(IRS-Defined)",
          "SA-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-3-IS.1",
          "AC-3-IS.2",
          "AC-3-IS.3",
          "AC-3-IS.4",
          "AC-6-IS.5",
          "AC-8-IS.1",
          "AC-8-IS.2",
          "AC-8-IS.3",
          "AC-17-IS.2",
          "AC-18-IS.1",
          "AC-18-IS.1.a",
          "AC-18-IS.1.b",
          "AC-18-IS.1.c",
          "AC-18-IS.1.d",
          "AC-18-IS.1.e",
          "AC-18-IS.1.f",
          "AC-18-IS.1.g",
          "AC-18-IS.1.h",
          "AC-18-IS.1.i",
          "AC-18-IS.1.j",
          "AC-18-IS.1.k",
          "AC-18-IS.1.l",
          "AC-19-IS.2",
          "AC-19(5)-IS",
          "AU-2-IS.1",
          "AU-2-IS.1.a",
          "AU-2-IS.1.b",
          "AU-2-IS.1.c",
          "AU-2-IS.1.d",
          "AU-2-IS.1.e",
          "AU-2-IS.1.f",
          "AU-2-IS.1.g",
          "AU-2-IS.1.h",
          "AU-2-IS.1.i",
          "AU-2-IS.1.j",
          "AU-2-IS.1.k",
          "AU-2-IS.1.l",
          "AU-2-IS.1.m",
          "AU-2-IS.1.n",
          "AU-2-IS.1.o",
          "AU-2-IS.1.p",
          "AU-2-IS.1.q",
          "AU-2-IS.1.r",
          "AU-2-IS.1.s",
          "AU-2-IS.1.t",
          "AU-2-IS.1.u",
          "AU-2-IS.1.v",
          "AU-2-IS.1.w",
          "AU-2-IS.1.x",
          "AU-2-IS.1.y",
          "AU-2-IS.2",
          "AU-2-IS.2.a",
          "AU-2-IS.2.b",
          "AU-2-IS.2.c",
          "AU-2-IS.2.d",
          "AU-2-IS.2.e",
          "AU-2-IS.2.f",
          "AU-2-IS.2.g",
          "AU-2-IS.2.h",
          "AU-2-IS.3",
          "AU-8(1)-IS.2",
          "AU-8(1)-IS.3",
          "CM-2",
          "CM-6",
          "CM-6.a",
          "CM-6.b",
          "CM-6-IS.2",
          "CM-6-IS.3",
          "CM-7-IS.2",
          "CP-10-IS.1.c",
          "IA-2(11)-IS",
          "SA-8",
          "SA-11-IS.2"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-010-4 1.1",
          "CIP-010-4 1.1.1",
          "CIP-010-4 1.1.2",
          "CIP-010-4 1.1.3",
          "CIP-010-4 1.1.4",
          "CIP-010-4 1.1.5",
          "CIP-010-4 2.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(B)",
          "7123(c)(5)",
          "7123(c)(5)(A)",
          "7123(c)(5)(B)",
          "7123(c)(11)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.6(a)",
          "500.7(a)(5)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-07-SID.3",
          "AC-07-SID.3.a",
          "AC-07-SID.3.b",
          "AC-07-SID.3.c",
          "AC-07-SID.3.d",
          "AC-07-SID.3.e",
          "AC-07-SID.3.f",
          "AC-07-SID.3.g",
          "AC-18-SID.1",
          "CM-02",
          "CM-06",
          "PL-10",
          "PL-10-SID",
          "PL-10-SID.1",
          "PL-10-SID.2",
          "SA-08"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-02",
          "CM-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-02",
          "CM-06",
          "SA-08"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(e)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(36)(b)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.3(a)",
          "Article 9.3(b)",
          "Article 9.3(c)",
          "Article 9.3(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.5"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.3.2(a)",
          "6.3.2(b)",
          "6.3.3",
          "12.3.2(b)"
        ],
        "emea-deu-bsrit-2017": [
          "6.8"
        ],
        "emea-deu-c5-2020": [
          "AM-02",
          "AM-03",
          "OPS-23"
        ],
        "emea-isr-cmo-1-0": [
          "3.3",
          "4.9",
          "4.12",
          "4.15",
          "6.1",
          "9.21",
          "12.13",
          "12.24",
          "12.29",
          "13.5",
          "13.6",
          "14.2",
          "15.6"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-3",
          "2-3-1-7"
        ],
        "emea-sau-cgiot-2024": [
          "1-2-2",
          "2-5-1",
          "2-6-3",
          "2-14-2",
          "2-15-2"
        ],
        "emea-sau-ecc-1-2018": [
          "1-3-3",
          "2-4-1",
          "2-4-2",
          "5-1-3-7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-5",
          "2-3-1-1",
          "2-3-1-7"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-10",
          "TPC-13",
          "TPC-14",
          "TPC-15",
          "TPC-16",
          "TPC-17",
          "TPC-22",
          "TPC-38",
          "TPC-56",
          "TPC-63",
          "TPC-87"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 20(d)"
        ],
        "emea-esp-decree-311-2022": [
          "20(d)"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.2 [OP.EXP.2]"
        ],
        "emea-uae-niaf-2023": [
          "3.2.1"
        ],
        "emea-gbr-caf-4-0": [
          "B4",
          "B4.b"
        ],
        "emea-gbr-cap-1850-2020": [
          "B4"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2204",
          "2310",
          "2400",
          "2401",
          "2418"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2204",
          "2310",
          "2400",
          "2401",
          "2418"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2204",
          "2310",
          "2400",
          "2401",
          "2418"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2204",
          "2310",
          "2400",
          "2401",
          "2418"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P6",
          "ML1-P7",
          "ML2-P5",
          "ML2-P6",
          "ML2-P7",
          "ML3-P4",
          "ML3-P5",
          "ML3-P6",
          "ML3-P7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0341",
          "ISM-0343",
          "ISM-0345",
          "ISM-0380",
          "ISM-0383",
          "ISM-0567",
          "ISM-1316",
          "ISM-1318",
          "ISM-1319",
          "ISM-1321",
          "ISM-1406",
          "ISM-1407",
          "ISM-1408",
          "ISM-1409",
          "ISM-1418",
          "ISM-1491",
          "ISM-1492",
          "ISM-1562",
          "ISM-1584",
          "ISM-1604",
          "ISM-1608",
          "ISM-1621",
          "ISM-1622",
          "ISM-1623",
          "ISM-1624",
          "ISM-1654",
          "ISM-1655",
          "ISM-1710",
          "ISM-1745"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S1"
        ],
        "apac-jpn-ismap": [
          "8.3.1.9"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP54",
          "HHSP60",
          "HHSP65",
          "HML16",
          "HML54",
          "HML60",
          "HML64"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS09"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP14",
          "HSUP46",
          "HSUP52"
        ],
        "apac-nzl-ism-3-9": [
          "14.1.8.C.01",
          "14.1.9.C.01",
          "14.1.9.C.02",
          "14.1.10.C.01",
          "14.1.10.C.02",
          "14.3.7.C.01",
          "23.2.21.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.3(a)"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.5",
          "11.3.1",
          "11.3.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.16",
          "4.20"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.H",
          "03.01.08.A",
          "03.01.08.B",
          "03.01.09",
          "03.01.10.A",
          "03.01.10.B",
          "03.01.10.C",
          "03.01.11",
          "03.01.12.A",
          "03.01.16.A",
          "03.01.18.A",
          "03.04.01.A",
          "03.04.02.A",
          "03.04.06.A",
          "03.04.06.B",
          "03.04.06.D",
          "03.05.07.D",
          "03.05.07.E",
          "03.05.07.F",
          "03.05.12.D",
          "03.08.07.A",
          "03.13.12.B"
        ]
      }
    },
    {
      "control_id": "CFG-02.1",
      "title": "Reviews & Updates",
      "family": "CFG",
      "description": "Mechanisms exist to review and update baseline configurations:\n(1) At least annually;\n(2) When required due to so; or\n(3) As part of system component installations and upgrades.",
      "scf_question": "Does the organization review and update baseline configurations:\n (1) At least annually;\n (2) When required due to so; or\n (3) As part of system component installations and upgrades?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ IT and/or cybersecurity personnel perform an annual review of existing configurations to ensure security objectives are still being met.",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMBD) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to review and update baseline configurations:\n(1) At least annually;\n(2) When required due to so; or\n(3) As part of system component installations and upgrades.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configuration Management (CM) program\n∙ Change control program",
        "small": "∙ Configuration Management (CM) program\n∙ Change control program",
        "medium": "∙ Configuration Management (CM) program\n∙ Change control program",
        "large": "∙ Configuration Management (CM) program\n∙ Change control program",
        "enterprise": "∙ Configuration Management (CM) program\n∙ Change control program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC8.1"
        ],
        "general-cis-csc-8-1": [
          "4.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.1"
        ],
        "general-cobit-2019": [
          "BAI10.05"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-06"
        ],
        "general-govramp": [
          "CM-02"
        ],
        "general-govramp-core": [
          "CM-02"
        ],
        "general-govramp-low": [
          "CM-02"
        ],
        "general-govramp-low-plus": [
          "CM-02"
        ],
        "general-govramp-mod": [
          "CM-02"
        ],
        "general-govramp-high": [
          "CM-02"
        ],
        "general-iso-27002-2022": [
          "8.9"
        ],
        "general-iso-27018-2025": [
          "8.9"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.4"
        ],
        "general-nist-800-53-r4": [
          "CM-2(1)",
          "CM-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-02"
        ],
        "general-nist-800-82-r3": [
          "CM-02"
        ],
        "general-nist-800-82-r3-low": [
          "CM-02"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-02"
        ],
        "general-nist-800-82-r3-high": [
          "CM-02"
        ],
        "general-nist-800-161-r1": [
          "CM-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-2"
        ],
        "general-nist-800-171-r2": [
          "3.3.3",
          "NFO - CM-2(1)"
        ],
        "general-nist-800-171-r3": [
          "03.04.01.b",
          "03.04.02.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.01.ODP[01]",
          "A.03.04.01.b[01]",
          "A.03.04.01.b[02]",
          "A.03.04.01.b[03]",
          "A.03.04.01.b[04]",
          "A.03.04.06.c"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-nist-csf-2-0": [
          "PR.PS"
        ],
        "general-pci-dss-4-0-1": [
          "12.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.4.2"
        ],
        "general-swift-cscf-2025": [
          "2.3"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.K",
          "2.O"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-3d",
          "ASSET-3e"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-02"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-2",
          "CM-2(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-2",
          "CM-2(1)",
          "CM-2(1).a",
          "CM-2(1).b",
          "CM-2(1).c",
          "CM-2(1).d"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-010-4 1.3",
          "CIP-010-4 2.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(A)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-02"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.3.3"
        ],
        "emea-isr-cmo-1-0": [
          "3.3",
          "14.3"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-6"
        ],
        "emea-sau-cgiot-2024": [
          "2-14-4"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-2-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2418"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2418"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2418"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2418"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P5",
          "ML3-P5",
          "ML3-P6"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1407",
          "ISM-1588"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S1"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.01.B",
          "03.04.02.B"
        ]
      }
    },
    {
      "control_id": "CFG-02.2",
      "title": "Automated Central Management & Verification",
      "family": "CFG",
      "description": "Automated mechanisms exist to govern and report on baseline configurations of Technology Assets, Applications and/or Services (TAAS) through Continuous Diagnostics and Mitigation (CDM), or similar technologies.",
      "scf_question": "Does the organization use automated mechanisms to govern and report on baseline configurations of Technology Assets, Applications and/or Services (TAAS) through Continuous Diagnostics and Mitigation (CDM), or similar technologies?",
      "relative_weight": 7,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMBD) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically govern and report on baseline configurations of Technology Assets, Applications and/or Services (TAAS) through Continuous Diagnostics and Mitigation (CDM), or similar technologies.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ManageEngine Vulnerability Manager Plus (https://manageengine.com)",
        "small": "∙ ManageEngine Vulnerability Manager Plus (https://manageengine.com)",
        "medium": "∙ ManageEngine Vulnerability Manager Plus (https://manageengine.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-3",
        "R-GV-1",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.1-POF1",
          "CC7.2",
          "CC8.1",
          "CC8.1-POF6",
          "CC8.1-POF11"
        ],
        "general-cobit-2019": [
          "BAI10.02",
          "BAI10.04",
          "BAI10.05"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-06",
          "CCC-07",
          "CCC-08"
        ],
        "general-csa-iot-2": [
          "CCM-03",
          "SWS-02"
        ],
        "general-govramp": [
          "CM-02(02)",
          "CM-06(01)"
        ],
        "general-govramp-core": [
          "CM-02(02)",
          "CM-06(01)"
        ],
        "general-govramp-low-plus": [
          "CM-06(01)"
        ],
        "general-govramp-mod": [
          "CM-02(02)",
          "CM-06(01)"
        ],
        "general-govramp-high": [
          "CM-02(02)",
          "CM-06(01)"
        ],
        "general-iec-62443-2-1-2024": [
          "CM 1.3"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.3 RE 1",
          "SR 3.3 RE 2",
          "SR 7.6 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 7.6(1)"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.12"
        ],
        "general-nist-800-53-r4": [
          "CM-2(2)",
          "CM-6(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-02(02)",
          "CM-06(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-02(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CM-06(01)"
        ],
        "general-nist-800-82-r3": [
          "CM-02(02)",
          "CM-06(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-02(02)",
          "CM-06(01)"
        ],
        "general-nist-800-161-r1": [
          "CM-6(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-6(1)"
        ],
        "general-nist-800-171-r3": [
          "03.04.02.b",
          "03.04.03.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.03.d[01]",
          "A.03.04.03.d[02]"
        ],
        "general-nist-800-172": [
          "3.4.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-sparta": [
          "CM0023"
        ],
        "general-swift-cscf-2025": [
          "2.3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.CMANA"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-2(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-3e"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "CM.L3-3.4.2E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.5.1"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "2.2.2",
          "2.2.3"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-02(02)",
          "CM-06(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-02(02)",
          "CM-06(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-2(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-1-IS.2",
          "CM-6.d",
          "CM-6(1)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.2.c"
        ],
        "emea-isr-cmo-1-0": [
          "3.3",
          "6.2",
          "6.4",
          "9.22",
          "9.23",
          "14.3",
          "14.4"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 21.2"
        ],
        "emea-esp-decree-311-2022": [
          "21.2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2415"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2415"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.3(a)",
          "4.3(b)"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.3.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.02.B",
          "03.04.03.D"
        ]
      }
    },
    {
      "control_id": "CFG-02.3",
      "title": "Retention Of Previous Configurations",
      "family": "CFG",
      "description": "Mechanisms exist to retain previous versions of baseline configuration to support roll back.",
      "scf_question": "Does the organization retain previous versions of baseline configuration to support roll back?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ Historical versions of configurations are maintained for troubleshooting and forensics purposes.",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to retain previous versions of baseline configuration to support roll back.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document baseline configurations for key systems",
        "small": "∙ Configuration baseline documentation\n∙ CIS Benchmark hardening guides",
        "medium": "∙ Configuration management program\n∙ Automated baseline assessment (e.g., CIS-CAT)",
        "large": "∙ Enterprise CMDB\n∙ Automated configuration compliance scanning",
        "enterprise": "∙ Enterprise configuration management platform (e.g., Ansible, Puppet)\n∙ CMDB\n∙ Drift detection and remediation"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-govramp": [
          "CM-02(03)"
        ],
        "general-govramp-low-plus": [
          "CM-02(03)"
        ],
        "general-govramp-mod": [
          "CM-02(03)"
        ],
        "general-govramp-high": [
          "CM-02(03)"
        ],
        "general-nist-800-53-r4": [
          "CM-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-02(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-02(03)"
        ],
        "general-nist-800-82-r3": [
          "CM-02(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-02(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-02(03)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.BRECO"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-2(3)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-02(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-2(CE-3)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-2(3)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-02 (03)"
        ],
        "emea-isr-cmo-1-0": [
          "14.5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1510"
        ]
      }
    },
    {
      "control_id": "CFG-02.4",
      "title": "Development & Test Environment Configurations",
      "family": "CFG",
      "description": "Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.",
      "scf_question": "Does the organization manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ Deviations from approved baseline configurations are handled on a case-by-case basis by IT/cybersecurity personnel. Acceptance of any deviations from baselines must be informed by performance of a risk assessment.\n▪ IT/cybersecurity personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments, including the implementation of appropriate cybersecurity and data protection controls.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ The restrictiveness of the SBCs are commensurate with the criticality of the TAAS and/or sensitivity of the data being protected, in accordance with applicable laws, regulations and frameworks.\n▪ Tailored SBC are created for higher-risk operating environments and/or for TAAS that store, process or transmit sensitive/regulated data.",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that effect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document baseline configurations for key systems",
        "small": "∙ Configuration baseline documentation\n∙ CIS Benchmark hardening guides",
        "medium": "∙ Configuration management program\n∙ Automated baseline assessment (e.g., CIS-CAT)",
        "large": "∙ Enterprise CMDB\n∙ Automated configuration compliance scanning",
        "enterprise": "∙ Enterprise configuration management platform (e.g., Ansible, Puppet)\n∙ CMDB\n∙ Drift detection and remediation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "AIS-02"
        ],
        "general-iso-27002-2022": [
          "8.25"
        ],
        "general-iso-27018-2025": [
          "8.25"
        ],
        "general-nist-800-53-r4": [
          "CM-2(6)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-02(06)"
        ],
        "general-nist-800-82-r3": [
          "CM-02(06)"
        ],
        "general-nist-800-161-r1": [
          "CM-2(6)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-2(6)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-2(6)"
        ],
        "general-nist-800-218": [
          "PO.5",
          "PO.5.2"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.6"
        ],
        "general-shared-assessments-sig-2025": [
          "I.1.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1"
        ],
        "usa-federal-eo-14028": [
          "4e(i)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)"
        ],
        "emea-isr-cmo-1-0": [
          "10.1",
          "10.2"
        ],
        "apac-nzl-ism-3-9": [
          "18.1.10.C.01",
          "18.1.10.C.02",
          "18.1.10.C.03",
          "18.1.10.C.04"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.3"
        ]
      }
    },
    {
      "control_id": "CFG-02.5",
      "title": "Configure Technology Assets, Applications and/or Services (TAAS) for High-Risk Areas",
      "family": "CFG",
      "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) utilized in high-risk areas with more restrictive baseline configurations.",
      "scf_question": "Does the organization configure Technology Assets, Applications and/or Services (TAAS) utilized in high-risk areas with more restrictive baseline configurations?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-12",
        "E-AST-13",
        "E-AST-14",
        "E-AST-15",
        "E-AST-16",
        "E-AST-17",
        "E-AST-18",
        "E-AST-19",
        "E-AST-20",
        "E-AST-21",
        "E-AST-33"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ The restrictiveness of the SBCs are commensurate with the criticality of the TAAS and/or sensitivity of the data being protected, in accordance with applicable laws, regulations and frameworks.\n▪ Tailored SBC are created for higher-risk operating environments and/or for TAAS that store, process or transmit sensitive/regulated data.",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure Technology Assets, Applications and/or Services (TAAS) utilized in high-risk areas with more restrictive baseline configurations.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that effect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.7"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-02"
        ],
        "general-csa-iot-2": [
          "CLS-05",
          "IOT-02",
          "SAP-09",
          "SWS-03"
        ],
        "general-govramp": [
          "CM-02(07)"
        ],
        "general-govramp-mod": [
          "CM-02(07)"
        ],
        "general-govramp-high": [
          "CM-02(07)"
        ],
        "general-iso-21434-2021": [
          "RQ-05-12"
        ],
        "general-iso-27002-2022": [
          "8.12"
        ],
        "general-iso-27018-2025": [
          "8.12"
        ],
        "general-nist-800-37-r2": [
          "TASK P-6"
        ],
        "general-nist-800-53-r4": [
          "CM-2(7)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-02(07)",
          "CM-07(06)",
          "CM-07(07)",
          "CM-07(09)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-02(07)"
        ],
        "general-nist-800-82-r3": [
          "CM-02(07)",
          "CM-07(06)",
          "CM-07(07)",
          "CM-07(09)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-02(07)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-02(07)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-02(07)",
          "CM-07(06)",
          "CM-07(07)"
        ],
        "general-nist-800-161-r1": [
          "CM-7(6)",
          "CM-7(7)",
          "CM-7(9)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-7(6)",
          "CM-7(9)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-7(6)",
          "CM-7(7)",
          "CM-7(9)"
        ],
        "general-nist-800-171-r2": [
          "NFO - CM-2(7)"
        ],
        "general-nist-800-171-r3": [
          "03.04.01.a",
          "03.04.02.a",
          "03.04.06.a",
          "03.04.06.b",
          "03.04.06.d",
          "03.04.12.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.12.ODP[01]",
          "A.03.04.12.ODP[02]"
        ],
        "general-nist-800-218": [
          "PO.5.2"
        ],
        "general-nist-csf-2-0": [
          "PR.PS"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.1",
          "1.5",
          "1.5.1",
          "8.5",
          "10.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2",
          "10.6",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.1",
          "1.5.1",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.2.1.2",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.2",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.1",
          "1.5.1",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.1",
          "1.5.1",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-sparta": [
          "CM0037",
          "CM0047"
        ],
        "general-swift-cscf-2025": [
          "2.3",
          "2.6",
          "2.10",
          "4.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.LCTPR"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.W",
          "2.X"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-2(7)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-1f",
          "ARCHITECTURE-3k"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-02(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-02(07)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-2(CE-7)",
          "CM-2(CE-7).a",
          "CM-2(CE-7).b",
          "CM-7(CE-9)",
          "CM-7(CE-9).a",
          "CM-7(CE-9).b",
          "CM-7(CE-9).c"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 14.3(a)"
        ],
        "emea-isr-cmo-1-0": [
          "4.12",
          "9.21",
          "10.7"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-3",
          "2-3-1-7"
        ],
        "emea-sau-ecc-1-2018": [
          "5-1-3-7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-5",
          "2-3-1-7"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-10",
          "TPC-13",
          "TPC-14",
          "TPC-15",
          "TPC-16",
          "TPC-17",
          "TPC-22",
          "TPC-38",
          "TPC-56",
          "TPC-63",
          "TPC-87"
        ],
        "emea-gbr-cap-1850-2020": [
          "B4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2312"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2312"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2312"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2312"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0534",
          "ISM-1656",
          "ISM-1657",
          "ISM-1658",
          "ISM-1659",
          "ISM-1667",
          "ISM-1668",
          "ISM-1669",
          "ISM-1670",
          "ISM-1671",
          "ISM-1672",
          "ISM-1673",
          "ISM-1674",
          "ISM-1675",
          "ISM-1676",
          "ISM-1677",
          "ISM-1748",
          "ISM-1749",
          "ISM-1800"
        ],
        "apac-nzl-ism-3-9": [
          "18.1.10.C.01",
          "18.1.10.C.02",
          "18.1.10.C.03",
          "18.1.10.C.04",
          "23.2.21.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.01.A",
          "03.04.02.A",
          "03.04.06.A",
          "03.04.06.B",
          "03.04.06.D",
          "03.04.12.A"
        ]
      }
    },
    {
      "control_id": "CFG-02.6",
      "title": "Network Device Configuration File Synchronization",
      "family": "CFG",
      "description": "Mechanisms exist to configure network devices to synchronize startup and running configuration files.",
      "scf_question": "Does the organization configure network devices to synchronize startup and running configuration files?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure network devices to synchronize startup and running configuration files.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document baseline configurations for key systems",
        "small": "∙ Configuration baseline documentation\n∙ CIS Benchmark hardening guides",
        "medium": "∙ Configuration management program\n∙ Automated baseline assessment (e.g., CIS-CAT)",
        "large": "∙ Enterprise CMDB\n∙ Automated configuration compliance scanning",
        "enterprise": "∙ Enterprise configuration management platform (e.g., Ansible, Puppet)\n∙ CMDB\n∙ Drift detection and remediation"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-3",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "1.2.8"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.8"
        ],
        "emea-isr-cmo-1-0": [
          "9.22"
        ],
        "apac-nzl-ism-3-9": [
          "18.1.10.C.01",
          "18.1.10.C.02",
          "18.1.10.C.03",
          "18.1.10.C.04"
        ]
      }
    },
    {
      "control_id": "CFG-02.7",
      "title": "Approved Configuration Deviations",
      "family": "CFG",
      "description": "Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations.",
      "scf_question": "Does the organization document, assess risk and approve or deny deviations to standardized configurations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-33"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ Any deviations from approved baseline configurations are reviewed, approved and documented on a case-by-case basis by IT and/or cybersecurity personnel.\n▪ Deviations to baseline configurations are required to have a risk assessment and the business process owner's acceptance of the risk(s) associated with the deviation.",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document, assess risk and approve or deny deviations to standardized configurations.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manual exception management process",
        "small": "∙ Manual exception management process",
        "medium": "∙ Manual exception management process\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "AIS-02",
          "CCC-08"
        ],
        "general-govramp": [
          "CM-06"
        ],
        "general-govramp-core": [
          "CM-06"
        ],
        "general-govramp-low": [
          "CM-06"
        ],
        "general-govramp-low-plus": [
          "CM-06"
        ],
        "general-govramp-mod": [
          "CM-06"
        ],
        "general-govramp-high": [
          "CM-06"
        ],
        "general-nist-800-53-r4": [
          "CM-6"
        ],
        "general-nist-800-53-r5-2": [
          "CM-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-06"
        ],
        "general-nist-800-82-r3": [
          "CM-06"
        ],
        "general-nist-800-82-r3-low": [
          "CM-06"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-06"
        ],
        "general-nist-800-82-r3-high": [
          "CM-06"
        ],
        "general-nist-800-161-r1": [
          "CM-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-6"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-6"
        ],
        "general-nist-800-171-r3": [
          "03.04.01.a",
          "03.04.02.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.02.b[01]",
          "A.03.04.02.b[02]"
        ],
        "general-nist-800-172": [
          "3.5.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-swift-cscf-2025": [
          "2.10"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.O"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-06"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-6",
          "CM-6(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-6",
          "CM-6.c"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-010-4 1.2",
          "CIP-010-4 1.4",
          "CIP-010-4 1.4.3",
          "CIP-010-4 1.5",
          "CIP-010-4 1.6"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-06"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.3(c)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.01.A",
          "03.04.02.B"
        ]
      }
    },
    {
      "control_id": "CFG-02.8",
      "title": "Respond To Unauthorized Changes",
      "family": "CFG",
      "description": "Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents.",
      "scf_question": "Does the organization respond to unauthorized changes to configuration settings as security incidents?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to verify the functionality of security controls when anomalies or misconfigurations are discovered.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to respond to unauthorized changes to configuration settings as security incidents.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)",
        "small": "∙ Incident Response Plan (IRP)",
        "medium": "∙ Incident Response Plan (IRP)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ Incident Response Plan (IRP)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ Incident Response Plan (IRP)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.3"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-09"
        ],
        "general-govramp": [
          "CM-06(02)"
        ],
        "general-govramp-high": [
          "CM-06(02)"
        ],
        "general-nist-800-53-r4": [
          "CM-6(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-06(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CM-06(02)"
        ],
        "general-nist-800-82-r3": [
          "CM-06(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-06(02)"
        ],
        "general-nist-800-161-r1": [
          "CM-6(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-6(2)"
        ],
        "general-nist-800-172": [
          "3.4.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-pci-dss-4-0-1": [
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-swift-cscf-2025": [
          "2.3"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "CM.L3-3.4.2E"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-06(02)"
        ],
        "emea-deu-bsrit-2017": [
          "8.6"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-11"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.19",
          "4.20"
        ]
      }
    },
    {
      "control_id": "CFG-02.9",
      "title": "Baseline Tailoring",
      "family": "CFG",
      "description": "Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to:\n(1) Mission / business functions;\n(2) Operational environment;\n(3) Specific threats or vulnerabilities; or\n(4) Other conditions or situations that could affect mission / business success.",
      "scf_question": "Does the organization allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to:\n (1) Mission / business functions;\n (2) Operational environment;\n (3) Specific threats or vulnerabilities; or\n (4) Other conditions or situations that could affect mission / business success?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-33",
        "E-GOV-20"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ Deviations from approved baseline configurations are handled on a case-by-case basis by IT/cybersecurity personnel. Acceptance of any deviations from baselines must be informed by performance of a risk assessment.\n▪ As necessary, enhanced security requirements are developed for unattended systems (e.g., kiosks, ATMs, etc.) and point of sale devices.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ Tailored SBC are created for higher-risk operating environments and/or for TAAS that store, process or transmit sensitive/regulated data.\n▪ IT and/or cybersecurity personnel perform an annual review of existing configurations to ensure security objectives are still being met.",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to:\n(1) Mission / business functions;\n(2) Operational environment;\n(3) Specific threats or vulnerabilities; or\n(4) Other conditions or situations that could affect mission / business success.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ ManageEngine Vulnerability Manager Plus (https://manageengine.com)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ ManageEngine Vulnerability Manager Plus (https://manageengine.com)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ ManageEngine Vulnerability Manager Plus (https://manageengine.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "AIS-02"
        ],
        "general-iso-21434-2021": [
          "PM-06-13",
          "PM-06-14"
        ],
        "general-nist-800-37-r2": [
          "TASK P-4",
          "TASK S-2"
        ],
        "general-nist-800-53-r5-2": [
          "PL-11"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-11"
        ],
        "general-nist-800-82-r3": [
          "PL-11"
        ],
        "general-nist-800-82-r3-low": [
          "PL-11"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-11"
        ],
        "general-nist-800-82-r3-high": [
          "PL-11"
        ],
        "general-nist-800-171-r2": [
          "3.3.3"
        ],
        "general-nist-800-171-r3": [
          "03.03.02.b",
          "03.04.01.a",
          "03.04.02.a",
          "03.04.02.b",
          "03.04.06.a",
          "03.04.08.a",
          "03.04.12.a",
          "03.13.11"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.02.b"
        ],
        "general-shared-assessments-sig-2025": [
          "N.11"
        ],
        "general-swift-cscf-2025": [
          "2.3",
          "2.10"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "OPD:SG1.SP2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-11"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-3d",
          "SITUATION-1f",
          "ARCHITECTURE-3h"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-11"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-11"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-11"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-11"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-6-IS.1",
          "CM-6-IS.1.a",
          "CM-6-IS.1.b",
          "CM-6-IS.1.c",
          "CM-6-IS.1.d"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-010-4 1.4.1",
          "CIP-010-4 1.6.1",
          "CIP-010-4 1.6.2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)",
          "7123(c)(11)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-11",
          "PL-11-SID",
          "PL-11-SID.1",
          "PL-11-SID.2"
        ],
        "emea-isr-cmo-1-0": [
          "10.7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-7"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2418"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2418"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2418"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2418"
        ],
        "apac-jpn-ismap": [
          "9.5.2.P",
          "9.5.2.1.PB"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.50.C.01",
          "16.1.50.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.02.B",
          "03.04.01.A",
          "03.04.02.A",
          "03.04.02.B",
          "03.04.06.A",
          "03.04.08.A",
          "03.04.12.A",
          "03.13.11"
        ]
      }
    },
    {
      "control_id": "CFG-03",
      "title": "Least Functionality",
      "family": "CFG",
      "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
      "scf_question": "Does the organization configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-12",
        "E-AST-13",
        "E-AST-14",
        "E-AST-15",
        "E-AST-16",
        "E-AST-17",
        "E-AST-18",
        "E-AST-19",
        "E-AST-20",
        "E-AST-21"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ The restrictiveness of the SBCs is commensurate with the criticality of the TAAS and/or sensitivity of the data being protected, in accordance with applicable laws, regulations and frameworks.",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n∙ Center for Internet Security (CIS) Benchmarks\n∙ Original Equipment Manufacturer (OEM) security guides"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.2-POF3",
          "CC6.1-POF7",
          "CC6.7-POF1"
        ],
        "general-cis-csc-8-1": [
          "4.0",
          "4.6",
          "4.8"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.6",
          "4.8"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.6",
          "4.8"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-02"
        ],
        "general-govramp": [
          "CM-07"
        ],
        "general-govramp-low": [
          "CM-07"
        ],
        "general-govramp-low-plus": [
          "CM-07"
        ],
        "general-govramp-mod": [
          "CM-07"
        ],
        "general-govramp-high": [
          "CM-07"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.7"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.2",
          "CR 7.7"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.3"
        ],
        "general-iso-27002-2022": [
          "8.3",
          "8.9",
          "8.12"
        ],
        "general-iso-27017-2015": [
          "9.4.1"
        ],
        "general-iso-27018-2025": [
          "8.9",
          "8.12"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.005",
          "T1008",
          "T1011",
          "T1011.001",
          "T1020.001",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.005",
          "T1021.006",
          "T1021.008",
          "T1027",
          "T1036",
          "T1036.005",
          "T1036.007",
          "T1036.008",
          "T1037",
          "T1037.001",
          "T1040",
          "T1046",
          "T1047",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1053",
          "T1053.002",
          "T1053.005",
          "T1059",
          "T1059.005",
          "T1059.007",
          "T1059.009",
          "T1059.010",
          "T1068",
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1072",
          "T1078",
          "T1078.004",
          "T1080",
          "T1087",
          "T1087.001",
          "T1087.002",
          "T1090",
          "T1090.001",
          "T1090.002",
          "T1090.003",
          "T1092",
          "T1095",
          "T1098",
          "T1098.001",
          "T1098.004",
          "T1098.007",
          "T1102",
          "T1102.001",
          "T1102.002",
          "T1102.003",
          "T1104",
          "T1105",
          "T1106",
          "T1112",
          "T1127",
          "T1127.002",
          "T1129",
          "T1133",
          "T1135",
          "T1136",
          "T1136.002",
          "T1136.003",
          "T1176",
          "T1187",
          "T1190",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1197",
          "T1199",
          "T1204",
          "T1204.001",
          "T1204.002",
          "T1204.003",
          "T1205",
          "T1205.001",
          "T1210",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1216",
          "T1216.001",
          "T1216.002",
          "T1218",
          "T1218.001",
          "T1218.002",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.007",
          "T1218.008",
          "T1218.009",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1218.015",
          "T1219",
          "T1220",
          "T1221",
          "T1482",
          "T1484",
          "T1489",
          "T1490",
          "T1498",
          "T1498.001",
          "T1498.002",
          "T1499",
          "T1499.001",
          "T1499.002",
          "T1499.003",
          "T1499.004",
          "T1505.004",
          "T1525",
          "T1530",
          "T1537",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1546.002",
          "T1546.006",
          "T1546.008",
          "T1546.009",
          "T1546.010",
          "T1547.004",
          "T1547.006",
          "T1547.007",
          "T1547.009",
          "T1548",
          "T1548.001",
          "T1548.003",
          "T1548.004",
          "T1548.006",
          "T1552",
          "T1552.003",
          "T1552.005",
          "T1552.007",
          "T1553",
          "T1553.001",
          "T1553.003",
          "T1553.004",
          "T1553.005",
          "T1553.006",
          "T1555.004",
          "T1555.006",
          "T1556",
          "T1556.002",
          "T1556.008",
          "T1556.009",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1559",
          "T1559.002",
          "T1559.003",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.003",
          "T1562.004",
          "T1562.006",
          "T1562.009",
          "T1562.010",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1564.002",
          "T1564.003",
          "T1564.006",
          "T1564.008",
          "T1564.009",
          "T1565",
          "T1565.003",
          "T1569",
          "T1569.002",
          "T1570",
          "T1571",
          "T1572",
          "T1573",
          "T1573.001",
          "T1573.002",
          "T1574",
          "T1574.001",
          "T1574.006",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.012",
          "T1574.014",
          "T1590.002",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1609",
          "T1610",
          "T1611",
          "T1612",
          "T1613",
          "T1622",
          "T1647",
          "T1648",
          "T1653"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.8",
          "TS-8.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PT-P2"
        ],
        "general-nist-800-53-r4": [
          "CM-7"
        ],
        "general-nist-800-53-r5-2": [
          "CM-07"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-07"
        ],
        "general-nist-800-82-r3": [
          "CM-07"
        ],
        "general-nist-800-82-r3-low": [
          "CM-07"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-07"
        ],
        "general-nist-800-82-r3-high": [
          "CM-07"
        ],
        "general-nist-800-161-r1": [
          "CM-7"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-7"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CM-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-7"
        ],
        "general-nist-800-171-r2": [
          "3.4.6"
        ],
        "general-nist-800-171-r3": [
          "03.04.02.a",
          "03.04.06.a",
          "03.04.06.b",
          "03.04.06.d",
          "03.04.08.a"
        ],
        "general-nist-800-171a": [
          "3.4.6[a]",
          "3.4.6[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.02.ODP[01]",
          "A.03.04.06.d"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-05"
        ],
        "general-owasp-top-10-2025": [
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.5",
          "1.2.6",
          "1.4",
          "1.4.1",
          "1.4.2",
          "2.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.5",
          "1.2.6",
          "1.4.1",
          "1.4.2",
          "2.2.4"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.5",
          "1.2.6",
          "1.4.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.4"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.5",
          "1.2.6",
          "1.4.1",
          "1.4.2",
          "2.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.5",
          "1.2.6",
          "1.4.1",
          "1.4.2",
          "2.2.4"
        ],
        "general-sparta": [
          "CM0047"
        ],
        "general-swift-cscf-2025": [
          "2.3",
          "2.10"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.W"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-7"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-3d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-07"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-7",
          "CM-7(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-7",
          "CM-7.a",
          "CM-7.b",
          "CM-7-IS.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 1.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(11)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-07"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-07"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(f)"
        ],
        "emea-isr-cmo-1-0": [
          "4.8",
          "4.9",
          "12.9",
          "12.13"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-5",
          "2-3-1-4"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 20(a)",
          "Article 20(b)",
          "Article 20(c)",
          "Article 20(d)"
        ],
        "emea-esp-decree-311-2022": [
          "20(a)",
          "20(b)",
          "20(c)",
          "20(d)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2204",
          "2430",
          "2507"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2204",
          "2507"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2204",
          "2430",
          "2507"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2204",
          "2430",
          "2507"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0385",
          "ISM-1006",
          "ISM-1311",
          "ISM-1312",
          "ISM-1392",
          "ISM-1479",
          "ISM-1487",
          "ISM-1488",
          "ISM-1489",
          "ISM-1621"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S1"
        ],
        "apac-nzl-ism-3-9": [
          "18.1.15.C.01",
          "18.1.15.C.02",
          "18.1.15.C.03",
          "18.1.15.C.04"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.02.A",
          "03.04.06.A",
          "03.04.06.B",
          "03.04.06.D",
          "03.04.08.A"
        ]
      }
    },
    {
      "control_id": "CFG-03.1",
      "title": "Periodic Review",
      "family": "CFG",
      "description": "Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.",
      "scf_question": "Does the organization periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations are reviewed only when new operating systems or versions of applications are released.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configuration Management (CM) program\n∙ Change control program",
        "small": "∙ Configuration Management (CM) program\n∙ Change control program",
        "medium": "∙ Configuration Management (CM) program\n∙ Change control program",
        "large": "∙ Configuration Management (CM) program\n∙ Change control program",
        "enterprise": "∙ Configuration Management (CM) program\n∙ Change control program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "AIS-02"
        ],
        "general-govramp": [
          "CM-07(01)"
        ],
        "general-govramp-mod": [
          "CM-07(01)"
        ],
        "general-govramp-high": [
          "CM-07(01)"
        ],
        "general-iso-27002-2022": [
          "8.8",
          "8.27"
        ],
        "general-iso-27017-2015": [
          "9.2.5",
          "9.2.6",
          "12.6.1"
        ],
        "general-iso-27018-2025": [
          "8.8",
          "8.27"
        ],
        "general-nist-800-53-r4": [
          "CM-7(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-07(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-07(01)"
        ],
        "general-nist-800-82-r3": [
          "CM-07(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-07(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-07(01)"
        ],
        "general-nist-800-161-r1": [
          "CM-7(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-7(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-7(1)"
        ],
        "general-nist-800-171-r2": [
          "3.4.7"
        ],
        "general-nist-800-171-r3": [
          "03.04.06.c",
          "03.04.08.c"
        ],
        "general-nist-800-171a": [
          "3.4.7[a]",
          "3.4.7[b]",
          "3.4.7[c]",
          "3.4.7[d]",
          "3.4.7[e]",
          "3.4.7[f]",
          "3.4.7[g]",
          "3.4.7[h]",
          "3.4.7[i]",
          "3.4.7[j]",
          "3.4.7[k]",
          "3.4.7[l]",
          "3.4.7[m]",
          "3.4.7[n]",
          "3.4.7[o]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.06.ODP[06]"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.7",
          "11.6.1",
          "12.3.1",
          "12.3.4",
          "12.4.2",
          "12.5.2",
          "12.5.2.1",
          "12.6.2",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.7",
          "11.6.1",
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.7",
          "11.6.1",
          "12.3.1",
          "12.3.4",
          "12.5.2",
          "12.6.2",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.7",
          "11.6.1",
          "12.3.1",
          "12.3.4",
          "12.4.2",
          "12.5.2",
          "12.5.2.1",
          "12.6.2",
          "12.6.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-7(1)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.7"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-07(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-07(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-7(CE-1)",
          "CM-7(CE-1).a",
          "CM-7(CE-1).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-7(1)",
          "CM-7(1).a",
          "CM-7(1).b"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-07 (01)"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 21.2"
        ],
        "emea-esp-decree-311-2022": [
          "21.2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2430",
          "2507"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2507"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2430",
          "2507"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2430",
          "2507"
        ],
        "apac-ind-sebi-2024": [
          "DE.CM.S5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.06.C",
          "03.04.08.C"
        ]
      }
    },
    {
      "control_id": "CFG-03.2",
      "title": "Prevent Unauthorized Software Execution",
      "family": "CFG",
      "description": "Mechanisms exist to configure systems to prevent the execution of unauthorized software programs.",
      "scf_question": "Does the organization configure systems to prevent the execution of unauthorized software programs?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-20",
        "E-AST-21"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure systems to prevent the execution of unauthorized software programs.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "small": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "medium": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.5"
        ],
        "general-govramp": [
          "CM-07(02)"
        ],
        "general-govramp-mod": [
          "CM-07(02)"
        ],
        "general-govramp-high": [
          "CM-07(02)"
        ],
        "general-nist-800-53-r4": [
          "CM-7(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-07(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-07(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-07(02)"
        ],
        "general-nist-800-82-r3": [
          "CM-07(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-07(02)"
        ],
        "general-nist-800-171-r2": [
          "3.4.7"
        ],
        "general-nist-800-171-r3": [
          "03.04.08.b"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-05"
        ],
        "general-tisax-6-0-3": [
          "1.3.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-7(2)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-07(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-07(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-07(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-07(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-7(2)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-07 (02)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-11"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P5",
          "ML3-P5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.19",
          "4.20"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.08.B"
        ]
      }
    },
    {
      "control_id": "CFG-03.3",
      "title": "Explicitly Allow / Deny Applications",
      "family": "CFG",
      "description": "Mechanisms exist to explicitly allow (allowlist / whitelist) and/or block (denylist / blacklist) applications that are authorized to execute on systems.",
      "scf_question": "Does the organization explicitly allow (allowlist / whitelist) and/or block (denylist / blacklist) applications that are authorized to execute on systems?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-31"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to explicitly allow (allowlist / whitelist) and/or block (denylist / blacklist) applications that are authorized to execute on systems.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "small": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "medium": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.3",
          "2.5",
          "2.6",
          "2.7"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.3",
          "2.5",
          "2.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.3",
          "2.5",
          "2.6",
          "2.7"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-02"
        ],
        "general-csa-iot-2": [
          "CLS-02"
        ],
        "general-govramp": [
          "CM-07(05)"
        ],
        "general-govramp-mod": [
          "CM-07(05)"
        ],
        "general-govramp-high": [
          "CM-07(05)"
        ],
        "general-nist-800-53-r4": [
          "CM-7(4)",
          "CM-7(5)",
          "SC-18(4)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-07(04)",
          "CM-07(05)",
          "SC-18(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-18(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-07(05)"
        ],
        "general-nist-800-82-r3": [
          "CM-07(04)",
          "CM-07(05)",
          "SC-18(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-07(05)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-07(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-07(04)",
          "CM-07(05)"
        ],
        "general-nist-800-161-r1": [
          "CM-7(4)",
          "CM-7(5)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-7(4)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-7(4)",
          "CM-7(5)"
        ],
        "general-nist-800-171-r2": [
          "3.4.8"
        ],
        "general-nist-800-171-r3": [
          "03.04.08.a",
          "03.04.08.b",
          "03.13.13.a",
          "03.13.13.b"
        ],
        "general-nist-800-171a": [
          "3.4.8[a]",
          "3.4.8[b]",
          "3.4.8[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.08.ODP[01]",
          "A.03.04.08.a",
          "A.03.04.08.b",
          "A.03.13.13.b[03]"
        ],
        "general-sparta": [
          "CM0047",
          "CM0069"
        ],
        "general-swift-cscf-2025": [
          "2.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-7(5)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-3m"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.8"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-18(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-07(05)",
          "SC-18(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-07(05)",
          "SC-18(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-18(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-7(CE-5)",
          "CM-7(CE-5).a",
          "CM-7(CE-5).b",
          "CM-7(CE-5).c"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-7(4)",
          "CM-7(4).a",
          "CM-7(4).b",
          "CM-7(4).c"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(B)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-07 (05)"
        ],
        "emea-deu-c5-2020": [
          "AM-02"
        ],
        "emea-isr-cmo-1-0": [
          "6.7"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-1"
        ],
        "emea-sau-cgiot-2024": [
          "2-14-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-6"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2409"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2409"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2409"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2409"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P5",
          "ML2-P5",
          "ML3-P5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0843",
          "ISM-0846",
          "ISM-1235",
          "ISM-1544"
        ],
        "apac-nzl-ism-3-9": [
          "14.2.4.C.01",
          "14.2.5.C.01",
          "14.2.5.C.02",
          "14.2.5.C.03",
          "14.2.5.C.04",
          "14.2.6.C.01",
          "14.2.7.C.01",
          "14.2.7.C.02",
          "14.2.7.C.03",
          "14.2.7.C.04",
          "14.2.7.C.05",
          "14.2.7.C.06",
          "14.2.7.C.07"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.3.6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.19",
          "4.20"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.08.A",
          "03.04.08.B",
          "03.13.13.A",
          "03.13.13.B"
        ]
      }
    },
    {
      "control_id": "CFG-03.4",
      "title": "Split Tunneling",
      "family": "CFG",
      "description": "Mechanisms exist to prevent split tunneling for remote devices unless the split tunnel is securely provisioned using organization-defined safeguards.",
      "scf_question": "Does the organization prevent split tunneling for remote devices unless the split tunnel is securely provisioned using organization-defined safeguards?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent split tunneling for remote devices unless the split tunnel is securely provisioned using organization-defined safeguards.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-EX-7",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-govramp": [
          "SC-07(07)"
        ],
        "general-govramp-low-plus": [
          "SC-07(07)"
        ],
        "general-govramp-mod": [
          "SC-07(07)"
        ],
        "general-govramp-high": [
          "SC-07(07)"
        ],
        "general-nist-800-53-r4": [
          "SC-7(7)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(07)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-07(07)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(07)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-07(07)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07(07)"
        ],
        "general-nist-800-171-r2": [
          "3.13.7"
        ],
        "general-nist-800-171a": [
          "3.13.7"
        ],
        "general-pci-dss-4-0-1": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.5.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-7(7)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.7"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(07)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-7)",
          "SC-7(CE-7).a",
          "SC-7(CE-7).b",
          "SC-7(CE-7).b.1",
          "SC-7(CE-7).b.2",
          "SC-7(CE-7).b.3",
          "SC-7(CE-7).c",
          "SC-7(CE-7).c.1",
          "SC-7(CE-7).c.2",
          "SC-7(CE-7).c.3",
          "SC-7(CE-7).c.4"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-7(7)"
        ],
        "emea-isr-cmo-1-0": [
          "4.15",
          "9.13"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2305"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0705"
        ],
        "apac-nzl-ism-3-9": [
          "18.7.14.C.01",
          "18.7.14.C.02"
        ]
      }
    },
    {
      "control_id": "CFG-04",
      "title": "Software Usage Restrictions",
      "family": "CFG",
      "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
      "scf_question": "Does the organization enforce software usage restrictions to comply with applicable contract agreements and copyright laws?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-govramp": [
          "CM-10"
        ],
        "general-govramp-low-plus": [
          "CM-10"
        ],
        "general-govramp-mod": [
          "CM-10"
        ],
        "general-govramp-high": [
          "CM-10"
        ],
        "general-mitre-att&ck-16-1": [
          "T1546.008",
          "T1546.013",
          "T1550.001",
          "T1553",
          "T1553.004",
          "T1559",
          "T1559.002",
          "T1562.006",
          "T1562.009"
        ],
        "general-nist-800-53-r4": [
          "CM-10"
        ],
        "general-nist-800-53-r5-2": [
          "CM-10"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-10"
        ],
        "general-nist-800-82-r3": [
          "CM-10"
        ],
        "general-nist-800-82-r3-low": [
          "CM-10"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-10"
        ],
        "general-nist-800-82-r3-high": [
          "CM-10"
        ],
        "general-nist-800-161-r1": [
          "CM-10"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-10"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-10"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-10"
        ],
        "general-nist-800-171-r3": [
          "03.13.13.b"
        ],
        "general-tisax-6-0-3": [
          "1.3.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-10"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-10"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-10",
          "CM-10.a",
          "CM-10.b",
          "CM-10.c"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-10"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-10"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-10"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.13.B"
        ]
      }
    },
    {
      "control_id": "CFG-04.1",
      "title": "Open Source Software",
      "family": "CFG",
      "description": "Mechanisms exist to establish parameters for the secure use of open source software.",
      "scf_question": "Does the organization establish parameters for the secure use of open source software?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish parameters for the secure use of open source software.",
        "4": "Configuration Management (CFG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "small": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "medium": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-govramp": [
          "CM-10(01)"
        ],
        "general-govramp-mod": [
          "CM-10(01)"
        ],
        "general-govramp-high": [
          "CM-10(01)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.2-002"
        ],
        "general-nist-800-53-r4": [
          "CM-10(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-10(01)"
        ],
        "general-nist-800-82-r3": [
          "CM-10(01)"
        ],
        "general-nist-800-161-r1": [
          "CM-8(10)",
          "CM-10(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-10(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(10)",
          "CM-10(1)"
        ],
        "general-nist-800-171-r3": [
          "03.13.13.b"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-10(1)",
          "CM-10(1).a",
          "CM-10(1).b",
          "CM-10(1).c"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.13.B"
        ]
      }
    },
    {
      "control_id": "CFG-04.2",
      "title": "Unsupported Internet Browsers & Email Clients",
      "family": "CFG",
      "description": "Mechanisms exist to allow only approved Internet browsers and email clients to run on systems.",
      "scf_question": "Does the organization allow only approved Internet browsers and email clients to run on systems?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to allow only approved Internet browsers and email clients to run on systems.",
        "4": "Configuration Management (CFG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7"
        ],
        "general-cis-csc-8-1": [
          "9.0",
          "9.1",
          "9.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "9.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.1",
          "9.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.1",
          "9.4"
        ],
        "emea-sau-ecc-1-2018": [
          "2-4-1",
          "2-5-3-3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0824",
          "ISM-1235",
          "ISM-1412",
          "ISM-1470",
          "ISM-1485",
          "ISM-1486",
          "ISM-1542",
          "ISM-1585",
          "ISM-1601",
          "ISM-1654",
          "ISM-1655"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.6",
          "4.9"
        ]
      }
    },
    {
      "control_id": "CFG-05",
      "title": "User-Installed Software",
      "family": "CFG",
      "description": "Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software.",
      "scf_question": "Does the organization restrict the ability of non-privileged users to install unauthorized software?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-01",
        "E-AST-21",
        "E-IAM-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the ability of non-privileged users to install unauthorized software.",
        "4": "Configuration Management (CFG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Privileged Account Management (PAM)\n∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Privileged Account Management (PAM)\n∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Privileged Account Management (PAM)\n∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Privileged Account Management (PAM)\n∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Privileged Account Management (PAM)\n∙ whitelisting / blacklisting applications\n∙ Microsoft Windows Defender Application Control (WDAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8-POF1"
        ],
        "general-govramp": [
          "CM-11"
        ],
        "general-govramp-low": [
          "CM-11"
        ],
        "general-govramp-low-plus": [
          "CM-11"
        ],
        "general-govramp-mod": [
          "CM-11"
        ],
        "general-govramp-high": [
          "CM-11"
        ],
        "general-mitre-att&ck-16-1": [
          "T1021.005",
          "T1059",
          "T1059.006",
          "T1072",
          "T1176",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1218",
          "T1218.001",
          "T1218.002",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.008",
          "T1218.009",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.004",
          "T1543",
          "T1543.001",
          "T1543.002",
          "T1543.003",
          "T1543.004",
          "T1547.013",
          "T1550.001",
          "T1564.009",
          "T1569",
          "T1569.001"
        ],
        "general-nist-800-53-r4": [
          "CM-11"
        ],
        "general-nist-800-53-r5-2": [
          "CM-11",
          "CM-11(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-11",
          "CM-11(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-11"
        ],
        "general-nist-800-82-r3": [
          "CM-11",
          "CM-11(02)"
        ],
        "general-nist-800-82-r3-low": [
          "CM-11"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-11"
        ],
        "general-nist-800-82-r3-high": [
          "CM-11"
        ],
        "general-nist-800-161-r1": [
          "CM-11"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-11"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-11"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-11"
        ],
        "general-nist-800-171-r2": [
          "3.4.9"
        ],
        "general-nist-800-171-r3": [
          "03.13.13.b"
        ],
        "general-nist-800-171a": [
          "3.4.9[b]",
          "3.4.9[c]"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-05"
        ],
        "general-tisax-6-0-3": [
          "1.3.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.Q"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-11"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-11",
          "CM-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-11",
          "CM-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-11",
          "CM-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-11",
          "CM-11(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-11"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-11",
          "CM-11.a",
          "CM-11.b",
          "CM-11.c"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-11"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-11"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-11"
        ],
        "emea-isr-cmo-1-0": [
          "6.3"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0382",
          "ISM-1592",
          "ISM-1655"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.19",
          "4.20"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.13.B"
        ]
      }
    },
    {
      "control_id": "CFG-05.1",
      "title": "Unauthorized Installation Alerts",
      "family": "CFG",
      "description": "Mechanisms exist to configure systems to generate an alert when the unauthorized installation of software is detected.",
      "scf_question": "Does the organization configure systems to generate an alert when the unauthorized installation of software is detected?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).\n▪ Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure systems to generate an alert when the unauthorized installation of software is detected.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Windows Defender Application Control (WDAC)",
        "small": "∙ Microsoft Windows Defender Application Control (WDAC)",
        "medium": "∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-EX-7",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8-POF2"
        ],
        "general-cis-csc-8-1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.3"
        ],
        "general-govramp": [
          "CM-08(03)"
        ],
        "general-govramp-mod": [
          "CM-08(03)"
        ],
        "general-govramp-high": [
          "CM-08(03)"
        ],
        "general-nist-800-53-r4": [
          "CM-11(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-08(03)"
        ],
        "general-nist-800-82-r3": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-08(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-08(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-08(03)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-8(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-8(3)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.2.c"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-11"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.19",
          "4.20"
        ]
      }
    },
    {
      "control_id": "CFG-05.2",
      "title": "Restrict Roles Permitted To Install Software",
      "family": "CFG",
      "description": "Mechanisms exist to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service.",
      "scf_question": "Does the organization configure systems to prevent the installation of software, unless the action is performed by a privileged user or service?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8-POF1"
        ],
        "general-cis-csc-8-1": [
          "9.1",
          "9.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "9.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.1",
          "9.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.1",
          "9.4"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-09"
        ],
        "general-nist-800-53-r4": [
          "CM-11(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-11(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-11(02)"
        ],
        "general-nist-800-82-r3": [
          "CM-11(02)"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.Q"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-11(02)"
        ],
        "emea-isr-cmo-1-0": [
          "6.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0382",
          "ISM-1592"
        ],
        "apac-jpn-ismap": [
          "12.5",
          "12.5.1",
          "12.5.1.1",
          "12.5.1.2",
          "12.5.1.3",
          "12.6.2",
          "12.6.2.1",
          "12.6.2.2",
          "12.6.2.3",
          "12.6.2.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.19",
          "4.20"
        ]
      }
    },
    {
      "control_id": "CFG-06",
      "title": "Configuration Enforcement",
      "family": "CFG",
      "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
      "scf_question": "Does the organization use automated mechanisms to monitor, enforce and report on configurations for endpoint devices?",
      "relative_weight": 7,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically monitor, enforce and report on configurations for endpoint devices.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Windows Defender Application Control (WDAC)",
        "small": "∙ Microsoft Windows Defender Application Control (WDAC)",
        "medium": "∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ Microsoft Windows Defender Application Control (WDAC)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "CCM-03"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03(08)",
          "CM-11(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-11(03)"
        ],
        "general-nist-800-82-r3": [
          "CM-03(08)",
          "CM-11(03)"
        ],
        "general-nist-800-161-r1": [
          "CM-3(8)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-3(8)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-3(8)"
        ],
        "general-nist-800-171-r3": [
          "03.04.02.a",
          "03.04.02.b",
          "03.04.03.a"
        ],
        "general-nist-800-172": [
          "3.4.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "CM.L3-3.4.2E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-11(03)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0843",
          "ISM-0846",
          "ISM-0955",
          "ISM-1392",
          "ISM-1471",
          "ISM-1490",
          "ISM-1544",
          "ISM-1582"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.19",
          "4.20"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.02.A",
          "03.04.02.B",
          "03.04.03.A"
        ]
      }
    },
    {
      "control_id": "CFG-06.1",
      "title": "Integrity Assurance & Enforcement (IAE)",
      "family": "CFG",
      "description": "Automated mechanisms exist to identify unauthorized deviations from an approved baseline and implement automated resiliency actions to remediate the unauthorized change.",
      "scf_question": "Does the organization use automated mechanisms to identify unauthorized deviations from an approved baseline and implement automated resiliency actions to remediate the unauthorized change?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically identify unauthorized deviations from an approved baseline and implement automated resiliency actions to remediate the unauthorized change.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document baseline configurations for key systems",
        "small": "∙ Configuration baseline documentation\n∙ CIS Benchmark hardening guides",
        "medium": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.3",
          "2.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.3",
          "2.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.3",
          "2.4"
        ],
        "general-iec-62443-4-2-2019": [
          "HDR 3.11(1)",
          "NDR 3.11(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-03(08)",
          "CM-11(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-11(03)"
        ],
        "general-nist-800-82-r3": [
          "CM-03(08)",
          "CM-11(03)"
        ],
        "general-nist-800-172": [
          "3.4.2e",
          "3.14.7e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "CM.L3-3.4.2E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-11(03)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0843",
          "ISM-0846",
          "ISM-0955",
          "ISM-1392",
          "ISM-1471",
          "ISM-1490",
          "ISM-1544",
          "ISM-1582"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.19",
          "4.20"
        ]
      }
    },
    {
      "control_id": "CFG-07",
      "title": "Zero-Touch Provisioning (ZTP)",
      "family": "CFG",
      "description": "Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.",
      "scf_question": "Does the organization implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.",
        "4": "Configuration Management (CFG) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "IAM-07"
        ],
        "general-iec-62443-4-2-2019": [
          "HDR 3.13(b)"
        ]
      }
    },
    {
      "control_id": "CFG-08",
      "title": "Sensitive / Regulated Data Access Enforcement",
      "family": "CFG",
      "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to restrict access to sensitive/regulated data.",
      "scf_question": "Does the organization configure Technology Assets, Applications and/or Services (TAAS) to restrict access to sensitive/regulated data?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-08"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure Technology Assets, Applications and/or Services (TAAS) to restrict access to sensitive/regulated data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-03(11)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)",
          "164.312(c)"
        ],
        "general-nist-800-82-r3": [
          "AC-03(11)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-03(11)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-03(11)"
        ],
        "general-nist-800-171-r3": [
          "03.01.02"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.02[01]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.7"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(2)(iii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(i)",
          "164.312(c)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(i)",
          "164.312(c)(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-3(CE-11)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.02"
        ]
      }
    },
    {
      "control_id": "CFG-08.1",
      "title": "Sensitive / Regulated Data Actions",
      "family": "CFG",
      "description": "Automated mechanisms exist to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.",
      "scf_question": "Does the organization use automated mechanisms to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived?",
      "relative_weight": 7,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Configuration Management (CFG) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CFG domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Configuration management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "2": "Configuration Management (CFG) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Configuration management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Configuration management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) are used to configure Technology Assets, Applications and/or Services (TAAS) according to the principles of least functionality and least privilege, mostly conforming to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).",
        "3": "Configuration Management (CFG) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CFG domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CFG domain capabilities are well-documented and kept current by process owners.\n▪ A configuration management team, or similar function, is appropriately staffed and supported to implement and maintain CFG domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of configuration management operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CFG domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document baseline configurations for key systems",
        "small": "∙ Configuration baseline documentation\n∙ CIS Benchmark hardening guides",
        "medium": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Configuration Management",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "DM-2(1)"
        ],
        "general-nist-800-66-r2": [
          "164.312(c)"
        ],
        "general-scf-dpmp-2025": [
          "5.2"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(c)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(c)(2)"
        ]
      }
    },
    {
      "control_id": "MON-01",
      "title": "Continuous Monitoring",
      "family": "MON",
      "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
      "scf_question": "Does the organization facilitate the implementation of enterprise-wide monitoring controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-01",
        "E-MON-06",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ Generating event logs and the review of those event logs is narrowly-focused to business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to facilitate the implementation of enterprise-wide monitoring controls.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Centralized event logging\n∙ Managed Security Services Provider (MSSP)\n∙ Cloud-native SIEM (e.g., Microsoft Sentinel free tier, Elastic SIEM free)",
        "small": "∙ Centralized event logging\n∙ Managed Security Services Provider (MSSP)\n∙ Cloud SIEM (e.g., Microsoft Sentinel, Elastic SIEM, Sumo Logic)",
        "medium": "∙ Centralized event logging\n∙ Security Incident Event Management (SIEM) (e.g., Splunk, Microsoft Sentinel, IBM QRadar)\n∙ Managed Security Services Provider (MSSP)\n∙ Security Operations Center (SOC)",
        "large": "∙ Centralized event logging\n∙ Security Incident Event Management (SIEM) (e.g., Splunk, Microsoft Sentinel, IBM QRadar)\n∙ Managed Security Services Provider (MSSP)\n∙ Security Operations Center (SOC) with 24/7 coverage",
        "enterprise": "∙ Enterprise SIEM platform (e.g., Splunk Enterprise Security, IBM QRadar, Microsoft Sentinel)\n∙ 24/7 Security Operations Center (SOC)\n∙ Security Orchestration, Automation & Response (SOAR)\n∙ Threat intelligence integration\n∙ Managed Detection & Response (MDR) or in-house SOC"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC7.2",
          "CC7.2-POF1"
        ],
        "general-cis-csc-8-1": [
          "8.0",
          "8.2",
          "13.0",
          "13.6"
        ],
        "general-cis-csc-8-1-ig1": [
          "8.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.2",
          "13.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "8.2",
          "13.6"
        ],
        "general-cobit-2019": [
          "DSS01.03",
          "DSS05.07",
          "MEA01.01"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-01"
        ],
        "general-csa-iot-2": [
          "MON-01",
          "MON-03",
          "MON-05",
          "MON-07",
          "SNT-03"
        ],
        "general-govramp": [
          "AU-01",
          "SI-04"
        ],
        "general-govramp-core": [
          "SI-04"
        ],
        "general-govramp-low": [
          "AU-01",
          "SI-04"
        ],
        "general-govramp-low-plus": [
          "AU-01",
          "SI-04"
        ],
        "general-govramp-mod": [
          "AU-01",
          "SI-04"
        ],
        "general-govramp-high": [
          "AU-01",
          "SI-04"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 6.2"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 6.2"
        ],
        "general-iso-27002-2022": [
          "8.15",
          "8.16"
        ],
        "general-iso-27017-2015": [
          "12.4.1"
        ],
        "general-iso-27018-2025": [
          "8.15",
          "8.16"
        ],
        "general-mitre-att&ck-16-1": [
          "T1001",
          "T1001.001",
          "T1001.002",
          "T1001.003",
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1005",
          "T1008",
          "T1011",
          "T1011.001",
          "T1020.001",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1021.008",
          "T1025",
          "T1027",
          "T1027.002",
          "T1027.007",
          "T1027.008",
          "T1027.009",
          "T1027.010",
          "T1027.011",
          "T1027.012",
          "T1029",
          "T1030",
          "T1036",
          "T1036.001",
          "T1036.003",
          "T1036.005",
          "T1036.007",
          "T1036.008",
          "T1036.010",
          "T1037",
          "T1037.002",
          "T1037.003",
          "T1037.004",
          "T1037.005",
          "T1040",
          "T1041",
          "T1046",
          "T1047",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1053",
          "T1053.002",
          "T1053.003",
          "T1053.005",
          "T1053.006",
          "T1055",
          "T1055.001",
          "T1055.002",
          "T1055.003",
          "T1055.004",
          "T1055.005",
          "T1055.008",
          "T1055.009",
          "T1055.011",
          "T1055.012",
          "T1055.013",
          "T1055.014",
          "T1056.002",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1059.009",
          "T1059.010",
          "T1059.011",
          "T1068",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.003",
          "T1070.007",
          "T1070.008",
          "T1070.009",
          "T1070.010",
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1071.005",
          "T1072",
          "T1078",
          "T1078.001",
          "T1078.002",
          "T1078.003",
          "T1078.004",
          "T1080",
          "T1087",
          "T1087.001",
          "T1087.002",
          "T1090",
          "T1090.001",
          "T1090.002",
          "T1091",
          "T1092",
          "T1095",
          "T1098",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.004",
          "T1098.007",
          "T1102",
          "T1102.001",
          "T1102.002",
          "T1102.003",
          "T1104",
          "T1105",
          "T1106",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1111",
          "T1114",
          "T1114.001",
          "T1114.002",
          "T1114.003",
          "T1119",
          "T1127",
          "T1127.001",
          "T1127.002",
          "T1129",
          "T1132",
          "T1132.001",
          "T1132.002",
          "T1133",
          "T1135",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1137",
          "T1137.001",
          "T1176",
          "T1185",
          "T1187",
          "T1189",
          "T1190",
          "T1195",
          "T1195.001",
          "T1197",
          "T1201",
          "T1203",
          "T1204",
          "T1204.001",
          "T1204.002",
          "T1204.003",
          "T1205",
          "T1205.001",
          "T1205.002",
          "T1210",
          "T1211",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1216",
          "T1216.001",
          "T1218",
          "T1218.001",
          "T1218.002",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.008",
          "T1218.009",
          "T1218.010",
          "T1218.011",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1218.015",
          "T1219",
          "T1220",
          "T1221",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1484",
          "T1485",
          "T1486",
          "T1489",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1499",
          "T1499.001",
          "T1499.002",
          "T1499.003",
          "T1499.004",
          "T1505",
          "T1505.002",
          "T1505.003",
          "T1505.004",
          "T1505.005",
          "T1525",
          "T1528",
          "T1530",
          "T1537",
          "T1539",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1543.002",
          "T1546.002",
          "T1546.003",
          "T1546.004",
          "T1546.006",
          "T1546.008",
          "T1546.013",
          "T1546.014",
          "T1546.016",
          "T1547.002",
          "T1547.003",
          "T1547.004",
          "T1547.005",
          "T1547.006",
          "T1547.007",
          "T1547.008",
          "T1547.009",
          "T1547.012",
          "T1547.013",
          "T1548",
          "T1548.001",
          "T1548.002",
          "T1548.003",
          "T1548.004",
          "T1548.006",
          "T1550.001",
          "T1550.003",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.003",
          "T1552.004",
          "T1552.005",
          "T1552.006",
          "T1552.008",
          "T1553",
          "T1553.001",
          "T1553.003",
          "T1553.004",
          "T1553.005",
          "T1555",
          "T1555.001",
          "T1555.002",
          "T1555.004",
          "T1555.005",
          "T1556",
          "T1556.001",
          "T1556.002",
          "T1556.003",
          "T1556.004",
          "T1556.008",
          "T1556.009",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1557.004",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1558.005",
          "T1559",
          "T1559.002",
          "T1559.003",
          "T1560",
          "T1560.001",
          "T1561",
          "T1561.001",
          "T1561.002",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.003",
          "T1562.004",
          "T1562.006",
          "T1562.010",
          "T1562.011",
          "T1562.012",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1564.002",
          "T1564.004",
          "T1564.006",
          "T1564.007",
          "T1564.008",
          "T1564.009",
          "T1564.010",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1565.003",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1566.003",
          "T1567",
          "T1568",
          "T1568.002",
          "T1569",
          "T1569.002",
          "T1570",
          "T1571",
          "T1572",
          "T1573",
          "T1573.001",
          "T1573.002",
          "T1574",
          "T1574.001",
          "T1574.004",
          "T1574.005",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.010",
          "T1574.013",
          "T1574.014",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1598",
          "T1598.001",
          "T1598.002",
          "T1598.003",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1610",
          "T1611",
          "T1612",
          "T1613",
          "T1622",
          "T1647",
          "T1648",
          "T1651",
          "T1653"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.5"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(h)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-4.3-002",
          "GV-6.2-004"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DM-P8"
        ],
        "general-nist-800-37-r2": [
          "TASK P-7"
        ],
        "general-nist-800-53-r4": [
          "AU-1",
          "SI-4"
        ],
        "general-nist-800-53-r5-2": [
          "AU-01",
          "PM-31",
          "SI-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AU-01",
          "PM-31",
          "SI-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-01",
          "SI-04"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)",
          "164.312(b)"
        ],
        "general-nist-800-82-r3": [
          "AU-01",
          "PM-31",
          "SI-04"
        ],
        "general-nist-800-82-r3-low": [
          "AU-01",
          "PM-31",
          "SI-04"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-01",
          "PM-31",
          "SI-04"
        ],
        "general-nist-800-82-r3-high": [
          "AU-01",
          "PM-31",
          "SI-04"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PM-31"
        ],
        "general-nist-800-161-r1": [
          "AU-1",
          "PM-31",
          "SI-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AU-1",
          "SI-4"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SI-4"
        ],
        "general-nist-800-161-r1-level-1": [
          "AU-1",
          "PM-31",
          "SI-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-1",
          "PM-31",
          "SI-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-1",
          "PM-31",
          "SI-4"
        ],
        "general-nist-800-171-r2": [
          "3.3.3",
          "3.14.6",
          "NFO - AU-1"
        ],
        "general-nist-800-171-r3": [
          "03.03.01.a",
          "03.12.03",
          "03.14.06.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.14.06.a.01[01]",
          "A.03.14.06.a.01[02]",
          "A.03.14.06.a.02"
        ],
        "general-nist-800-172": [
          "3.14.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5",
          "NIST Tenet 6",
          "NIST Tenet 7"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-04",
          "DE.CM-01",
          "DE.CM-03",
          "DE.CM-06",
          "DE.CM-09",
          "DE.AE"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.1",
          "10.4.3",
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3",
          "A3.3.1",
          "A3.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.4.3",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.4.3",
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-scf-dpmp-2025": [
          "7.0"
        ],
        "general-sparta": [
          "CM0090"
        ],
        "general-swift-cscf-2025": [
          "6.4",
          "6.5A"
        ],
        "general-tisax-6-0-3": [
          "5.2.4"
        ],
        "general-un-155-2021": [
          "7.2.2.2(g)",
          "7.2.2.2(h)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(g)",
          "7.2.2.2(h)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "MON:SG1",
          "MON:SG1.SP1",
          "MON:SG1.SP2",
          "MON:SG1.SP3",
          "MON:SG1.SP4",
          "MON:SG2",
          "MON:SG2.SP1",
          "MON:SG2.SP2",
          "MON:SG2.SP3",
          "MON:SG2.SP4",
          "MON:GG1.GP1",
          "MON:GG2",
          "MON:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.b.",
          "1.f"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.AACCO",
          "3.UNI.CLMAN",
          "3.UNI.SAWAR",
          "3.UNL.CMREP"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.D",
          "2.T"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-1",
          "SI-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-1a",
          "SITUATION-2c",
          "SITUATION-3g"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.3",
          "SIL2.-3.14.6"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.5",
          "7.3.1"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "6.5"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(B)",
          "4e(i)(F)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-01",
          "SI-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-01",
          "SI-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-01",
          "SI-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-01",
          "SI-04"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(viii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(1)(ii)(D)",
          "164.312(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(1)(ii)(D)",
          "164.312(b)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-1",
          "SI-4",
          "SI-4(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-1",
          "SI-4",
          "SI-4.a",
          "SI-4.a.1",
          "SI-4.a.2",
          "SI-4.b",
          "SI-4.c",
          "SI-4.d",
          "SI-4.e",
          "SI-4.f",
          "SI-4.g",
          "SI-4.g.1",
          "SI-4.g.2",
          "SI-4.h",
          "SI-4.i",
          "SI-4.j",
          "SI-4.k",
          "SI-4-IS.1"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.3",
          "III.D.3.a",
          "III.D.3.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(7)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(3)",
          "500.6(a)(1)",
          "500.6(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AT-01",
          "AU-01",
          "SI-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-01",
          "SI-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-01",
          "SI-04"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.5(39)",
          "3.4.5(40)",
          "3.5(52)"
        ],
        "emea-eu-dora-2023": [
          "Article 10.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.2.3",
          "3.2.1",
          "3.2.2",
          "3.2.6",
          "13.1.2(f)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "5.5",
          "6.3",
          "6.7"
        ],
        "emea-deu-c5-2020": [
          "OPS-10"
        ],
        "emea-isr-cmo-1-0": [
          "4.6",
          "6.8",
          "9.10",
          "11.11",
          "12.31",
          "13.9",
          "21.1"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11"
        ],
        "emea-sau-cgiot-2024": [
          "2-11-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-4",
          "2-12-1",
          "2-12-2",
          "2-12-3",
          "2-12-4",
          "5-1-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-11",
          "2-11-1",
          "2-11-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-40",
          "TPC-80"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.14"
        ],
        "emea-zaf-popia-2013": [
          "19.1",
          "19.2"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 10.1",
          "Article 21.2",
          "Article 24.1"
        ],
        "emea-esp-decree-311-2022": [
          "10.1",
          "21.2",
          "24.1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.8 [OP.EXP.8]"
        ],
        "emea-gbr-caf-4-0": [
          "C1"
        ],
        "emea-gbr-cap-1850-2020": [
          "C1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2203",
          "2427",
          "3100",
          "3101",
          "3102",
          "3106"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2427",
          "3100",
          "3101"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2203",
          "2427",
          "3100",
          "3101",
          "3106"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2203",
          "2427",
          "3100",
          "3102",
          "3106"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0109",
          "ISM-0120",
          "ISM-0580",
          "ISM-0660",
          "ISM-1163",
          "ISM-1294",
          "ISM-1586"
        ],
        "apac-ind-sebi-2024": [
          "DE.CM.S2",
          "PR.AA.S8"
        ],
        "apac-jpn-ismap": [
          "12.4",
          "12.4.1",
          "12.4.1.15.PB"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP70",
          "HML70"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS18"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP61"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.6.C.01",
          "16.6.6.C.02",
          "16.6.8.C.01",
          "16.6.10.C.01",
          "16.6.10.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "12.2.1",
          "12.2.2",
          "12.2.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.21"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.5"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3",
          "3.3.1",
          "3.3.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.01.A",
          "03.12.03",
          "03.14.06.A"
        ]
      }
    },
    {
      "control_id": "MON-01.1",
      "title": "Intrusion Detection & Prevention Systems (IDS & IPS)",
      "family": "MON",
      "description": "Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.",
      "scf_question": "Does the organization implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-01",
        "E-MON-06",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Intrusion Detection / Prevention Systems (IDS/IPS)\n∙ Next-Generation Firewall (NGFW) with IPS (e.g., Fortinet FortiGate, Palo Alto)",
        "small": "∙ Intrusion Detection / Prevention Systems (IDS/IPS)\n∙ Next-Generation Firewall (NGFW) with built-in IPS (e.g., Fortinet, Palo Alto)",
        "medium": "∙ Intrusion Detection / Prevention Systems (IDS/IPS)\n∙ Next-Generation Firewall (NGFW) with IPS\n∙ Extended Detection and Response (XDR) (e.g., CrowdStrike Falcon, SentinelOne, Microsoft Defender XDR)",
        "large": "∙ Intrusion Detection / Prevention Systems (IDS/IPS)\n∙ Extended Detection and Response (XDR) (e.g., CrowdStrike Falcon, Palo Alto Cortex XDR)\n∙ Network Detection and Response (NDR) (e.g., Darktrace, ExtraHop)",
        "enterprise": "∙ Enterprise IDS/IPS integrated with SIEM\n∙ Extended Detection and Response (XDR) (e.g., CrowdStrike Falcon, Palo Alto Cortex XDR)\n∙ Network Detection and Response (NDR) (e.g., Darktrace, ExtraHop, Vectra AI)\n∙ AI-driven anomaly detection"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2",
          "CC7.2-POF2",
          "CC7.2-POF3"
        ],
        "general-cobit-2019": [
          "DSS05.07"
        ],
        "general-csa-iot-2": [
          "OPA-04"
        ],
        "general-govramp": [
          "SI-04(01)"
        ],
        "general-govramp-mod": [
          "SI-04(01)"
        ],
        "general-govramp-high": [
          "SI-04(01)"
        ],
        "general-iso-27002-2022": [
          "8.16"
        ],
        "general-iso-27018-2025": [
          "8.16"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.7"
        ],
        "general-nist-800-53-r4": [
          "SI-4(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(01)",
          "SI-04(25)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-04(25)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(01)",
          "SI-04(25)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(01)",
          "SI-04(25)"
        ],
        "general-nist-800-171-r3": [
          "03.13.01.a"
        ],
        "general-nist-800-172": [
          "3.14.6e"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-01"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.4.3",
          "11.5",
          "11.5.1",
          "11.5.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.3",
          "11.5.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.3",
          "11.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.3",
          "11.5.1",
          "11.5.1.1"
        ],
        "general-shared-assessments-sig-2025": [
          "N.7"
        ],
        "general-sparta": [
          "CM0032"
        ],
        "general-swift-cscf-2025": [
          "6.5A"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SI.L3-3.14.6E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-04(25)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-04(01)",
          "SI-04(25)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(01)",
          "SI-04(25)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-04(25)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-4(1)"
        ],
        "usa-federal-nispom-2020": [
          "§117.15(d)(2)",
          "§117.15(d)(2)(i)",
          "§117.15(d)(2)(i)(A)",
          "§117.15(d)(2)(i)(B)",
          "§117.15(d)(2)(i)(C)",
          "§117.15(d)(2)(i)(D)",
          "§117.15(d)(2)(i)(E)",
          "§117.15(d)(2)(ii)",
          "§117.15(d)(2)(iii)",
          "§117.15(d)(2)(iv)",
          "§117.15(d)(2)(v)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(8)(A)"
        ],
        "emea-isr-cmo-1-0": [
          "7.4",
          "11.11",
          "12.18",
          "23.6"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-6"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.6.1 [OP.MON.1]"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.10.C.01",
          "16.6.10.C.02",
          "18.4.7.C.01",
          "18.4.7.C.02",
          "18.4.7.C.03",
          "18.4.8.C.01",
          "18.4.8.C.02",
          "18.4.8.C.03",
          "18.4.9.C.01",
          "18.4.9.C.02",
          "18.4.10.C.01",
          "18.4.11.C.01",
          "18.4.11.C.02",
          "18.4.11.C.03",
          "18.4.12.C.01",
          "18.4.14.C.01"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.3",
          "4.3",
          "4.4"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.01.A"
        ]
      }
    },
    {
      "control_id": "MON-01.2",
      "title": "Automated Tools for Real-Time Analysis",
      "family": "MON",
      "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.",
      "scf_question": "Does the organization utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-01",
        "E-MON-05"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical TAASD.\n▪ IT and/or cybersecurity personnel configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)\n∙ Cloud SIEM with automated alerting (e.g., Microsoft Sentinel, Elastic SIEM)",
        "small": "∙ Managed Security Services Provider (MSSP)\n∙ Cloud SIEM (e.g., Microsoft Sentinel, Sumo Logic)\n∙ Automated alert rules for common attack patterns",
        "medium": "∙ Security Incident Event Management (SIEM) (e.g., Splunk, Microsoft Sentinel, IBM QRadar)\n∙ Security Orchestration, Automation & Response (SOAR) (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ Extended Detection and Response (XDR)",
        "large": "∙ SIEM with automated analytics (e.g., Splunk, Microsoft Sentinel)\n∙ Security Orchestration, Automation & Response (SOAR) (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ Extended Detection and Response (XDR)\n∙ User and Entity Behavior Analytics (UEBA)",
        "enterprise": "∙ Enterprise SIEM with AI/ML-driven analytics (e.g., Splunk ES, IBM QRadar with AI)\n∙ SOAR platform for automated response (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ XDR / MDR platform\n∙ UEBA integrated with SIEM\n∙ Threat hunting capability"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2",
          "CC7.2-POF1",
          "CC7.2-POF3"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-03"
        ],
        "general-csa-iot-2": [
          "MON-03",
          "OPA-04"
        ],
        "general-govramp": [
          "SI-04(02)"
        ],
        "general-govramp-mod": [
          "SI-04(02)"
        ],
        "general-govramp-high": [
          "SI-04(02)"
        ],
        "general-iso-27002-2022": [
          "8.16"
        ],
        "general-iso-27018-2025": [
          "8.16"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.5"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MG-3.2-006"
        ],
        "general-nist-800-53-r4": [
          "SI-4(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-48",
          "SI-04(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-48"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-04(02)"
        ],
        "general-nist-800-82-r3": [
          "SC-48",
          "SI-04(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-04(02)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-04(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-48",
          "SI-04(02)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5",
          "NIST Tenet 7"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.4",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.4.1",
          "10.4.1.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.CLMAN"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-4(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-1d"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.7.2",
          "2.7.3",
          "5.2.2",
          "7.2",
          "7.2.1"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "6.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-48"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-48",
          "SI-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-48",
          "SI-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-48"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-4(2)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(8)(A)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.14(b)(2)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.5(39)",
          "3.4.5(40)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.2.2"
        ],
        "emea-deu-c5-2020": [
          "OPS-13"
        ],
        "emea-isr-cmo-1-0": [
          "11.11",
          "12.31"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-1-3",
          "2-11-1-4"
        ],
        "emea-sau-cgiot-2024": [
          "2-11-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-3",
          "5-1-3-3"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.14"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3102"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3102"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS19"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.4"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3.1"
        ]
      }
    },
    {
      "control_id": "MON-01.3",
      "title": "Inbound & Outbound Communications Traffic",
      "family": "MON",
      "description": "Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.",
      "scf_question": "Does the organization continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-MON-01",
        "E-MON-06",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ Generating event logs and the review of those event logs is narrowly-focused to business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Intrusion Detection / Prevention Systems (IDS / IPS)",
        "small": "∙ Intrusion Detection / Prevention Systems (IDS / IPS)",
        "medium": "∙ Intrusion Detection / Prevention Systems (IDS / IPS)\n∙ Extended Detection and Response (XDR)",
        "large": "∙ Intrusion Detection / Prevention Systems (IDS / IPS)\n∙ Extended Detection and Response (XDR)",
        "enterprise": "∙ Intrusion Detection / Prevention Systems (IDS / IPS)\n∙ Extended Detection and Response (XDR)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2"
        ],
        "general-csa-iot-2": [
          "CLS-07",
          "OPA-04",
          "OPA-08"
        ],
        "general-govramp": [
          "SI-04(04)"
        ],
        "general-govramp-core": [
          "SI-04(04)"
        ],
        "general-govramp-mod": [
          "SI-04(04)"
        ],
        "general-govramp-high": [
          "SI-04(04)"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.2(b)"
        ],
        "general-iso-27002-2022": [
          "8.16"
        ],
        "general-iso-27018-2025": [
          "8.16"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.5",
          "TS-2.13"
        ],
        "general-nist-800-53-r4": [
          "SI-4(4)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-04(04)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-04(04)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-04(04)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(04)"
        ],
        "general-nist-800-171-r2": [
          "3.14.6"
        ],
        "general-nist-800-171-r3": [
          "03.13.01.a",
          "03.14.06.c"
        ],
        "general-nist-800-171a": [
          "3.14.6[a]",
          "3.14.6[b]",
          "3.14.6[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.01.a[01]",
          "A.03.13.01.a[03]",
          "A.03.14.06.c[01]",
          "A.03.14.06.c[02]"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-01"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A09:2025"
        ],
        "general-sparta": [
          "CM0073"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.b.i"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.T"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-4(4)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-2b"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.6"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(B)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-4)",
          "SI-4(CE-4).a",
          "SI-4(CE-4).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-4(4)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.2.a",
          "III.D.2.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(8)(A)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-04 (04)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.2.3(a)"
        ],
        "emea-isr-cmo-1-0": [
          "9.9",
          "9.10",
          "10.9"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-40"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.10.C.01",
          "16.6.10.C.02",
          "18.4.8.C.01",
          "18.4.8.C.02",
          "18.4.8.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.01.A",
          "03.14.06.C"
        ]
      }
    },
    {
      "control_id": "MON-01.4",
      "title": "System Generated Alerts",
      "family": "MON",
      "description": "Mechanisms exist to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data protection and supply chain activities to achieve integrated situational awareness.",
      "scf_question": "Does the organization generate, monitor, correlate and respond to alerts from physical, cybersecurity, data protection and supply chain activities to achieve integrated situational awareness?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-END-03",
        "E-MON-01",
        "E-MON-06",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ SBC enforce logging to link system access to individual users or service accounts using a non-repudiation capability to protect against an individual falsely denying having performed a particular action.\n▪ SBC enforce local security event logging and forward those logs to a centralized log repository to provide an alternate audit capability in the event of a failure in the primary audit capability.\n▪ A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical TAASD.\n▪ IT and/or cybersecurity personnel configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data protection and supply chain activities to achieve integrated situational awareness.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2",
          "CC7.2-POF2"
        ],
        "general-cis-csc-8-1": [
          "8.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "8.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "8.2"
        ],
        "general-cobit-2019": [
          "DSS06.05"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-03"
        ],
        "general-csa-iot-2": [
          "CLS-08",
          "MON-03"
        ],
        "general-govramp": [
          "SI-04(05)"
        ],
        "general-govramp-mod": [
          "SI-04(05)"
        ],
        "general-govramp-high": [
          "SI-04(05)"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.4"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.8"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.8"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.3"
        ],
        "general-iso-27002-2022": [
          "8.15"
        ],
        "general-iso-27017-2015": [
          "12.4.1"
        ],
        "general-iso-27018-2025": [
          "8.15"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.4",
          "TS-2.6"
        ],
        "general-nist-800-53-r4": [
          "SI-4(5)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(05)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-04(05)"
        ],
        "general-nist-800-66-r2": [
          "164.312(b)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(05)"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-04(05)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-04(05)"
        ],
        "general-nist-800-171-r2": [
          "NFO - SI-4(5)"
        ],
        "general-nist-800-171-r3": [
          "03.03.01.a",
          "03.03.03.a",
          "03.14.06.a.01",
          "03.14.06.b",
          "03.14.06.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.02.a.01",
          "A.03.03.03.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 7"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-04",
          "DE.CM-01"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.2",
          "10.4",
          "10.4.1",
          "10.4.1.1",
          "10.4.3",
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.4.1",
          "10.4.1.1",
          "10.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.4.1",
          "10.4.1.1",
          "10.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.4.1",
          "10.4.1.1",
          "10.4.3",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.4.1",
          "10.4.1.1",
          "10.4.3",
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-tisax-6-0-3": [
          "5.2.4"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "IMC:SG2",
          "IMC:SG2.SP1",
          "IMC:SG2.SP2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.b.ii"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.AACCO"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.G",
          "2.T"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-4(5)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-1a",
          "SITUATION-1b",
          "SITUATION-1c",
          "SITUATION-1d",
          "SITUATION-1f",
          "SITUATION-2e"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(B)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-04(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(05)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(b)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-5)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-4(5)",
          "SI-4(5).a",
          "SI-4(5).b",
          "SI-4(5).c",
          "SI-4(5).d"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 4.1",
          "CIP-007-6 4.2"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.3.a"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(7)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 12.1"
        ],
        "emea-deu-c5-2020": [
          "OPS-13"
        ],
        "emea-isr-cmo-1-0": [
          "21.2",
          "21.4"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-80",
          "TPC-87"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.8 [OP.EXP.8]"
        ],
        "emea-gbr-caf-4-0": [
          "C1.a",
          "C1.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3101"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3101"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3101"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP69",
          "HML68"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP60"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.01.A",
          "03.03.03.A",
          "03.14.06.A.01",
          "03.14.06.B",
          "03.14.06.C"
        ]
      }
    },
    {
      "control_id": "MON-01.5",
      "title": "Wireless Network Monitoring",
      "family": "MON",
      "description": "Mechanisms exist to monitor wireless network segments for:\n(1) Rogue wireless devices; and\n(2) Anomalous and/or hostile activities.",
      "scf_question": "Does the organization monitor wireless network segments for:\n(1) Rogue wireless devices; and\n(2) Anomalous and/or hostile activities?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to monitor wireless network segments for:\n(1) Rogue wireless devices; and\n(2) Anomalous and/or hostile activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Wireless Intrusion Detection / Protection Systems (WIDS / WIPS)",
        "small": "∙ Wireless Intrusion Detection / Protection Systems (WIDS / WIPS)",
        "medium": "∙ Wireless Intrusion Detection / Protection Systems (WIDS / WIPS)\n∙ Extended Detection and Response (XDR)",
        "large": "∙ Wireless Intrusion Detection / Protection Systems (WIDS / WIPS)\n∙ Extended Detection and Response (XDR)",
        "enterprise": "∙ Wireless Intrusion Detection / Protection Systems (WIDS / WIPS)\n∙ Extended Detection and Response (XDR)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2"
        ],
        "general-csa-iot-2": [
          "MON-08"
        ],
        "general-govramp": [
          "SI-04(14)"
        ],
        "general-govramp-mod": [
          "SI-04(14)"
        ],
        "general-govramp-high": [
          "SI-04(14)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.2 RE 1"
        ],
        "general-nist-800-53-r4": [
          "SI-4(14)",
          "SI-4(15)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(14)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-04(14)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(14)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-04(14)"
        ],
        "general-pci-dss-4-0-1": [
          "11.2"
        ],
        "general-shared-assessments-sig-2025": [
          "N.7"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(14)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-4(14)"
        ],
        "emea-isr-cmo-1-0": [
          "7.6"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.10.C.01",
          "16.6.10.C.02",
          "18.4.8.C.01",
          "18.4.8.C.02",
          "18.4.8.C.03"
        ]
      }
    },
    {
      "control_id": "MON-01.6",
      "title": "Host-Based Devices",
      "family": "MON",
      "description": "Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.",
      "scf_question": "Does the organization utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS)",
        "small": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS)",
        "medium": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) \n∙ Extended Detection and Response (XDR)",
        "large": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) \n∙ Extended Detection and Response (XDR)",
        "enterprise": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) \n∙ Extended Detection and Response (XDR)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2"
        ],
        "general-govramp": [
          "SI-04(23)"
        ],
        "general-govramp-mod": [
          "SI-04(23)"
        ],
        "general-govramp-high": [
          "SI-04(23)"
        ],
        "general-nist-800-53-r4": [
          "SI-4(23)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(23)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(23)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-04(23)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(23)"
        ]
      }
    },
    {
      "control_id": "MON-01.7",
      "title": "File Integrity Monitoring (FIM)",
      "family": "MON",
      "description": "Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical Technology Assets, Applications and/or Services (TAAS) to generate alerts for unauthorized modifications.",
      "scf_question": "Does the organization utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical Technology Assets, Applications and/or Services (TAAS) to generate alerts for unauthorized modifications?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-08"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical Technology Assets, Applications and/or Services (TAAS) to generate alerts for unauthorized modifications.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ File Integrity Monitoring (FIM) via endpoint security tool (e.g., OSSEC free, Wazuh free)",
        "small": "∙ File Integrity Monitor (FIM) (e.g., Wazuh free, OSSEC, Tripwire free edition)",
        "medium": "∙ File Integrity Monitor (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)\n∙ Wazuh (free, open-source) (https://wazuh.com)",
        "large": "∙ File Integrity Monitor (FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netwrix.com)\n∙ Tripwire Enterprise (https://tripwire.com)",
        "enterprise": "∙ Enterprise FIM solution (e.g., Tripwire Enterprise, CimTrak, Qualys FIM)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ FIM integrated with SIEM for real-time alerting\n∙ CIS Control 10 (Malware Defenses) alignment"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8",
          "CC7.1",
          "CC7.1-POF2",
          "CC7.1-POF3",
          "CC7.1-POF4"
        ],
        "general-csa-iot-2": [
          "SAP-06"
        ],
        "general-govramp": [
          "SI-04(24)"
        ],
        "general-govramp-high": [
          "SI-04(24)"
        ],
        "general-iec-62443-2-1-2024": [
          "DATA 1.7"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.4",
          "SR 3.4 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.4(2)"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P6"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(24)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-04(24)"
        ],
        "general-nist-800-66-r2": [
          "164.312(c)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(24)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(24)"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-09"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A05:2025",
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.3.4",
          "10.4",
          "11.5",
          "11.5.2",
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.3.4",
          "11.5.2",
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.3.4",
          "11.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.3.4",
          "11.5.2",
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.3.4",
          "11.5.2",
          "11.6.1"
        ],
        "general-swift-cscf-2025": [
          "6.2"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.3.3",
          "2.3.5"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(a)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-04(24)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-04(24)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(24)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-04(24)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(c)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(c)(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-24)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(36)(e)"
        ],
        "emea-isr-cmo-1-0": [
          "6.4",
          "12.19"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-4"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.10.C.01",
          "16.6.10.C.02"
        ]
      }
    },
    {
      "control_id": "MON-01.8",
      "title": "Security Event Monitoring",
      "family": "MON",
      "description": "Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.",
      "scf_question": "Does the organization review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-01",
        "E-MON-02",
        "E-MON-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ The generation and review of event logs are narrowly focused on business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical TAASD.\n▪ IT and/or cybersecurity personnel configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.\n▪ Logs of privileged functions (e.g., administrator or root actions) are reviewed for evidence of unauthorized activities.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2",
          "CC7.2-POF4"
        ],
        "general-cis-csc-8-1": [
          "8.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "8.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "8.1"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-03",
          "LOG-05"
        ],
        "general-csa-iot-2": [
          "CLS-08"
        ],
        "general-govramp": [
          "AU-02"
        ],
        "general-govramp-low": [
          "AU-02"
        ],
        "general-govramp-low-plus": [
          "AU-02"
        ],
        "general-govramp-mod": [
          "AU-02"
        ],
        "general-govramp-high": [
          "AU-02"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.2",
          "EVENT 1.7"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.4"
        ],
        "general-iso-21434-2021": [
          "RQ-08-01",
          "RQ-08-02",
          "RQ-08-03",
          "RQ-08-04"
        ],
        "general-iso-27002-2022": [
          "8.16"
        ],
        "general-iso-27018-2025": [
          "8.15(a)",
          "8.16"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.5",
          "TS-2.4"
        ],
        "general-nist-800-53-r4": [
          "AU-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AU-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-02"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)",
          "164.312(b)"
        ],
        "general-nist-800-82-r3": [
          "AU-02"
        ],
        "general-nist-800-82-r3-low": [
          "AU-02"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-02"
        ],
        "general-nist-800-82-r3-high": [
          "AU-02"
        ],
        "general-nist-800-161-r1": [
          "AU-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AU-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AU-2"
        ],
        "general-nist-800-161-r1-level-1": [
          "AU-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-2"
        ],
        "general-nist-800-171-r2": [
          "3.3.3",
          "3.14.3"
        ],
        "general-nist-800-171-r3": [
          "03.03.01.b",
          "03.03.05.a"
        ],
        "general-nist-800-171a": [
          "3.3.3[a]",
          "3.3.3[b]",
          "3.3.3[c]",
          "3.14.3[a]",
          "3.14.3[b]",
          "3.14.3[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.01.ODP[02]",
          "A.03.03.01.b[01]",
          "A.03.03.05.ODP[01]",
          "A.03.03.05.a"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-01",
          "DE.AE",
          "DE.AE-06"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.4",
          "10.4.1",
          "10.4.1.1",
          "10.4.2",
          "10.4.2.1",
          "10.4.3",
          "12.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.4.1",
          "10.4.1.1",
          "10.4.2",
          "10.4.2.1",
          "10.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.4.1",
          "10.4.1.1",
          "10.4.2",
          "10.4.2.1",
          "10.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.4.1",
          "10.4.1.1",
          "10.4.2",
          "10.4.2.1",
          "10.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.4.1",
          "10.4.1.1",
          "10.4.2",
          "10.4.2.1",
          "10.4.3",
          "12.4.2"
        ],
        "general-shared-assessments-sig-2025": [
          "J.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.T"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-2a",
          "SITUATION-2b",
          "SITUATION-2e",
          "SITUATION-2i"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.3",
          "SIL2.-3.14.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(1)(ii)(D)",
          "164.312(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(1)(ii)(D)",
          "164.312(b)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-2",
          "AU-6-IS.1",
          "AU-6-IS.2",
          "AU-6-IS.3",
          "AU-6-IS.4",
          "AU-6-IS.5",
          "AU-6-IS.6",
          "AU-6-IS.7"
        ],
        "usa-federal-nispom-2020": [
          "§117.15(d)(3)",
          "§117.15(d)(3)(i)",
          "§117.15(d)(3)(i)(A)",
          "§117.15(d)(3)(i)(B)",
          "§117.15(d)(3)(ii)",
          "§117.15(d)(3)(ii)(A)",
          "§117.15(d)(3)(ii)(B)",
          "§117.15(d)(3)(ii)(C)",
          "§117.15(d)(3)(ii)(D)",
          "§117.15(d)(3)(iii)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.3.a"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(7)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)3",
          "17.04(4)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)(3)",
          "899-bb.2(b)(ii)(C)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AT-02",
          "AU-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-02"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(2)(C)",
          "2447(c)(4)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.5(39)",
          "3.4.5(40)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.2.3",
          "3.2.4"
        ],
        "emea-deu-bsrit-2017": [
          "5.5"
        ],
        "emea-isr-cmo-1-0": [
          "12.31",
          "21.3",
          "21.11"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-1-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-11-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-40"
        ],
        "emea-gbr-caf-4-0": [
          "C1.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "C1",
          "C2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3101",
          "3102"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3101"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3101"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3102"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0109"
        ],
        "apac-ind-sebi-2024": [
          "DE.CM.S3"
        ],
        "apac-jpn-ismap": [
          "12.4.3.3",
          "12.4.5.P",
          "12.4.5.1.P",
          "12.4.5.2.P",
          "12.4.5.3.P",
          "12.4.5.4.P",
          "12.4.5.5.P"
        ],
        "apac-sgp-mas-trm-2021": [
          "12.2.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.5"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.01.B",
          "03.03.05.A"
        ]
      }
    },
    {
      "control_id": "MON-01.9",
      "title": "Proxy Logging",
      "family": "MON",
      "description": "Mechanisms exist to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.",
      "scf_question": "Does the organization log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ The generation and review of event logs are narrowly focused on business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "emea-isr-cmo-1-0": [
          "9.14",
          "21.20"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0261"
        ],
        "apac-nzl-ism-3-9": [
          "14.3.6.C.02",
          "16.6.10.C.01",
          "16.6.10.C.02"
        ]
      }
    },
    {
      "control_id": "MON-01.10",
      "title": "Deactivated Account Activity",
      "family": "MON",
      "description": "Mechanisms exist to monitor deactivated accounts for attempted usage.",
      "scf_question": "Does the organization monitor deactivated accounts for attempted usage?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to monitor deactivated accounts for attempted usage.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "3.1"
        ]
      }
    },
    {
      "control_id": "MON-01.11",
      "title": "Automated Response to Suspicious Events",
      "family": "MON",
      "description": "Automated mechanisms exist to implement pre-determined corrective actions in response to detected events that have security incident implications.",
      "scf_question": "Does the organization automatically implement pre-determined corrective actions in response to detected events that have security incident implications?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to automatically implement pre-determined corrective actions in response to detected events that have security incident implications.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ Intrusion Detection / Prevention Systems (IDS / IPS)\n∙ Extended Detection and Response (XDR)",
        "large": "∙ Intrusion Detection / Prevention Systems (IDS / IPS)\n∙ Extended Detection and Response (XDR)",
        "enterprise": "∙ Intrusion Detection / Prevention Systems (IDS / IPS)\n∙ Extended Detection and Response (XDR)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SI-4(7)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(05)",
          "SI-04(07)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(05)",
          "SI-04(07)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(05)",
          "SI-04(07)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(07)"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.6.1",
          "A3.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(05)",
          "SI-04(07)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04(05)",
          "SI-04(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(05)",
          "SI-04(07)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(05)",
          "SI-04(07)"
        ]
      }
    },
    {
      "control_id": "MON-01.12",
      "title": "Automated Alerts",
      "family": "MON",
      "description": "Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications.",
      "scf_question": "Does the organization automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-06"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2-POF2"
        ],
        "general-csa-iot-2": [
          "MON-03"
        ],
        "general-nist-800-53-r4": [
          "SI-4(12)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(12)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-04(12)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-04(12)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(12)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-04(12)"
        ],
        "general-nist-800-171-r3": [
          "03.03.04.a",
          "03.03.05.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.05.b"
        ],
        "general-nist-csf-2-0": [
          "DE.AE",
          "DE.AE-06"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.6.1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.T"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-04(12)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-12)"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP69",
          "HML68"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP60"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.04.A",
          "03.03.05.B"
        ]
      }
    },
    {
      "control_id": "MON-01.13",
      "title": "Alert Threshold Tuning",
      "family": "MON",
      "description": "Mechanisms exist to \"tune\" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events.",
      "scf_question": "Does the organization \"tune\" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to \"tune\" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events.",
        "4": "Continuous Monitoring (MON) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "13.6",
          "13.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "13.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "13.6",
          "13.11"
        ],
        "general-csa-iot-2": [
          "OPA-04"
        ],
        "general-nist-800-53-r4": [
          "SI-4(13)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(13)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(13)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(13)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-3g"
        ]
      }
    },
    {
      "control_id": "MON-01.14",
      "title": "Individuals Posing Greater Risk",
      "family": "MON",
      "description": "Mechanisms exist to implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk.",
      "scf_question": "Does the organization implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-03"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk.",
        "4": "Continuous Monitoring (MON) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "SI-04(19)"
        ],
        "general-govramp-high": [
          "SI-04(19)"
        ],
        "general-nist-800-53-r4": [
          "SI-4(19)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(19)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(19)"
        ],
        "general-nist-800-161-r1": [
          "SI-4(19)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-4(19)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-4(19)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(19)"
        ],
        "emea-deu-bsrit-2017": [
          "6.7"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-2"
        ]
      }
    },
    {
      "control_id": "MON-01.15",
      "title": "Privileged User Oversight",
      "family": "MON",
      "description": "Mechanisms exist to implement enhanced activity monitoring for privileged users.",
      "scf_question": "Does the organization implement enhanced activity monitoring for privileged users?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-03"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to implement enhanced activity monitoring for privileged users.",
        "4": "Continuous Monitoring (MON) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "3.14"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.14"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-09",
          "IAM-10",
          "IAM-11"
        ],
        "general-govramp": [
          "SI-04(20)"
        ],
        "general-govramp-high": [
          "SI-04(20)"
        ],
        "general-nist-800-53-r4": [
          "SI-4(20)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(20)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-04(20)"
        ],
        "general-nist-800-66-r2": [
          "164.312(c)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(20)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-04(20)"
        ],
        "general-nist-800-171-r3": [
          "03.01.07.b"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(20)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(c)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(c)(2)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(c)"
        ],
        "emea-deu-bsrit-2017": [
          "6.7"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-83"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2203"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2203"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2203"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.07.B"
        ]
      }
    },
    {
      "control_id": "MON-01.16",
      "title": "Analyze and Prioritize Monitoring Requirements",
      "family": "MON",
      "description": "Mechanisms exist to assess the organization's needs for monitoring and prioritize the monitoring of Technology Assets, Applications and/or Services (TAAS), based on TAAS criticality and the sensitivity of the data it stores, transmits and processes.",
      "scf_question": "Does the organization assess the organization's needs for monitoring and prioritize the monitoring of Technology Assets, Applications and/or Services (TAAS), based on TAAS criticality and the sensitivity of the data it stores, transmits and processes?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-30"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to assess the organization's needs for monitoring and prioritize the monitoring of Technology Assets, Applications and/or Services (TAAS), based on TAAS criticality and the sensitivity of the data it stores, transmits and processes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed\n- NIST 800-171A",
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-csa-iot-2": [
          "CLS-07"
        ],
        "general-nist-800-66-r2": [
          "164.312(b)"
        ],
        "general-nist-800-171-r2": [
          "3.3.3"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A09:2025"
        ],
        "general-swift-cscf-2025": [
          "6.4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-1a",
          "SITUATION-1f",
          "SITUATION-2f",
          "SITUATION-2g",
          "SITUATION-3g",
          "RESPONSE-1e"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.3"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "7.1.2"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(b)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.3.a",
          "III.D.3.b"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.5(39)",
          "3.4.5(40)",
          "3.5(52)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "5.5",
          "6.3",
          "6.7"
        ],
        "emea-deu-c5-2020": [
          "OPS-10"
        ],
        "emea-isr-cmo-1-0": [
          "4.6",
          "6.8",
          "9.10",
          "11.11",
          "12.31",
          "13.9",
          "21.1"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-4",
          "2-12-1",
          "2-12-2",
          "2-12-3",
          "2-12-4",
          "5-1-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-11",
          "2-11-1",
          "2-11-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-40",
          "TPC-80"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.14"
        ],
        "emea-zaf-popia-2013": [
          "19.1",
          "19.2"
        ],
        "emea-esp-decree-311-2022": [
          "10.1",
          "21.2",
          "24.1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.8 [OP.EXP.8]"
        ],
        "emea-gbr-cap-1850-2020": [
          "C1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0109",
          "ISM-0120",
          "ISM-0580",
          "ISM-0660",
          "ISM-1163",
          "ISM-1294",
          "ISM-1586"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.6.C.01",
          "16.6.6.C.02",
          "16.6.8.C.01",
          "16.6.10.C.01",
          "16.6.10.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "12.2.1",
          "12.2.2",
          "12.2.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.21"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.5"
        ]
      }
    },
    {
      "control_id": "MON-01.17",
      "title": "Real-Time Session Monitoring",
      "family": "MON",
      "description": "Mechanisms exist to enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AU-14(03)"
        ],
        "general-nist-800-82-r3": [
          "AU-14(03)"
        ]
      }
    },
    {
      "control_id": "MON-02",
      "title": "Centralized Collection of Security Event Logs",
      "family": "MON",
      "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
      "scf_question": "Does the organization utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-01",
        "E-MON-05"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical TAASD.\n▪ IT and/or cybersecurity personnel configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Centralized log collector (e.g., Windows Event Forwarding, syslog server)\n∙ Managed Security Services Provider (MSSP)\n∙ Cloud logging (e.g., Microsoft Sentinel free tier, AWS CloudWatch)",
        "small": "∙ Centralized log collector (e.g., Graylog free, Elastic Stack free)\n∙ Managed Security Services Provider (MSSP)\n∙ Cloud SIEM (e.g., Microsoft Sentinel, Sumo Logic)",
        "medium": "∙ Centralized log collector\n∙ Security Incident Event Manager (SIEM) (e.g., Splunk, Microsoft Sentinel, IBM QRadar)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Enterprise SIEM with centralized log collection (e.g., Splunk, Microsoft Sentinel)\n∙ Log management platform (e.g., Splunk, Elastic Stack, Graylog)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Enterprise SIEM with scalable log ingestion (e.g., Splunk Enterprise, IBM QRadar)\n∙ Log management and analytics platform\n∙ Managed Detection and Response (MDR) or in-house SOC\n∙ Log data lake for long-term retention and threat hunting"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2",
          "CC7.2-POF1",
          "CC7.3"
        ],
        "general-cis-csc-8-1": [
          "3.14",
          "8.1",
          "8.2",
          "8.3",
          "8.4",
          "8.5",
          "8.6",
          "8.7",
          "8.8",
          "8.9",
          "8.12",
          "13.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "8.1",
          "8.2",
          "8.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.1",
          "8.2",
          "8.3",
          "8.4",
          "8.5",
          "8.6",
          "8.7",
          "8.8",
          "8.9",
          "13.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.14",
          "8.1",
          "8.2",
          "8.3",
          "8.4",
          "8.5",
          "8.6",
          "8.7",
          "8.8",
          "8.9",
          "8.12",
          "13.1"
        ],
        "general-csa-iot-2": [
          "MON-07"
        ],
        "general-govramp": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "general-govramp-core": [
          "SI-04"
        ],
        "general-govramp-low": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "general-govramp-low-plus": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "general-govramp-mod": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "general-govramp-high": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.8 RE 1"
        ],
        "general-iso-27002-2022": [
          "8.15"
        ],
        "general-iso-27017-2015": [
          "12.4.1"
        ],
        "general-iso-27018-2025": [
          "8.15"
        ],
        "general-nist-800-53-r4": [
          "AU-2",
          "AU-2(3)",
          "AU-6",
          "IR-4(4)",
          "SI-4"
        ],
        "general-nist-800-53-r5-2": [
          "AU-02",
          "AU-06",
          "IR-04(04)",
          "SI-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AU-02",
          "AU-06",
          "IR-04(04)",
          "SI-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "general-nist-800-53-r5-2-high": [
          "IR-04(04)"
        ],
        "general-nist-800-82-r3": [
          "AU-02",
          "AU-06",
          "IR-04(04)",
          "SI-04"
        ],
        "general-nist-800-82-r3-low": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "general-nist-800-82-r3-high": [
          "AU-02",
          "AU-06",
          "IR-04(04)",
          "SI-04"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-06",
          "IR-04(04)"
        ],
        "general-nist-800-161-r1": [
          "AU-2",
          "AU-6",
          "SI-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AU-2",
          "AU-6",
          "SI-4"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AU-2",
          "SI-4"
        ],
        "general-nist-800-161-r1-level-1": [
          "AU-2",
          "SI-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-2",
          "AU-6",
          "SI-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-2",
          "AU-6",
          "SI-4"
        ],
        "general-nist-800-171-r2": [
          "3.3.1",
          "3.3.3",
          "3.3.5",
          "3.3.6",
          "3.3.8",
          "3.3.9"
        ],
        "general-nist-800-171-r3": [
          "03.03.05.a",
          "03.03.05.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.05.ODP[01]",
          "A.03.03.05.a",
          "A.03.03.05.c[01]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5",
          "NIST Tenet 7"
        ],
        "general-nist-csf-2-0": [
          "DE.AE-03",
          "DE.AE-06"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.3.3",
          "10.4",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.3.3",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.3.3",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.3.3",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.3.3",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.13"
        ],
        "general-swift-cscf-2025": [
          "6.1",
          "6.2",
          "6.3",
          "6.4"
        ],
        "general-tisax-6-0-3": [
          "5.2.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.CLMAN"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.G",
          "2.T"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-2",
          "AU-6",
          "SI-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-1e"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.1",
          "AUL2.-3.3.3",
          "AUL2.-3.3.5",
          "AUL2.-3.3.6",
          "AUL2.-3.3.8",
          "AUL2.-3.3.9"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.5.1",
          "3.5.2",
          "7.1"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(b)",
          "11.10(c)",
          "11.10(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-02",
          "AU-06",
          "IR-04(04)",
          "SI-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-02",
          "AU-06",
          "IR-04(04)",
          "SI-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-02",
          "AU-06",
          "IR-04(04)",
          "SI-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-02",
          "AU-06",
          "IR-04(04)",
          "SI-04"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-2",
          "AU-6",
          "SI-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-2",
          "AU-2.a",
          "AU-2.b",
          "AU-2.c",
          "AU-6",
          "AU-6.a",
          "SI-4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(7)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.6(a)(2)",
          "500.14(b)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AT-02",
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-02",
          "AU-06",
          "SI-04"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(52)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.2.6"
        ],
        "emea-deu-c5-2020": [
          "OPS-14"
        ],
        "emea-isr-cmo-1-0": [
          "4.6",
          "12.17",
          "21.3",
          "21.4",
          "21.6",
          "21.12"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-1-3",
          "2-11-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-11-1-3",
          "2-11-1-9"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-81"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.14"
        ],
        "emea-gbr-cap-1850-2020": [
          "C1",
          "C2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0109",
          "ISM-1228",
          "ISM-1405",
          "ISM-1536",
          "ISM-1537",
          "ISM-1566",
          "ISM-1650"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.11.C.01",
          "16.6.11.C.02",
          "16.6.11.C.03",
          "16.6.12.C.01",
          "16.6.12.C.02",
          "16.6.12.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.1.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.21"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.2"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.05.A",
          "03.03.05.C"
        ]
      }
    },
    {
      "control_id": "MON-02.1",
      "title": "Correlate Monitoring Information",
      "family": "MON",
      "description": "Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.",
      "scf_question": "Does the organization use automated mechanisms to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-MON-05",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical TAASD.\n▪ IT and/or cybersecurity personnel configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.\n▪ Logs of vulnerability scanning activities and associated administrator accounts are reviewed to ensure that those activities are limited to the timeframes of legitimate scans.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to automatically correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2",
          "CC7.3"
        ],
        "general-cis-csc-8-1": [
          "3.14",
          "8.12",
          "13.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "13.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.14",
          "8.12",
          "13.6"
        ],
        "general-cr-cmm-2026": [
          "CR2.2.1"
        ],
        "general-govramp": [
          "AU-06(03)",
          "SI-04(16)"
        ],
        "general-govramp-mod": [
          "AU-06(03)",
          "SI-04(16)"
        ],
        "general-govramp-high": [
          "AU-06(03)",
          "SI-04(16)"
        ],
        "general-iso-27002-2022": [
          "8.15"
        ],
        "general-iso-27017-2015": [
          "12.4.1"
        ],
        "general-iso-27018-2025": [
          "8.15"
        ],
        "general-nist-800-53-r4": [
          "AU-6(3)",
          "IR-4(4)",
          "SI-4(16)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-06(03)",
          "AU-06(09)",
          "IR-04(04)",
          "SI-04(16)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AU-06(03)"
        ],
        "general-nist-800-53-r5-2-high": [
          "IR-04(04)"
        ],
        "general-nist-800-82-r3": [
          "AU-06(03)",
          "AU-06(09)",
          "IR-04(04)",
          "SI-04(16)"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-06(03)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-06(03)",
          "IR-04(04)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-06(03)",
          "AU-06(09)",
          "IR-04(04)",
          "SI-04(16)"
        ],
        "general-nist-800-161-r1": [
          "AU-6(9)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-6(9)"
        ],
        "general-nist-800-171-r2": [
          "3.3.5",
          "3.14.7"
        ],
        "general-nist-800-171-r3": [
          "03.03.05.a",
          "03.03.05.c"
        ],
        "general-nist-800-171a": [
          "3.3.5[a]",
          "3.3.5[b]",
          "3.14.7[a]",
          "3.14.7[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.05.c[02]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5",
          "NIST Tenet 7"
        ],
        "general-nist-csf-2-0": [
          "DE.AE-03",
          "DE.AE-06"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.4.1.1",
          "12.10.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.4.1.1",
          "12.10.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.4.1.1",
          "12.10.5"
        ],
        "general-scf-dpmp-2025": [
          "7.13"
        ],
        "general-tisax-6-0-3": [
          "5.2.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.SAWAR",
          "3.UNL.CMREP"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.T"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-6(3)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-1e",
          "SITUATION-3e",
          "RESPONSE-1d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.5",
          "SIL2.-3.14.7"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.5.1",
          "3.5.2",
          "4.4.3",
          "4.4.4",
          "4.4.5",
          "4.4.6",
          "7.2.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-06(03)",
          "IR-04(04)",
          "SI-04(16)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-06(03)",
          "IR-04(04)",
          "SI-04(16)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-6(CE-3)",
          "AU-6(CE-9)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-6(3)"
        ],
        "emea-deu-c5-2020": [
          "OPS-13"
        ],
        "emea-isr-cmo-1-0": [
          "4.6",
          "12.17",
          "21.6",
          "21.12",
          "21.13",
          "21.19"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-1-3",
          "2-11-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-11-1-4",
          "2-11-1-5",
          "2-11-1-6",
          "2-11-1-7",
          "2-11-1-8",
          "2-11-1-10"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-81"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.14"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1228"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.14.C.01",
          "18.4.12.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "12.2.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.6"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.05.A",
          "03.03.05.C"
        ]
      }
    },
    {
      "control_id": "MON-02.2",
      "title": "Central Review & Analysis",
      "family": "MON",
      "description": "Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources.",
      "scf_question": "Does the organization use automated mechanisms to centrally collect, review and analyze audit records from multiple sources?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-MON-01",
        "E-MON-02",
        "E-MON-05"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical TAASD.\n▪ IT and/or cybersecurity personnel configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.\n▪ Logs of privileged functions (e.g., administrator or root actions) are reviewed for evidence of unauthorized activities.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to automatically centrally collect, review and analyze audit records from multiple sources.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "8.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "8.11"
        ],
        "general-csa-iot-2": [
          "MON-07"
        ],
        "general-govramp": [
          "AU-06(04)"
        ],
        "general-govramp-high": [
          "AU-06(04)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.8 RE 1"
        ],
        "general-iso-27002-2022": [
          "6.8",
          "8.15",
          "8.16"
        ],
        "general-iso-27017-2015": [
          "12.4.1"
        ],
        "general-iso-27018-2025": [
          "6.8",
          "8.15",
          "8.16"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DM-P8"
        ],
        "general-nist-800-53-r4": [
          "AU-6(4)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-06(04)"
        ],
        "general-nist-800-82-r3": [
          "AU-06(04)"
        ],
        "general-nist-800-171-r3": [
          "03.03.01.b",
          "03.03.05.a",
          "03.03.05.c"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5",
          "NIST Tenet 7"
        ],
        "general-pci-dss-4-0-1": [
          "10.3.3",
          "10.4",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.3.3",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.3.3",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.3.3",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.3.3",
          "10.4.1",
          "10.4.1.1"
        ],
        "general-swift-cscf-2025": [
          "6.1",
          "6.2",
          "6.3",
          "6.4"
        ],
        "general-tisax-6-0-3": [
          "5.2.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.CMREP"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.G",
          "2.T"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "7.1.3",
          "7.2.3"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-06(04)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(7)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(52)"
        ],
        "emea-deu-c5-2020": [
          "OPS-13"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-1-3"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-11-1-9",
          "2-11-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-81"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.8 [OP.EXP.8]"
        ],
        "emea-gbr-cap-1850-2020": [
          "C1",
          "C2"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P3",
          "ML2-P4",
          "ML2-P5",
          "ML2-P7",
          "ML3-P3",
          "ML3-P4",
          "ML3-P5",
          "ML3-P7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1228"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.11.C.01",
          "16.6.11.C.02",
          "16.6.11.C.03",
          "16.6.12.C.01",
          "16.6.12.C.02",
          "16.6.12.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "12.2.6"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.21"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3.1",
          "3.3.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.01.B",
          "03.03.05.A",
          "03.03.05.C"
        ]
      }
    },
    {
      "control_id": "MON-02.3",
      "title": "Integration of Scanning & Other Monitoring Information",
      "family": "MON",
      "description": "Automated mechanisms exist to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity.",
      "scf_question": "Does the organization use automated mechanisms to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to automatically integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "3.14",
          "8.6",
          "8.7",
          "8.12",
          "13.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.6",
          "8.7",
          "13.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.14",
          "8.6",
          "8.7",
          "8.12",
          "13.6"
        ],
        "general-govramp": [
          "AU-06(05)"
        ],
        "general-govramp-high": [
          "AU-06(05)"
        ],
        "general-nist-800-53-r4": [
          "AU-6(5)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-06(05)",
          "SI-04(17)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AU-06(05)"
        ],
        "general-nist-800-82-r3": [
          "AU-06(05)",
          "SI-04(17)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-06(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-06(05)",
          "SI-04(17)"
        ],
        "general-nist-800-161-r1": [
          "SI-4(17)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-4(17)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-4(17)"
        ],
        "general-nist-800-171-r3": [
          "03.03.05.c"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4",
          "NIST Tenet 5",
          "NIST Tenet 7"
        ],
        "general-shared-assessments-sig-2025": [
          "J.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.D",
          "2.T"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-1d"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.5.1",
          "3.5.2",
          "7.2.3",
          "7.2.4"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-06(05)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-11-1-4",
          "2-11-1-5",
          "2-11-1-6",
          "2-11-1-7",
          "2-11-1-8",
          "2-11-1-10"
        ],
        "emea-gbr-cap-1850-2020": [
          "C1",
          "C2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.05.C"
        ]
      }
    },
    {
      "control_id": "MON-02.4",
      "title": "Correlation with Physical Monitoring",
      "family": "MON",
      "description": "Automated mechanisms exist to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity.",
      "scf_question": "Does the organization use automated mechanisms to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to automatically correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "AU-06(06)"
        ],
        "general-govramp-high": [
          "AU-06(06)"
        ],
        "general-nist-800-53-r4": [
          "AU-6(6)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-06(06)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AU-06(06)"
        ],
        "general-nist-800-82-r3": [
          "AU-06(06)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-06(06)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-06(06)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-shared-assessments-sig-2025": [
          "J.5"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-06(06)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.2.3(i)"
        ]
      }
    },
    {
      "control_id": "MON-02.5",
      "title": "Permitted Actions",
      "family": "MON",
      "description": "Mechanisms exist to specify the permitted actions for both users and Technology Assets, Applications and/or Services (TAAS) associated with the review, analysis and reporting of audit information.",
      "scf_question": "Does the organization specify the permitted actions for both users and Technology Assets, Applications and/or Services (TAAS) associated with the review, analysis and reporting of audit information?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to specify the permitted actions for both users and Technology Assets, Applications and/or Services (TAAS) associated with the review, analysis and reporting of audit information.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "AU-06(07)"
        ],
        "general-govramp-high": [
          "AU-06(07)"
        ],
        "general-nist-800-53-r4": [
          "AU-6(7)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-06(07)"
        ],
        "general-nist-800-82-r3": [
          "AU-06(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-06(07)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-6(CE-7)"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-8"
        ]
      }
    },
    {
      "control_id": "MON-02.6",
      "title": "Audit Level Adjustments",
      "family": "MON",
      "description": "Mechanisms exist to adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence.",
      "scf_question": "Does the organization adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "AU-06"
        ],
        "general-govramp-low": [
          "AU-06"
        ],
        "general-govramp-low-plus": [
          "AU-06"
        ],
        "general-govramp-mod": [
          "AU-06"
        ],
        "general-govramp-high": [
          "AU-06"
        ],
        "general-nist-800-53-r4": [
          "AU-6(10)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AU-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-06"
        ],
        "general-nist-800-82-r3": [
          "AU-06"
        ],
        "general-nist-800-82-r3-low": [
          "AU-06"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-06"
        ],
        "general-nist-800-82-r3-high": [
          "AU-06"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-06"
        ],
        "general-nist-800-161-r1": [
          "AU-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AU-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-06"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-6",
          "AU-6.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-06"
        ],
        "emea-deu-c5-2020": [
          "OIS-05"
        ],
        "apac-jpn-ismap": [
          "6.1.3.5",
          "6.1.4.7"
        ]
      }
    },
    {
      "control_id": "MON-02.7",
      "title": "System-Wide / Time-Correlated Audit Trail",
      "family": "MON",
      "description": "Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated.",
      "scf_question": "Does the organization use automated mechanisms to compile audit records into an organization-wide audit trail that is time-correlated?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ SBC enforce logging to link system access to individual users or service accounts using a non-repudiation capability to protect against an individual falsely denying having performed a particular action.\n▪ SBC enforce local security event logging and forward those logs to a centralized log repository to provide an alternate audit capability in the event of a failure in the primary audit capability.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to automatically compile audit records into an organization-wide audit trail that is time-correlated.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "8.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "8.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "8.2"
        ],
        "general-csa-iot-2": [
          "MON-07"
        ],
        "general-govramp": [
          "AU-12(01)"
        ],
        "general-govramp-high": [
          "AU-12(01)"
        ],
        "general-nist-800-53-r4": [
          "AU-12(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-12(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AU-12(01)"
        ],
        "general-nist-800-82-r3": [
          "AU-12(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-12(01)"
        ],
        "general-nist-800-171-r3": [
          "03.03.01.a"
        ],
        "general-pci-dss-4-0-1": [
          "10.6",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.b.i",
          "1.b.ii"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.AACCO"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "7.1"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(B)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-12(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-12(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-12(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(7)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-02-SID"
        ],
        "emea-sau-otcc-1-2022": [
          "2-11-1-1",
          "2-11-1-2",
          "2-11-1-3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0988"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.11.C.02"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.01.A"
        ]
      }
    },
    {
      "control_id": "MON-02.8",
      "title": "Changes by Authorized Individuals",
      "family": "MON",
      "description": "Mechanisms exist to provide privileged users or roles the capability to change the auditing to be performed on specified system components, based on specific event criteria within specified time thresholds.",
      "scf_question": "Does the organization provide privileged users or roles the capability to change the auditing to be performed on specified system components, based on specific event criteria within specified time thresholds?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to provide privileged users or roles the capability to change the auditing to be performed on specified system components, based on specific event criteria within specified time thresholds.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "AU-12(03)"
        ],
        "general-govramp-high": [
          "AU-12(03)"
        ],
        "general-nist-800-53-r4": [
          "AU-12(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-12(03)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AU-12(03)"
        ],
        "general-nist-800-82-r3": [
          "AU-12(03)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-12(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-12(03)"
        ]
      }
    },
    {
      "control_id": "MON-02.9",
      "title": "Inventory of Technology Asset Event Logging",
      "family": "MON",
      "description": "Mechanisms exist to maintain a current and accurate inventory of technology-related Technology Assets, Applications and/or Services (TAAS) being logged.",
      "scf_question": "Does the organization maintain a current and accurate inventory of technology-related Technology Assets, Applications and/or Services (TAAS) being logged?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to maintain a current and accurate inventory of technology-related Technology Assets, Applications and/or Services (TAAS) being logged.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "emea-eu-nis2-annex-2024": [
          "3.2.6",
          "3.2.7"
        ]
      }
    },
    {
      "control_id": "MON-03",
      "title": "Content of Event Logs",
      "family": "MON",
      "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
      "scf_question": "Does the organization configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n (1) Establish what type of event occurred;\n (2) When (date and time) the event occurred;\n (3) Where the event occurred;\n (4) The source of the event;\n (5) The outcome (success or failure) of the event; and \n (6) The identity of any user/subject associated with the event?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-01",
        "E-CPL-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ Generating event logs and the review of those event logs is narrowly-focused to business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ SBC enforce logging to link system access to individual users or service accounts using a non-repudiation capability to protect against an individual falsely denying having performed a particular action.\n▪ SBC enforce local security event logging and forward those logs to a centralized log repository to provide an alternate audit capability in the event of a failure in the primary audit capability.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "PI1.4"
        ],
        "general-cis-csc-8-1": [
          "3.14",
          "8.2",
          "8.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "8.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.2",
          "8.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.14",
          "8.2",
          "8.5"
        ],
        "general-cobit-2019": [
          "DSS06.05"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-09",
          "LOG-12"
        ],
        "general-csa-iot-2": [
          "MON-03",
          "MON-06"
        ],
        "general-govramp": [
          "AU-03"
        ],
        "general-govramp-low": [
          "AU-03"
        ],
        "general-govramp-low-plus": [
          "AU-03"
        ],
        "general-govramp-mod": [
          "AU-03"
        ],
        "general-govramp-high": [
          "AU-03"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.5"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.8"
        ],
        "general-iso-27002-2022": [
          "8.15"
        ],
        "general-iso-27017-2015": [
          "12.4.1"
        ],
        "general-iso-27018-2025": [
          "8.15"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.5"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(i)"
        ],
        "general-nist-800-53-r4": [
          "AU-3",
          "DM-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-03"
        ],
        "general-nist-800-66-r2": [
          "164.312(b)"
        ],
        "general-nist-800-82-r3": [
          "AU-03"
        ],
        "general-nist-800-82-r3-low": [
          "AU-03"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-03"
        ],
        "general-nist-800-82-r3-high": [
          "AU-03"
        ],
        "general-nist-800-161-r1": [
          "AU-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AU-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AU-3"
        ],
        "general-nist-800-161-r1-level-1": [
          "AU-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-3"
        ],
        "general-nist-800-171-r2": [
          "3.3.2"
        ],
        "general-nist-800-171-r3": [
          "03.03.01.a",
          "03.03.02.a",
          "03.03.02.a.01",
          "03.03.02.a.02",
          "03.03.02.a.03",
          "03.03.02.a.04",
          "03.03.02.a.05",
          "03.03.02.a.06",
          "03.03.02.b"
        ],
        "general-nist-800-171a": [
          "3.3.1[a]",
          "3.3.1[b]",
          "3.3.1[d]",
          "3.3.2[a]",
          "3.3.2[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.01.ODP[01]",
          "A.03.03.01.a",
          "A.03.03.01.b[02]",
          "A.03.03.02.a.02",
          "A.03.03.02.a.03",
          "A.03.03.02.a.04",
          "A.03.03.02.a.05",
          "A.03.03.02.a.06",
          "A.03.03.02.b"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-04"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.4.2",
          "10.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.4.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.2.1.2",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.4.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.4.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.b."
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.AACCO"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-3"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.2"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "7.1"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(B)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(b)",
          "11.10(c)",
          "11.10(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-03"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(b)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-3",
          "AU-3(1).a",
          "AU-3(1).b",
          "AU-3(1).c",
          "AU-3(1)-IS.1",
          "AU-3(1)-IS.1.a",
          "AU-3(1)-IS.1.b",
          "AU-3(1)-IS.1.c",
          "AU-3(1)-IS.1.d",
          "AU-3(1)-IS.2"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 4.1",
          "CIP-007-6 4.1.1",
          "CIP-007-6 4.1.2",
          "CIP-007-6 4.1.3"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.3.a"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(7)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.6(a)(1)",
          "500.6(a)(2)",
          "500.7(c)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-03"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(52)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.2.3",
          "3.2.3(c)",
          "3.2.3(d)",
          "3.2.3(e)",
          "3.2.3(f)",
          "3.2.3(g)",
          "3.2.3(h)",
          "3.2.3(j)",
          "3.2.3(k)",
          "3.2.3(l)",
          "11.5.2(d)"
        ],
        "emea-deu-bsrit-2017": [
          "6.3"
        ],
        "emea-deu-c5-2020": [
          "OPS-15"
        ],
        "emea-isr-cmo-1-0": [
          "4.6",
          "12.17",
          "21.2",
          "21.5",
          "21.7",
          "21.10"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-1-5"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 24.1"
        ],
        "emea-esp-decree-311-2022": [
          "24.1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.8 [OP.EXP.8]"
        ],
        "emea-gbr-caf-4-0": [
          "C1.a"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3104"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3104"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3104"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P3",
          "ML2-P5",
          "ML3-P3",
          "ML3-P5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0582",
          "ISM-0585",
          "ISM-1536",
          "ISM-1537"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S9"
        ],
        "apac-jpn-ismap": [
          "12.4.1.1",
          "12.4.1.2",
          "12.4.1.3",
          "12.4.1.4",
          "12.4.1.5",
          "12.4.1.6",
          "12.4.1.7",
          "12.4.1.8",
          "12.4.1.9",
          "12.4.1.10",
          "12.4.1.11",
          "12.4.1.12",
          "12.4.1.13",
          "12.4.1.14",
          "12.4.1.17",
          "12.4.1.18"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP70",
          "HML70"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP61"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.7.C.01",
          "16.6.9.C.01",
          "16.6.10.C.01",
          "16.6.10.C.02"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.21"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.7",
          "3.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.01.A",
          "03.03.02.A",
          "03.03.02.A.01",
          "03.03.02.A.02",
          "03.03.02.A.03",
          "03.03.02.A.04",
          "03.03.02.A.05",
          "03.03.02.A.06",
          "03.03.02.B"
        ]
      }
    },
    {
      "control_id": "MON-03.1",
      "title": "Sensitive Event Log Information",
      "family": "MON",
      "description": "Mechanisms exist to protect sensitive/regulated data contained in log files.",
      "scf_question": "Does the organization protect sensitive/regulated data contained in log files?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Logs of privileged functions (e.g., administrator or root actions) are reviewed for evidence of unauthorized activities.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to protect sensitive/regulated data contained in log files.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed",
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "3.14"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.14"
        ],
        "general-govramp": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "general-govramp-low-plus": [
          "AU-06(01)"
        ],
        "general-govramp-mod": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "general-govramp-high": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "general-nist-800-53-r4": [
          "AU-3(1)",
          "AU-6(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "general-nist-800-82-r3": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "general-nist-800-171-r2": [
          "3.3.8"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-3(1)",
          "AU-6(1)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.8"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-03(01)",
          "AU-06(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-3(CE-1)",
          "AU-6(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-3(1)",
          "AU-6(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-03 (01)"
        ],
        "emea-isr-cmo-1-0": [
          "21.4"
        ]
      }
    },
    {
      "control_id": "MON-03.2",
      "title": "Audit Trails",
      "family": "MON",
      "description": "Mechanisms exist to link system access to individual users or service accounts.",
      "scf_question": "Does the organization link system access to individual users or service accounts?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-09"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ Generating event logs and the review of those event logs is narrowly-focused to business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ SBC enforce logging to link system access to individual users or service accounts using a non-repudiation capability to protect against an individual falsely denying having performed a particular action.\n▪ SBC enforce local security event logging and forward those logs to a centralized log repository to provide an alternate audit capability in the event of a failure in the primary audit capability.\n▪ A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical TAASD.\n▪ IT and/or cybersecurity personnel configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.\n▪ IT and/or cybersecurity personnel retain security event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and/or contractual retention requirements.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to link system access to individual users or service accounts.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(i)"
        ],
        "general-nist-800-66-r2": [
          "164.312(b)"
        ],
        "general-nist-800-171-r3": [
          "03.03.01.a"
        ],
        "general-nist-800-171a": [
          "3.3.1[c]",
          "3.3.2[a]"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.2",
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.2.1.2",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.2.1",
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7",
          "10.2.2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.b."
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.AACCO"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(B)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(b)",
          "11.10(c)",
          "11.10(e)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(b)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.3.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(7)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.5.2(b)"
        ],
        "emea-isr-cmo-1-0": [
          "12.17"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-1-3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3107"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3107"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3107"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3107"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0407"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP70",
          "HML70"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP61"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.8.C.01",
          "16.6.9.C.01",
          "16.6.10.C.01",
          "16.6.10.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.2.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.01.A"
        ]
      }
    },
    {
      "control_id": "MON-03.3",
      "title": "Privileged Functions Logging",
      "family": "MON",
      "description": "Mechanisms exist to log and review the actions of users and/or services with elevated privileges.",
      "scf_question": "Does the organization log and review the actions of users and/or services with elevated privileges?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "MON-03.2"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ Generating event logs and the review of those event logs is narrowly-focused to business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ SBC enforce logging to link system access to individual users or service accounts using a non-repudiation capability to protect against an individual falsely denying having performed a particular action.\n▪ SBC enforce local security event logging and forward those logs to a centralized log repository to provide an alternate audit capability in the event of a failure in the primary audit capability.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to log and review the actions of users and/or services with elevated privileges.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "8.8"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.8"
        ],
        "general-cis-csc-8-1-ig3": [
          "8.8"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-09",
          "IAM-10",
          "IAM-11"
        ],
        "general-iso-27002-2022": [
          "8.15"
        ],
        "general-iso-27017-2015": [
          "12.4.1",
          "12.4.3"
        ],
        "general-iso-27018-2025": [
          "8.15"
        ],
        "general-nist-800-53-r4": [
          "AU-6(8)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-06(08)"
        ],
        "general-nist-800-82-r3": [
          "AU-06(08)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-06(08)"
        ],
        "general-nist-800-171-r3": [
          "03.01.07.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.07.b"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.2.1.2",
          "10.2.1.4",
          "10.2.1.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.2.1.1",
          "10.2.1.2",
          "10.2.1.3",
          "10.2.1.4",
          "10.2.1.5",
          "10.2.1.6",
          "10.2.1.7"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.5.2(d)"
        ],
        "emea-deu-c5-2020": [
          "OPS-16"
        ],
        "emea-isr-cmo-1-0": [
          "21.10",
          "21.21"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2216"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2216"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2216"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P4",
          "ML3-P4",
          "ML3-P7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1537"
        ],
        "apac-jpn-ismap": [
          "12.4.3",
          "12.4.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.07.B"
        ]
      }
    },
    {
      "control_id": "MON-03.4",
      "title": "Verbosity Logging for Boundary Devices",
      "family": "MON",
      "description": "Mechanisms exist to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies.",
      "scf_question": "Does the organization verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ Generating event logs and the review of those event logs is narrowly-focused to business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-GV-1",
        "R-IR-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "emea-isr-cmo-1-0": [
          "21.5",
          "21.21"
        ]
      }
    },
    {
      "control_id": "MON-03.5",
      "title": "Limit Personal Data (PD) In Audit Records",
      "family": "MON",
      "description": "Mechanisms exist to limit Personal Data (PD) contained in audit records to the elements identified in the Data Privacy Risk Assessment (DPRA).",
      "scf_question": "Does the organization limit Personal Data (PD) contained in audit records to the elements identified in the Data Privacy Risk Assessment (DPRA)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to limit Personal Data (PD) contained in audit records to the elements identified in the Data Privacy Risk Assessment (DPRA).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AU-03(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AU-03(03)"
        ],
        "general-nist-800-82-r3": [
          "AU-03(03)"
        ],
        "general-shared-assessments-sig-2025": [
          "P.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-3(3)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-3(CE-3)"
        ]
      }
    },
    {
      "control_id": "MON-03.6",
      "title": "Centralized Management of Event Log Content",
      "family": "MON",
      "description": "Mechanisms exist to centrally manage and update the criteria to be captured in event logs generated by organization-defined system components.",
      "scf_question": "Does the organization centrally manage and update the criteria to be captured in event logs generated by organization-defined system components?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical TAASD.\n▪ IT and/or cybersecurity personnel configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to centrally manage and update the criteria to be captured in event logs generated by organization-defined system components.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AU-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PL-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-09"
        ],
        "general-nist-800-82-r3": [
          "PL-09"
        ],
        "general-nist-800-161-r1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-9"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-09"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-2(3)",
          "AU-2(3)-IS.1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-4"
        ]
      }
    },
    {
      "control_id": "MON-03.7",
      "title": "Database Logging",
      "family": "MON",
      "description": "Mechanisms exist to ensure databases produce audit records that contain sufficient information to monitor database activities.",
      "scf_question": "Does the organization ensure databases produce audit records that contain sufficient information to monitor database activities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to ensure databases produce audit records that contain sufficient information to monitor database activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-171a": [
          "3.3.2[a]"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.6"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1537"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.7.C.01",
          "16.6.9.C.01",
          "16.6.10.C.01",
          "16.6.10.C.02"
        ]
      }
    },
    {
      "control_id": "MON-04",
      "title": "Event Log Storage Capacity",
      "family": "MON",
      "description": "Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.",
      "scf_question": "Does the organization allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ ITIL 4 (https://axelos.com)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ ITIL 4 (https://axelos.com)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ ITIL 4 (https://axelos.com)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ ITIL 4 (https://axelos.com)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ ITIL 4 (https://axelos.com)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "8.3",
          "8.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "8.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.3",
          "8.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "8.3",
          "8.1"
        ],
        "general-govramp": [
          "AU-04"
        ],
        "general-govramp-low": [
          "AU-04"
        ],
        "general-govramp-low-plus": [
          "AU-04"
        ],
        "general-govramp-mod": [
          "AU-04"
        ],
        "general-govramp-high": [
          "AU-04"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.9"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.9(a)",
          "CR 2.9(b)"
        ],
        "general-nist-800-53-r4": [
          "AU-4"
        ],
        "general-nist-800-53-r5-2": [
          "AU-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-04"
        ],
        "general-nist-800-82-r3": [
          "AU-04"
        ],
        "general-nist-800-82-r3-low": [
          "AU-04"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-04"
        ],
        "general-nist-800-82-r3-high": [
          "AU-04"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-04"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-4"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-04"
        ],
        "emea-isr-cmo-1-0": [
          "21.8"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-5"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.13.C.01",
          "16.6.13.C.02",
          "16.6.13.C.03",
          "16.6.13.C.04"
        ]
      }
    },
    {
      "control_id": "MON-05",
      "title": "Response To Event Log Processing Failures",
      "family": "MON",
      "description": "Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.",
      "scf_question": "Does the organization alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MON-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)\n∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Incident Response Plan (IRP)\n∙ Security Information and Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Incident Response Plan (IRP)\n∙ Security Information and Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Incident Response Plan (IRP)\n∙ Security Information and Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Incident Response Plan (IRP)\n∙ Security Information and Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "AU-05"
        ],
        "general-govramp-low": [
          "AU-05"
        ],
        "general-govramp-low-plus": [
          "AU-05"
        ],
        "general-govramp-mod": [
          "AU-05"
        ],
        "general-govramp-high": [
          "AU-05"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.10"
        ],
        "general-nist-800-53-r4": [
          "AU-5"
        ],
        "general-nist-800-53-r5-2": [
          "AU-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-05"
        ],
        "general-nist-800-82-r3": [
          "AU-05"
        ],
        "general-nist-800-82-r3-low": [
          "AU-05"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-05"
        ],
        "general-nist-800-82-r3-high": [
          "AU-05"
        ],
        "general-nist-800-171-r2": [
          "3.3.4"
        ],
        "general-nist-800-171-r3": [
          "03.03.04.b"
        ],
        "general-nist-800-171a": [
          "3.3.4[a]",
          "3.3.4[b]",
          "3.3.4[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.04.ODP[01]",
          "A.03.03.04.ODP[02]",
          "A.03.03.04.a",
          "A.03.03.04.b"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "A3.3.1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.T"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-5"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-05"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-5"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 4.2.2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-05"
        ],
        "emea-deu-c5-2020": [
          "OPS-17"
        ],
        "emea-isr-cmo-1-0": [
          "21.9"
        ],
        "emea-sau-otcc-1-2022": [
          "2-11-1-2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.04.B"
        ]
      }
    },
    {
      "control_id": "MON-05.1",
      "title": "Real-Time Alerts of Event Logging Failure",
      "family": "MON",
      "description": "Mechanisms exist to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.",
      "scf_question": "Does the organization provide 24x7x365 near real-time alerting capability when an event log processing failure occurs?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Information and Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Information and Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Information and Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Information and Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "AU-05(02)"
        ],
        "general-govramp-high": [
          "AU-05(02)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MG-3.2-006"
        ],
        "general-nist-800-53-r4": [
          "AU-5(2)",
          "SI-4(12)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-05(02)",
          "SI-04(12)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-04(12)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AU-05(02)",
          "SI-04(12)"
        ],
        "general-nist-800-82-r3": [
          "AU-05(02)",
          "SI-04(12)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-05(02)",
          "SI-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-04(12)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-12)"
        ],
        "emea-deu-c5-2020": [
          "OPS-17"
        ],
        "emea-isr-cmo-1-0": [
          "21.9"
        ]
      }
    },
    {
      "control_id": "MON-05.2",
      "title": "Event Log Storage Capacity Alerting",
      "family": "MON",
      "description": "Automated mechanisms exist to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.",
      "scf_question": "Does the organization use automated mechanisms to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to automatically alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.",
        "4": "Continuous Monitoring (MON) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "AU-05(01)"
        ],
        "general-govramp-high": [
          "AU-05(01)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.9 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.9(1)"
        ],
        "general-nist-800-53-r4": [
          "AU-5(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-05(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AU-05(01)"
        ],
        "general-nist-800-82-r3": [
          "AU-05(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-05(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-5(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-5(1)"
        ]
      }
    },
    {
      "control_id": "MON-06",
      "title": "Monitoring Reporting",
      "family": "MON",
      "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
      "scf_question": "Does the organization provide an event log report generation capability to aid in detecting and assessing anomalous activities?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical TAASD.\n▪ IT and/or cybersecurity personnel configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.\n▪ Logs of privileged functions (e.g., administrator or root actions) are reviewed for evidence of unauthorized activities.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2",
          "CC7.3"
        ],
        "general-govramp": [
          "AU-07",
          "AU-07(01)",
          "AU-12"
        ],
        "general-govramp-core": [
          "AU-07",
          "AU-07(01)"
        ],
        "general-govramp-low": [
          "AU-12"
        ],
        "general-govramp-low-plus": [
          "AU-12"
        ],
        "general-govramp-mod": [
          "AU-07",
          "AU-07(01)",
          "AU-12"
        ],
        "general-govramp-high": [
          "AU-07",
          "AU-07(01)",
          "AU-12"
        ],
        "general-iso-27002-2022": [
          "6.8",
          "8.15"
        ],
        "general-iso-27017-2015": [
          "12.4.1"
        ],
        "general-iso-27018-2025": [
          "6.8",
          "8.15"
        ],
        "general-nist-800-53-r4": [
          "AU-7",
          "AU-7(1)",
          "AU-12"
        ],
        "general-nist-800-53-r5-2": [
          "AU-07",
          "AU-07(01)",
          "AU-12"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-12"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AU-07",
          "AU-07(01)"
        ],
        "general-nist-800-82-r3": [
          "AU-07",
          "AU-07(01)",
          "AU-12"
        ],
        "general-nist-800-82-r3-low": [
          "AU-12"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-07",
          "AU-07(01)",
          "AU-12"
        ],
        "general-nist-800-82-r3-high": [
          "AU-07",
          "AU-07(01)",
          "AU-12"
        ],
        "general-nist-800-161-r1": [
          "AU-12"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AU-12"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AU-12"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-12"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-12"
        ],
        "general-nist-800-171-r2": [
          "3.3.6"
        ],
        "general-nist-800-171-r3": [
          "03.03.05.b",
          "03.03.06.a"
        ],
        "general-nist-800-171a": [
          "3.3.6[a]",
          "3.3.6[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.05.b",
          "A.03.03.06.a[01]",
          "A.03.03.06.a[02]",
          "A.03.03.06.a[03]",
          "A.03.03.06.a[04]"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.CMREP"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-7",
          "AU-7(1)",
          "AU-12"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-3a",
          "SITUATION-3b",
          "SITUATION-3c",
          "SITUATION-3d",
          "SITUATION-3f"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-12"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-07",
          "AU-07(01)",
          "AU-12"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-07",
          "AU-07(01)",
          "AU-12"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-12"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-7",
          "AU-7(CE-1)",
          "AU-12"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-7",
          "AU-7.a",
          "AU-7.b",
          "AU-7(1)",
          "AU-12",
          "AU-12.a",
          "AU-12.b",
          "AU-12.c",
          "AU-12-IS"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-12"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-12"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-12"
        ],
        "emea-isr-cmo-1-0": [
          "21.3",
          "21.11",
          "21.19",
          "21.20"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3108"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3108"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3108"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3108"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1660"
        ],
        "apac-sgp-mas-trm-2021": [
          "12.2.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.05.B",
          "03.03.06.A"
        ]
      }
    },
    {
      "control_id": "MON-06.1",
      "title": "Query Parameter Audits of Personal Data (PD)",
      "family": "MON",
      "description": "Mechanisms exist to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD).",
      "scf_question": "Does the organization provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD)?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD).",
        "4": "Continuous Monitoring (MON) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-5",
        "R-GV-3",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AU-12(04)"
        ],
        "general-nist-800-82-r3": [
          "AU-12(04)"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ]
      }
    },
    {
      "control_id": "MON-06.2",
      "title": "Trend Analysis Reporting",
      "family": "MON",
      "description": "Mechanisms exist to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.",
      "scf_question": "Does the organization employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ Generating event logs and reviewing those event logs are narrowly focused on business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "CA-07(03)"
        ],
        "general-govramp-high": [
          "CA-07(03)"
        ],
        "general-nist-800-53-r4": [
          "CA-7(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-07(03)"
        ],
        "general-nist-800-82-r3": [
          "CA-07(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CA-07(03)"
        ],
        "general-nist-800-161-r1": [
          "CA-7(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-7(3)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-3a",
          "SITUATION-3c",
          "SITUATION-3d"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "7.1.3"
        ]
      }
    },
    {
      "control_id": "MON-07",
      "title": "Time Stamps",
      "family": "MON",
      "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to use an authoritative time source to generate time stamps for event logs.",
      "scf_question": "Does the organization configure Technology Assets, Applications and/or Services (TAAS) to use an authoritative time source to generate time stamps for event logs?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to configure Technology Assets, Applications and/or Services (TAAS) to use an authoritative time source to generate time stamps for event logs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "AU-08"
        ],
        "general-govramp-low": [
          "AU-08"
        ],
        "general-govramp-low-plus": [
          "AU-08"
        ],
        "general-govramp-mod": [
          "AU-08"
        ],
        "general-govramp-high": [
          "AU-08"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.11"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.11"
        ],
        "general-nist-800-53-r4": [
          "AU-8"
        ],
        "general-nist-800-53-r5-2": [
          "AU-08"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AU-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-08"
        ],
        "general-nist-800-82-r3": [
          "AU-08"
        ],
        "general-nist-800-82-r3-low": [
          "AU-08"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-08"
        ],
        "general-nist-800-82-r3-high": [
          "AU-08"
        ],
        "general-nist-800-171-r3": [
          "03.03.02.a.02",
          "03.03.07.a"
        ],
        "general-nist-800-171a": [
          "3.3.7[a]",
          "3.3.7[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.07.ODP[01]",
          "A.03.03.07.a",
          "A.03.03.07.b[01]"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.2",
          "10.6",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-8"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(b)",
          "11.10(c)",
          "11.10(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-08"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-8",
          "AU-8.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-08"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-08"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-09"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-3-4"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.7.5 [MP.INFO.5]"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.02.A.02",
          "03.03.07.A"
        ]
      }
    },
    {
      "control_id": "MON-07.1",
      "title": "Synchronization With Authoritative Time Source",
      "family": "MON",
      "description": "Mechanisms exist to synchronize internal system clocks with an authoritative time source.",
      "scf_question": "Does the organization synchronize internal system clocks with an authoritative time source?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to synchronize internal system clocks with an authoritative time source.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "8.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "8.4"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.11(1)"
        ],
        "general-nist-800-53-r4": [
          "AU-8(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-45",
          "SC-45(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-45",
          "SC-45(01)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-45"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-45"
        ],
        "general-nist-800-82-r3-high": [
          "SC-45"
        ],
        "general-nist-800-171-r2": [
          "3.3.7"
        ],
        "general-nist-800-171-r3": [
          "03.03.07.b"
        ],
        "general-nist-800-171a": [
          "3.3.7[b]",
          "3.3.7[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.07.b[02]"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.6",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.TSYNC"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.7"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(b)",
          "11.10(c)",
          "11.10(e)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-45",
          "SC-45(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-45",
          "SC-45(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-45",
          "SC-45(CE-1)",
          "SC-45(CE-1).a",
          "SC-45(CE-1).b"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.2.6"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-3-4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2421"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2421"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2421"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2421"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP71",
          "HML71"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP62"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.07.B"
        ]
      }
    },
    {
      "control_id": "MON-08",
      "title": "Protection of Event Logs",
      "family": "MON",
      "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
      "scf_question": "Does the organization protect event logs and audit tools from unauthorized access, modification and deletion?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel retain security event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and/or contractual retention requirements.\n▪ IT and/or cybersecurity personnel restrict access to the management of event logs for privileged users to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "PI1.4",
          "PI1.5"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-02",
          "LOG-10"
        ],
        "general-csa-iot-2": [
          "MON-04",
          "MON-05"
        ],
        "general-govramp": [
          "AU-09"
        ],
        "general-govramp-low": [
          "AU-09"
        ],
        "general-govramp-low-plus": [
          "AU-09"
        ],
        "general-govramp-mod": [
          "AU-09"
        ],
        "general-govramp-high": [
          "AU-09"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.6"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.9",
          "SR 6.1 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.9",
          "CR 6.1",
          "CR 6.1(1)"
        ],
        "general-iso-27002-2022": [
          "8.15"
        ],
        "general-iso-27017-2015": [
          "12.4.2"
        ],
        "general-iso-27018-2025": [
          "8.15"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.5"
        ],
        "general-nist-800-53-r4": [
          "AU-9"
        ],
        "general-nist-800-53-r5-2": [
          "AU-09"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-09"
        ],
        "general-nist-800-82-r3": [
          "AU-09"
        ],
        "general-nist-800-82-r3-low": [
          "AU-09"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-09"
        ],
        "general-nist-800-82-r3-high": [
          "AU-09"
        ],
        "general-nist-800-171-r2": [
          "3.3.8"
        ],
        "general-nist-800-171-r3": [
          "03.03.03.b",
          "03.03.06.b",
          "03.03.08.a"
        ],
        "general-nist-800-171a": [
          "3.3.8[a]",
          "3.3.8[b]",
          "3.3.8[c]",
          "3.3.8[d]",
          "3.3.8[e]",
          "3.3.8[f]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.03.b",
          "A.03.03.06.b[01]",
          "A.03.03.06.b[02]",
          "A.03.03.08.a[01]",
          "A.03.03.08.b"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.3",
          "10.3.1",
          "10.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.3.1",
          "10.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.3.1",
          "10.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.3.1",
          "10.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.3.1",
          "10.3.2"
        ],
        "general-swift-cscf-2025": [
          "6.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.U"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-9"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.8"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(b)",
          "11.10(c)",
          "11.10(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-09"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-9"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-9"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(7)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-09"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-09"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-09"
        ],
        "emea-deu-c5-2020": [
          "OPS-16"
        ],
        "emea-isr-cmo-1-0": [
          "21.4",
          "21.14",
          "21.16"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-8",
          "2-11-1-5",
          "2-11-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-5",
          "2-14-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-10"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.10 [OP.EXP.10]"
        ],
        "emea-gbr-caf-4-0": [
          "C1.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3103"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3103"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3103"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P3",
          "ML2-P4",
          "ML2-P5",
          "ML2-P7",
          "ML3-P3",
          "ML3-P4",
          "ML3-P5",
          "ML3-P7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0859",
          "ISM-0991"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S9"
        ],
        "apac-jpn-ismap": [
          "12.4.2",
          "12.4.2.1",
          "12.4.2.2",
          "12.4.2.3",
          "12.4.3.2"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.13.C.01",
          "16.6.13.C.02",
          "16.6.13.C.03",
          "16.6.13.C.04"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.21"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.03.B",
          "03.03.06.B",
          "03.03.08.A"
        ]
      }
    },
    {
      "control_id": "MON-08.1",
      "title": "Event Log Backup on Separate Physical Systems / Components",
      "family": "MON",
      "description": "Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.",
      "scf_question": "Does the organization back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-csa-iot-2": [
          "MON-05",
          "MON-06"
        ],
        "general-govramp": [
          "AU-09(02)"
        ],
        "general-govramp-mod": [
          "AU-09(02)"
        ],
        "general-govramp-high": [
          "AU-09(02)"
        ],
        "general-nist-800-53-r4": [
          "AU-4(1)",
          "AU-9(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-04(01)",
          "AU-09(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AU-09(02)"
        ],
        "general-nist-800-82-r3": [
          "AU-04(01)",
          "AU-09(02)"
        ],
        "general-nist-800-82-r3-low": [
          "AU-04(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-04(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-04(01)",
          "AU-09(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-09(02)"
        ],
        "general-nist-800-171-r3": [
          "03.03.08.a"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.3.3"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.U"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-09(02)"
        ],
        "emea-isr-cmo-1-0": [
          "21.14",
          "21.15",
          "21.17"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-1-5",
          "2-11-2"
        ],
        "apac-nzl-ism-3-9": [
          "16.6.13.C.01",
          "16.6.13.C.02",
          "16.6.13.C.03",
          "16.6.13.C.04"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.08.A"
        ]
      }
    },
    {
      "control_id": "MON-08.2",
      "title": "Access by Subset of Privileged Users",
      "family": "MON",
      "description": "Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need.",
      "scf_question": "Does the organization restrict access to the management of event logs to privileged users with a specific business need?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel restrict access to the management of event logs for privileged users to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to restrict access to the management of event logs to privileged users with a specific business need.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "LOG-04"
        ],
        "general-csa-iot-2": [
          "MON-04",
          "MON-05"
        ],
        "general-govramp": [
          "AU-09(04)"
        ],
        "general-govramp-mod": [
          "AU-09(04)"
        ],
        "general-govramp-high": [
          "AU-09(04)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 6.1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 6.1"
        ],
        "general-nist-800-53-r4": [
          "AU-9(4)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-09(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AU-09(04)"
        ],
        "general-nist-800-82-r3": [
          "AU-09(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-09(04)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-09(04)"
        ],
        "general-nist-800-171-r2": [
          "3.3.9"
        ],
        "general-nist-800-171-r3": [
          "03.03.08.a",
          "03.03.08.b"
        ],
        "general-nist-800-171a": [
          "3.3.9[a]",
          "3.3.9[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.08.b"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.3",
          "10.3.1",
          "10.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.3.1",
          "10.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.3.1",
          "10.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.3.1",
          "10.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.3.1",
          "10.3.2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.U"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-9(4)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.9"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-09(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-09(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-9(CE-4)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-9(4)"
        ],
        "emea-deu-c5-2020": [
          "OPS-16"
        ],
        "emea-isr-cmo-1-0": [
          "21.14"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.08.A",
          "03.03.08.B"
        ]
      }
    },
    {
      "control_id": "MON-08.3",
      "title": "Cryptographic Protection of Event Log Information",
      "family": "MON",
      "description": "Cryptographic mechanisms exist to protect the integrity of event logs and audit tools.",
      "scf_question": "Are cryptographic mechanisms utilized to protect the integrity of event logs and audit tools?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational cryptographic capability exists to protect the integrity of event logs and audit tools.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-csa-iot-2": [
          "MON-05"
        ],
        "general-govramp": [
          "AU-09(03)"
        ],
        "general-govramp-high": [
          "AU-09(03)"
        ],
        "general-nist-800-53-r4": [
          "AU-9(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-09(03)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AU-09(03)"
        ],
        "general-nist-800-82-r3": [
          "AU-09(03)"
        ],
        "general-nist-800-82-r3-high": [
          "AU-09(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-09(03)"
        ],
        "general-nist-800-171-r3": [
          "03.03.08.a"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-09(03)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.08.A"
        ]
      }
    },
    {
      "control_id": "MON-08.4",
      "title": "Dual Authorization for Event Log Movement",
      "family": "MON",
      "description": "Automated mechanisms exist to enforce dual authorization for the movement or deletion of event logs.",
      "scf_question": "Does the organization use automated mechanisms to enforce dual authorization for the movement or deletion of event logs?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to automatically enforce dual authorization for the movement or deletion of event logs.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AU-9(5)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-09(05)"
        ],
        "general-nist-800-82-r3": [
          "AU-09(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-09(05)"
        ]
      }
    },
    {
      "control_id": "MON-09",
      "title": "Non-Repudiation",
      "family": "MON",
      "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
      "scf_question": "Does the organization utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "AU-10"
        ],
        "general-govramp-high": [
          "AU-10"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.12",
          "SR 2.12 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.12",
          "CR 2.12(1)"
        ],
        "general-nist-800-53-r4": [
          "AU-10"
        ],
        "general-nist-800-53-r5-2": [
          "AU-10"
        ],
        "general-nist-800-53-r5-2-high": [
          "AU-10"
        ],
        "general-nist-800-82-r3": [
          "AU-10"
        ],
        "general-nist-800-82-r3-high": [
          "AU-10"
        ],
        "general-nist-800-161-r1": [
          "AU-10"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-10"
        ],
        "emea-us-psd2-2015": [
          "26"
        ],
        "emea-isr-cmo-1-0": [
          "21.14"
        ],
        "apac-sgp-mas-trm-2021": [
          "14.2.1",
          "14.2.2",
          "14.2.3",
          "14.2.4",
          "14.2.5",
          "14.2.6",
          "14.2.7",
          "14.2.8",
          "14.2.9",
          "14.2.10",
          "14.2.11"
        ]
      }
    },
    {
      "control_id": "MON-09.1",
      "title": "Identity Binding",
      "family": "MON",
      "description": "Mechanisms exist to bind the identity of the information producer to the information generated.",
      "scf_question": "Does the organization bind the identity of the information producer to the information generated?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that have already occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to bind the identity of the information producer to the information generated.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AU-10(01)",
          "AU-10(02)"
        ],
        "general-nist-800-82-r3": [
          "AU-10(01)",
          "AU-10(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-10(02)"
        ],
        "general-nist-800-161-r1": [
          "AU-10(1)",
          "AU-10(2)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-10(1)",
          "AU-10(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-10(2)"
        ]
      }
    },
    {
      "control_id": "MON-10",
      "title": "Event Log Retention",
      "family": "MON",
      "description": "Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.",
      "scf_question": "Does the organization retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AST-11"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that have already occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)\n∙ Log retention policy (minimum 90 days online, 1 year archived)\n∙ Cloud log storage (e.g., AWS S3, Azure Storage)",
        "small": "∙ Managed Security Services Provider (MSSP)\n∙ Log retention policy (minimum 90 days online, 1 year archived)\n∙ Cloud SIEM with configurable retention",
        "medium": "∙ Security Information and Event Management (SIEM) with defined retention schedules\n∙ Managed Security Services Provider (MSSP)\n∙ Log archiving to cold storage (e.g., AWS S3 Glacier, Azure Archive)",
        "large": "∙ SIEM with tiered log retention (hot/warm/cold storage)\n∙ Log retention policy aligned to regulatory requirements (e.g., HIPAA 6 yrs; PCI DSS 12 months, with the most recent 3 months immediately available for analysis)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Enterprise log retention program aligned to all applicable regulations\n∙ SIEM with tiered retention (hot/warm/cold storage)\n∙ Immutable log archives (e.g., AWS S3 Object Lock, Azure Blob WORM)\n∙ Legal hold capability for investigation support"
      },
      "risks": [
        "R-AM-3",
        "R-EX-6",
        "R-GV-1",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "C1.2"
        ],
        "general-cis-csc-8-1": [
          "8.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "8.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "8.1"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-04"
        ],
        "general-govramp": [
          "AU-11"
        ],
        "general-govramp-core": [
          "AU-11"
        ],
        "general-govramp-low": [
          "AU-11"
        ],
        "general-govramp-low-plus": [
          "AU-11"
        ],
        "general-govramp-mod": [
          "AU-11"
        ],
        "general-govramp-high": [
          "AU-11"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.4"
        ],
        "general-nist-800-53-r4": [
          "AU-11"
        ],
        "general-nist-800-53-r5-2": [
          "AU-11"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AU-11"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-11"
        ],
        "general-nist-800-82-r3": [
          "AU-11"
        ],
        "general-nist-800-82-r3-low": [
          "AU-11"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-11"
        ],
        "general-nist-800-82-r3-high": [
          "AU-11"
        ],
        "general-nist-800-171-r2": [
          "3.3.1"
        ],
        "general-nist-800-171-r3": [
          "03.03.03.b"
        ],
        "general-nist-800-171a": [
          "3.3.1[e]",
          "3.3.1[f]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.03.03.b"
        ],
        "general-owasp-top-10-2025": [
          "A09:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.5",
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.5.1"
        ],
        "general-scf-dpmp-2025": [
          "11.6"
        ],
        "general-shared-assessments-sig-2025": [
          "D.3"
        ],
        "general-swift-cscf-2025": [
          "6.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.U"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-11"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-11"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-11"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-11"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-11"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-11"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-11",
          "AU-11-IS.1",
          "AU-11-IS.2"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.9",
          "CIP-006-6 2.3",
          "CIP-007-6 4.3"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.3.b"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.6(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-11"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-11"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-11"
        ],
        "emea-eu-ai-act-2024": [
          "Article 19.1",
          "Article 19.2"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.2.3",
          "3.2.5"
        ],
        "emea-deu-c5-2020": [
          "OPS-14"
        ],
        "emea-isr-cmo-1-0": [
          "21.4",
          "21.15",
          "21.17"
        ],
        "emea-sau-cscc-1-2019": [
          "2-11-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-11-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-12-3-5",
          "2-14-3-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-75"
        ],
        "emea-gbr-caf-4-0": [
          "C1.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3103",
          "3107"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3107"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3103",
          "3107"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3103",
          "3107"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0859",
          "ISM-0991",
          "ISM-1213"
        ],
        "apac-chn-pipl-2021": [
          "19"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S9"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS18"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.03.B"
        ]
      }
    },
    {
      "control_id": "MON-11",
      "title": "Monitoring For Information Disclosure",
      "family": "MON",
      "description": "Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.",
      "scf_question": "Does the organization monitor for evidence of unauthorized exfiltration or disclosure of non-public information?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Content filtering\n∙ Keyword alerting (e.g., Google Alerts)\n∙ Review of social media outlets\n∙ HaveIBeenPwned monitoring (https://haveibeenpwned.com)",
        "small": "∙ Content filtering\n∙ Keyword alerting (e.g., Google Alerts)\n∙ Review of social media outlets\n∙ HaveIBeenPwned monitoring (https://haveibeenpwned.com)\n∙ Dark web monitoring (e.g., SpyCloud, HaveIBeenPwned Pro)",
        "medium": "∙ Content filtering\n∙ Keyword alerting (e.g., Google Alerts)\n∙ Dark web monitoring (e.g., SpyCloud, Recorded Future, Digital Shadows)\n∙ Data Loss Prevention (DLP) solution",
        "large": "∙ Data Loss Prevention (DLP) solution (e.g., Microsoft Purview DLP, Forcepoint DLP)\n∙ Dark web monitoring platform (e.g., Recorded Future, Digital Shadows, SpyCloud)\n∙ Brand and digital footprint monitoring",
        "enterprise": "∙ Enterprise DLP solution (e.g., Symantec DLP, Forcepoint DLP, Microsoft Purview DLP)\n∙ Dedicated threat intelligence platform with dark web monitoring\n∙ Digital risk protection (DRP) service (e.g., ZeroFox, Recorded Future)\n∙ Automated exfiltration detection via SIEM/UEBA"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-iso-27002-2022": [
          "5.7"
        ],
        "general-iso-27018-2025": [
          "5.7"
        ],
        "general-nist-800-53-r4": [
          "AU-13"
        ],
        "general-nist-800-53-r5-2": [
          "AU-13"
        ],
        "general-nist-800-82-r3": [
          "AU-13"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AU-13"
        ],
        "general-nist-800-161-r1": [
          "AU-13"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AU-13"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-13"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-13"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.b"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP63",
          "HML69"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP55"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.B"
        ]
      }
    },
    {
      "control_id": "MON-11.1",
      "title": "Analyze Traffic for Covert Exfiltration",
      "family": "MON",
      "description": "Automated mechanisms exist to analyze network traffic to detect covert data exfiltration.",
      "scf_question": "Does the organization use automated mechanisms to analyze network traffic to detect covert data exfiltration?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to automatically analyze network traffic to detect covert data exfiltration.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Content filtering",
        "small": "∙ Content filtering",
        "medium": "∙ Content filtering",
        "large": "∙ Content filtering",
        "enterprise": "∙ Content filtering"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "SI-04(18)"
        ],
        "general-govramp-high": [
          "SI-04(18)"
        ],
        "general-nist-800-53-r4": [
          "SI-4(18)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(18)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-04(18)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(18)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(18)"
        ],
        "general-pci-dss-4-0-1": [
          "11.5.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.5.1.1"
        ],
        "general-sparta": [
          "CM0073"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-04(18)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-04(18)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(18)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-04(18)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-18)"
        ]
      }
    },
    {
      "control_id": "MON-11.2",
      "title": "Unauthorized Network Services",
      "family": "MON",
      "description": "Automated mechanisms exist to detect unauthorized network services and alert incident response personnel.",
      "scf_question": "Does the organization use automated mechanisms to detect unauthorized network services and alert incident response personnel?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to automatically detect unauthorized network services and alert incident response personnel.",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)\n∙ Extended Detection and Response (XDR)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)\n∙ Extended Detection and Response (XDR)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)\n∙ Extended Detection and Response (XDR)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-4",
        "R-GV-1",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-govramp": [
          "SI-04(22)"
        ],
        "general-govramp-high": [
          "SI-04(22)"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.2(b)"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.13"
        ],
        "general-nist-800-53-r4": [
          "SI-4(22)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(22)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-04(22)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(22)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-04(22)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(22)"
        ]
      }
    },
    {
      "control_id": "MON-11.3",
      "title": "Monitoring for Indicators of Compromise (IOC)",
      "family": "MON",
      "description": "Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC).",
      "scf_question": "Does the organization use automated mechanisms to identify and alert on Indicators of Compromise (IoC)?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-IRO-02",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to automatically identify and alert on Indicators of Compromise (IoC).",
        "4": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Continuous Monitoring (MON) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)\n∙ Extended Detection and Response (XDR)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)\n∙ Extended Detection and Response (XDR)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)\n∙ Extended Detection and Response (XDR)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "LOG-14"
        ],
        "general-csa-iot-2": [
          "IAM-08",
          "MON-01",
          "MON-09",
          "MON-11"
        ],
        "general-govramp": [
          "SI-04(24)"
        ],
        "general-govramp-high": [
          "SI-04(24)"
        ],
        "general-iso-27002-2022": [
          "5.7"
        ],
        "general-iso-27018-2025": [
          "5.7"
        ],
        "general-nist-800-53-r4": [
          "SI-4(24)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(24)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-04(24)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(24)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(24)"
        ],
        "general-nist-800-171-r2": [
          "3.14.7"
        ],
        "general-nist-800-171-r3": [
          "03.14.06.a.01",
          "03.14.06.a.02",
          "03.14.06.b",
          "03.14.06.c"
        ],
        "general-nist-800-172": [
          "3.11.2e"
        ],
        "general-nist-csf-2-0": [
          "DE.CM"
        ],
        "general-un-155-2021": [
          "7.2.2.2(h)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(h)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.DTDIS"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-2d",
          "SITUATION-2h",
          "SITUATION-2i"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.7"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.2E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-04(24)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-04(24)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(24)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-04(24)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-24)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(8)(A)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.5(38)",
          "3.4.5(38)(a)",
          "3.4.5(38)(b)",
          "3.4.5(38)(c)"
        ],
        "emea-deu-bsrit-2017": [
          "5.4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0120",
          "ISM-1091"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.3.5"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.06.A.01",
          "03.14.06.A.02",
          "03.14.06.B",
          "03.14.06.C"
        ]
      }
    },
    {
      "control_id": "MON-12",
      "title": "Session Audit",
      "family": "MON",
      "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
      "scf_question": "Does the organization provide session audit capabilities that can: \n (1) Capture and log all content related to a user session; and\n (2) Remotely view all content related to an established user session in real time?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ManageEngine PAM360 (https://manageengine.com)\n∙ Basic privileged session recording (e.g., built-in OS logging)",
        "small": "∙ ManageEngine PAM360 (https://manageengine.com)\n∙ Privileged Access Workstation (PAW) or jump server logging",
        "medium": "∙ ManageEngine PAM360 (https://manageengine.com)\n∙ Ekran User Activity Monitoring (UAM) (https://ekransystem.com)\n∙ Privileged Access Management (PAM) solution with session recording",
        "large": "∙ ManageEngine PAM360 (https://manageengine.com)\n∙ Ekran User Activity Monitoring (UAM) (https://ekransystem.com)\n∙ CyberArk Privileged Session Manager or BeyondTrust Session Management",
        "enterprise": "∙ Enterprise PAM with session audit (e.g., CyberArk, BeyondTrust, Delinea)\n∙ ManageEngine PAM360 (https://manageengine.com)\n∙ Ekran User Activity Monitoring (UAM) (https://ekransystem.com)\n∙ AI-powered anomalous behavior detection in privileged sessions"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AU-14"
        ],
        "general-nist-800-53-r5-2": [
          "AU-14"
        ],
        "general-nist-800-82-r3": [
          "AU-14"
        ],
        "general-nist-800-161-r1": [
          "AU-14"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AU-14"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-14"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-14"
        ],
        "emea-isr-cmo-1-0": [
          "21.10",
          "21.18"
        ]
      }
    },
    {
      "control_id": "MON-13",
      "title": "Alternate Event Logging Capability",
      "family": "MON",
      "description": "Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.",
      "scf_question": "Does the organization provide an alternate event logging capability in the event of a failure in primary audit capability?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to provide an alternate event logging capability in the event of a failure in primary audit capability.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AU-15"
        ],
        "general-nist-800-53-r5-2": [
          "AU-05(05)"
        ],
        "general-nist-800-82-r3": [
          "AU-05(05)"
        ],
        "emea-isr-cmo-1-0": [
          "21.15"
        ]
      }
    },
    {
      "control_id": "MON-14",
      "title": "Cross-Organizational Monitoring",
      "family": "MON",
      "description": "Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data.",
      "scf_question": "Does the organization coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AU-16",
          "AU-16(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-16",
          "AU-16(01)"
        ],
        "general-nist-800-82-r3": [
          "AU-16",
          "AU-16(01)"
        ],
        "general-nist-800-161-r1": [
          "AU-16"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-16"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-16"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-16",
          "AU-16(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-16"
        ]
      }
    },
    {
      "control_id": "MON-14.1",
      "title": "Sharing of Event Logs",
      "family": "MON",
      "description": "Mechanisms exist to share event logs with third-party organizations based on specific cross-organizational sharing agreements.",
      "scf_question": "Does the organization share event logs with third-party organizations based on specific cross-organizational sharing agreements?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to share event logs with third-party organizations based on specific cross-organizational sharing agreements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Vocabulary for Event Recording and Incident Sharing (VERIS) (https://verisframework.org)",
        "small": "∙ Vocabulary for Event Recording and Incident Sharing (VERIS) (https://verisframework.org)",
        "medium": "∙ Vocabulary for Event Recording and Incident Sharing (VERIS) (https://verisframework.org)",
        "large": "∙ Vocabulary for Event Recording and Incident Sharing (VERIS) (https://verisframework.org)",
        "enterprise": "∙ Vocabulary for Event Recording and Incident Sharing (VERIS) (https://verisframework.org)"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AU-16(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-16(02)"
        ],
        "general-nist-800-82-r3": [
          "AU-16(02)"
        ],
        "general-nist-800-161-r1": [
          "AU-16(2)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AU-16(2)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-16(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-16(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-16(CE-2)"
        ]
      }
    },
    {
      "control_id": "MON-15",
      "title": "Covert Channel Analysis",
      "family": "MON",
      "description": "Mechanisms exist to conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels.",
      "scf_question": "Does the organization conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1041",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1071.005",
          "T1567"
        ],
        "general-nist-800-53-r4": [
          "SC-31"
        ],
        "general-nist-800-53-r5-2": [
          "SC-31"
        ],
        "general-nist-800-82-r3": [
          "SC-31"
        ],
        "general-pci-dss-4-0-1": [
          "11.5.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.5.1.1"
        ],
        "emea-isr-cmo-1-0": [
          "21.10"
        ]
      }
    },
    {
      "control_id": "MON-16",
      "title": "Anomalous Behavior",
      "family": "MON",
      "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
      "scf_question": "Does the organization utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-IRO-02",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2",
          "CC7.2-POF2",
          "CC7.2-POF3"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-14"
        ],
        "general-csa-iot-2": [
          "IAM-08",
          "MON-01",
          "MON-10",
          "SAP-06"
        ],
        "general-govramp": [
          "AC-02(12)",
          "SI-04(11)"
        ],
        "general-govramp-mod": [
          "AC-02(12)"
        ],
        "general-govramp-high": [
          "AC-02(12)",
          "SI-04(11)"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.2(d)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-1.1-002"
        ],
        "general-nist-800-53-r4": [
          "AC-2(12)",
          "SI-4(11)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(12)",
          "IR-04(13)",
          "SI-04(11)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(13)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AC-02(12)"
        ],
        "general-nist-800-66-r2": [
          "164.312(b)",
          "164.312(c)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(12)",
          "IR-04(13)",
          "SI-04(11)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02(12)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-02(12)",
          "IR-04(13)",
          "SI-04(11)"
        ],
        "general-nist-800-171-r2": [
          "3.14.7"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.e",
          "03.03.05.a",
          "03.14.06.a.01",
          "03.14.06.a.02",
          "03.14.06.b",
          "03.14.06.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.14.06.b"
        ],
        "general-nist-800-172": [
          "3.14.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-nist-csf-2-0": [
          "DE.CM",
          "DE.CM-03"
        ],
        "general-pci-dss-4-0-1": [
          "3.1",
          "A3.2.6.1"
        ],
        "general-swift-cscf-2025": [
          "2.9"
        ],
        "general-un-155-2021": [
          "7.2.2.2(g)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(g)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.BBASE",
          "3.UNI.DTDIS"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.G"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-2i",
          "SITUATION-2d",
          "SITUATION-2h",
          "SITUATION-2i"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.7"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.6.1",
          "1.6.2",
          "1.6.3",
          "2.3.1",
          "2.3.2",
          "7.2.5",
          "7.3.2",
          "7.4",
          "7.4.1",
          "7.4.2",
          "7.4.3",
          "7.4.4"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "1.2",
          "6.7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(13)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(12)",
          "IR-04(13)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(12)",
          "IR-04(13)",
          "SI-04(11)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(13)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(b)",
          "164.312(c)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(b)",
          "164.312(c)(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2(CE-12)",
          "AC-2(CE-12).a",
          "AC-2(CE-12).b",
          "SI-4(CE-11)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.2.b"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.14(a)(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-02 (12)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.5(38)",
          "3.4.5(38)(a)",
          "3.4.5(38)(b)",
          "3.4.5(38)(c)"
        ],
        "emea-eu-dora-2023": [
          "Article 10.1"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.1.2(d)"
        ],
        "emea-deu-bsrit-2017": [
          "5.5"
        ],
        "emea-isr-cmo-1-0": [
          "4.7",
          "21.10",
          "21.20"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-12"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-80"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 10.1"
        ],
        "emea-esp-decree-311-2022": [
          "10.1"
        ],
        "emea-gbr-caf-4-0": [
          "C1.f"
        ],
        "emea-gbr-cap-1850-2020": [
          "C1",
          "C2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3200",
          "3202",
          "3203"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3200",
          "3203"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3200",
          "3202",
          "3203"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3200",
          "3202",
          "3203"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1660"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS19"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.2.2",
          "11.5.5",
          "12.2.4"
        ],
        "americas-can-osfi-b13-2022": [
          "3.3.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.E",
          "03.03.05.A",
          "03.14.06.A.01",
          "03.14.06.A.02",
          "03.14.06.B",
          "03.14.06.C"
        ]
      }
    },
    {
      "control_id": "MON-16.1",
      "title": "Insider Threats",
      "family": "MON",
      "description": "Mechanisms exist to monitor internal personnel activity for potential security incidents.",
      "scf_question": "Does the organization monitor internal personnel activity for potential security incidents?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-02",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to monitor internal personnel activity for potential security incidents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-csf-2-0": [
          "DE.CM-03"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.6.1"
        ],
        "general-shared-assessments-sig-2025": [
          "J.5"
        ],
        "general-sparta": [
          "CM0052"
        ],
        "emea-isr-cmo-1-0": [
          "21.10"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1625"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.5.2"
        ]
      }
    },
    {
      "control_id": "MON-16.2",
      "title": "Third-Party Threats",
      "family": "MON",
      "description": "Mechanisms exist to monitor third-party personnel activity for potential security incidents.",
      "scf_question": "Does the organization monitor third-party personnel activity for potential security incidents?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-02",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.\n▪ Generating event logs and the review of those event logs is narrowly-focused to business-critical Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensics analysis.\n▪ An implemented and operational capability exists to monitor third-party personnel activity for potential security incidents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)",
        "small": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)",
        "medium": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)",
        "large": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)",
        "enterprise": "∙ Insider Threat program\n∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR3.1.1"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-06"
        ],
        "general-shared-assessments-sig-2025": [
          "J.5"
        ],
        "emea-isr-cmo-1-0": [
          "21.10"
        ]
      }
    },
    {
      "control_id": "MON-16.3",
      "title": "Unauthorized Activities",
      "family": "MON",
      "description": "Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software.",
      "scf_question": "Does the organization monitor for unauthorized activities, accounts, connections, devices and software?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-02",
        "E-MON-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to monitor for unauthorized activities, accounts, connections, devices and software.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "large": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)",
        "enterprise": "∙ Indicators of Compromise (IoC)\n∙ Indicators of Exposure (IoE)\n∙ Security Incident Event Manager (SIEM)\n∙ Extended Detection and Response (XDR)\n∙ Managed Security Services Provider (MSSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.3"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-03"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.6.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.4"
        ],
        "emea-isr-cmo-1-0": [
          "21.10"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-11",
          "2-3-1-12"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "4106"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "4106"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "4106"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "4106"
        ]
      }
    },
    {
      "control_id": "MON-16.4",
      "title": "Account Creation and Modification Logging",
      "family": "MON",
      "description": "Automated mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups.",
      "scf_question": "Does the organization use automated mechanisms to generate event logs for permissions changes to privileged accounts and/or groups?",
      "relative_weight": 7,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-AST-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to automatically generate event logs for permissions changes to privileged accounts and/or groups.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-nist-csf-2-0": [
          "DE.CM-06"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.2.3(b)",
          "11.2.2(f)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1650"
        ]
      }
    },
    {
      "control_id": "MON-17",
      "title": "Event Log Analysis & Triage",
      "family": "MON",
      "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
      "scf_question": "Does the organization ensure event log reviews include analysis and triage practices that integrate with its established incident response processes?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Incident Event Manager (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "EVENT 1.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 4.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.4.2(c)",
          "3.4.2(d)"
        ],
        "emea-gbr-caf-4-0": [
          "C1.d"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3109"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3109"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3109"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3109"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P3",
          "ML2-P4",
          "ML2-P5",
          "ML2-P7",
          "ML3-P3",
          "ML3-P4",
          "ML3-P5",
          "ML3-P7"
        ],
        "apac-ind-sebi-2024": [
          "DE.CM.S3"
        ]
      }
    },
    {
      "control_id": "MON-17.1",
      "title": "Event Log Review Escalation Matrix",
      "family": "MON",
      "description": "Mechanisms exist to make event log review processes more efficient and effective by developing and maintaining an incident response escalation matrix.",
      "scf_question": "Does the organization make event log review processes more efficient and effective by developing and maintaining an incident response escalation matrix?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to make event log review processes more efficient and effective by developing and maintaining an incident response escalation matrix.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "emea-gbr-def-stan-05-138-2024": [
          "3101",
          "3102"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3101"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3101"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3102"
        ]
      }
    },
    {
      "control_id": "MON-18",
      "title": "File Activity Monitoring (FAM)",
      "family": "MON",
      "description": "Automated mechanisms exist to monitor sensitive/regulated data in Technology Assets, Applications and/or Services (TAAS) and data repositories.",
      "scf_question": "Does the organization use automated tools to monitor sensitive/regulated data in Technology Assets, Applications and/or Services (TAAS) and data repositories?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Continuous Monitoring (MON) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MON domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Event monitoring-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Monitoring is primarily reactive in nature, focused on identifying incidents that occurred.\n▪ Event log reviews primarily rely on manual processes to identify anomalous behaviors.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to automatically monitor sensitive/regulated data in Technology Assets, Applications and/or Services (TAAS) and data repositories.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.4.3",
          "4.4.4",
          "4.4.5"
        ]
      }
    },
    {
      "control_id": "MON-19",
      "title": "Write Once Read Many (WORM) Event Log Generation",
      "family": "MON",
      "description": "Mechanisms exist to produce event logs on hardware-enforced, write-once media (e.g., Write Once Read Many (WORM) technologies).",
      "scf_question": "Does the organization produce event logs on hardware-enforced, write-once media (e.g., Write Once Read Many (WORM) technologies)?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Continuous Monitoring (MON) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MON domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Continuous monitoring-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Continuous monitoring may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Continuous Monitoring (MON) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MON domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel use a structured process via Standardized Operating Procedures (SOP) to review and analyze logs.\n▪ A Security Operations Center (SOC) team, or similar function, is appropriately staffed and supported to implement and maintain MON domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of continuous monitoring operations (e.g., Security Information and Event Management (SIEM), etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MON domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce security event logging to contain sufficient information to establish necessary details of activity and allow for forensic analysis.\n▪ An implemented and operational capability exists to produce event logs on hardware-enforced, write-once media (e.g., Write Once Read Many (WORM) technologies).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review system logs periodically",
        "small": "∙ Log monitoring policy\n∙ Regular review of key system logs",
        "medium": "∙ SIEM (e.g., Wazuh)\n∙ Automated log collection and alerting",
        "large": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar)\n∙ Continuous monitoring program\n∙ SOC monitoring",
        "enterprise": "∙ Enterprise SIEM/SOAR platform\n∙ 24/7 SOC monitoring\n∙ Threat hunting\n∙ Automated incident response"
      },
      "risks": [
        "R-AC-1",
        "R-BC-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-4",
        "R-GV-6",
        "R-IR-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-8",
        "MT-9"
      ],
      "errata": "- new control (IEC 62443-4-2)",
      "family_name": "Continuous Monitoring",
      "crosswalks": {
        "general-iec-62443-3-3-2013": [
          "SR 3.9 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.9(1)"
        ]
      }
    },
    {
      "control_id": "CRY-01",
      "title": "Use of Cryptographic Controls",
      "family": "CRY",
      "description": "Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.",
      "scf_question": "Does the organization facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CRY-01"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel provide an encryption solution (software or hardware) for the storage of sensitive/regulated data.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.\n▪ External compliance requirements for cryptography are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel perform an annual review of deployed cryptographic cipher suites and protocols to identify and replace weak and/or deprecated cryptographic cipher suites and protocols.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to implement cryptographic mechanisms that are applicable to statutory, regulatory and/or contractual compliance obligations.\n▪ Sensitive/regulated data is encrypted at rest using cryptographic protections that are commensurate with the sensitivity of the data.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.",
        "4": "Cryptographic Protections (CRY) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Secure Baseline Configurations (SBC)",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Secure Baseline Configurations (SBC)",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF9"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.1-POF11",
          "CC6.6-POF2",
          "CC6.7-POF2",
          "CC6.7-POF3"
        ],
        "general-cis-csc-8-1": [
          "3.6",
          "3.9",
          "3.1",
          "3.11"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.6",
          "3.9",
          "3.1",
          "3.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.6",
          "3.9",
          "3.1",
          "3.11"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-01",
          "CEK-02",
          "CEK-03",
          "CEK-04",
          "DSP-10",
          "LOG-11"
        ],
        "general-csa-iot-2": [
          "CLS-01",
          "COM-07",
          "COM-08",
          "COM-09",
          "IOT-10",
          "SAP-07"
        ],
        "general-govramp": [
          "SC-08(01)",
          "SC-13"
        ],
        "general-govramp-core": [
          "SC-13"
        ],
        "general-govramp-low": [
          "SC-13"
        ],
        "general-govramp-low-plus": [
          "SC-13"
        ],
        "general-govramp-mod": [
          "SC-08(01)",
          "SC-13"
        ],
        "general-govramp-high": [
          "SC-08(01)",
          "SC-13"
        ],
        "general-iec-62443-2-1-2024": [
          "DATA 1.5"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 4.1",
          "SR 4.1 RE 1",
          "SR 4.3"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 4.3"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.4"
        ],
        "general-iso-27002-2022": [
          "8.24",
          "8.26"
        ],
        "general-iso-27017-2015": [
          "10.1.1",
          "14.1.2"
        ],
        "general-iso-27018-2025": [
          "8.24",
          "8.26"
        ],
        "general-mitre-att&ck-16-1": [
          "T1005",
          "T1025",
          "T1041",
          "T1048.003",
          "T1557.004"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-3.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(d)"
        ],
        "general-nist-800-53-r4": [
          "SC-8(1)",
          "SC-8(2)",
          "SC-13",
          "SC-13(1)",
          "SI-7(6)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-08(01)",
          "SC-08(02)",
          "SC-13",
          "SI-07(06)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-08(01)",
          "SC-08(02)",
          "SC-13"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-13"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-08(01)"
        ],
        "general-nist-800-66-r2": [
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "SC-08(01)",
          "SC-08(02)",
          "SC-13",
          "SI-07(06)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-13"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-08(01)",
          "SC-13"
        ],
        "general-nist-800-82-r3-high": [
          "SC-08(01)",
          "SC-13"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-08(01)",
          "SI-07(06)"
        ],
        "general-nist-800-171-r2": [
          "3.13.11"
        ],
        "general-nist-800-171-r3": [
          "03.13.08",
          "03.13.11"
        ],
        "general-nist-800-171a": [
          "3.13.8[a]",
          "3.13.11"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.08[01]",
          "A.03.13.08[02]",
          "A.03.13.11.ODP[01]",
          "A.03.13.11"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-01",
          "PR.DS-02",
          "PR.DS-10"
        ],
        "general-owasp-top-10-2025": [
          "A02:2025",
          "A04:2025"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.7",
          "3.3.2",
          "8.3.2",
          "12.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.7",
          "8.3.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.7",
          "8.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.7",
          "3.3.2",
          "8.3.2",
          "12.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.7",
          "3.3.2",
          "8.3.2",
          "12.3.3"
        ],
        "general-scf-dpmp-2025": [
          "7.2"
        ],
        "general-sparta": [
          "CM0050"
        ],
        "general-swift-cscf-2025": [
          "2.6",
          "5.2"
        ],
        "general-tisax-6-0-3": [
          "5.1.1"
        ],
        "general-ul-2900-2-2-2016": [
          "10.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.e"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.K"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-8(1)",
          "SC-13"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-5d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.11"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.5"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.1"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(E)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(c)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-08(01)",
          "SC-08(02)",
          "SC-13"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-08(01)",
          "SC-08(02)",
          "SC-13"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-08(01)",
          "SC-08(02)",
          "SC-13"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-08(01)",
          "SC-08(02)",
          "SC-13"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(3)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(a)(2)(iv)",
          "164.312(e)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(a)(2)(iv)",
          "164.312(e)(2)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.E.2",
          "2.E.3",
          "2.E.3-1",
          "2.E.3-2",
          "2.E.3-3",
          "2.E.3-4",
          "2.E.3-5",
          "SC-8(CE-1)",
          "SC-13"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-8(1)",
          "SC-8(2)",
          "SC-13"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.10"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "12-2.d",
          "12-2.e(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(2)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(3)",
          "17.04(5)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.11(b)(2)",
          "500.15(a)",
          "500.15(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-13",
          "SC-13-SID"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-08 (01)",
          "SC-13"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(36)(f)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 32.1(a)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(h)"
        ],
        "emea-eu-nis2-annex-2024": [
          "9.1",
          "9.2(a)",
          "9.2(b)"
        ],
        "emea-us-psd2-2015": [
          "20",
          "30"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-c5-2020": [
          "CRY-01"
        ],
        "emea-isr-cmo-1-0": [
          "8.1",
          "8.8",
          "15.7",
          "21.16"
        ],
        "emea-sau-cscc-1-2019": [
          "2-7",
          "2-7-1-3"
        ],
        "emea-sau-ecc-1-2018": [
          "2-8-1",
          "2-8-2",
          "2-8-3",
          "2-8-3-1",
          "2-8-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-4",
          "2-7",
          "2-7-1",
          "2-7-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-52",
          "TPC-54"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.9"
        ],
        "emea-zaf-popia-2013": [
          "14.1",
          "19.1",
          "19.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.4.2 [MP.COM.2]",
          "8.4.3 [MP.COM.3]",
          "8.5.2 [MP.SI.2]",
          "8.7.3 [MP.INFO.3]",
          "8.7.4 [MP.INFO.4]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2304",
          "2317",
          "2318"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2304",
          "2317",
          "2318"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2304",
          "2317",
          "2318"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2304",
          "2317",
          "2318"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0142",
          "ISM-0457",
          "ISM-0460",
          "ISM-0471",
          "ISM-0472",
          "ISM-0474",
          "ISM-0475",
          "ISM-0476",
          "ISM-0477",
          "ISM-0479",
          "ISM-0481",
          "ISM-0499",
          "ISM-0501",
          "ISM-0994",
          "ISM-0999",
          "ISM-1080",
          "ISM-1091",
          "ISM-1146",
          "ISM-1446",
          "ISM-1629",
          "ISM-1759",
          "ISM-1761",
          "ISM-1762",
          "ISM-1763",
          "ISM-1764",
          "ISM-1765",
          "ISM-1766",
          "ISM-1767",
          "ISM-1768",
          "ISM-1769",
          "ISM-1770",
          "ISM-1771",
          "ISM-1772"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S1"
        ],
        "apac-jpn-ismap": [
          "5.1.1.17",
          "10",
          "10.1",
          "10.1.1",
          "10.1.1.1",
          "10.1.1.2",
          "10.1.1.3",
          "10.1.1.4",
          "10.1.1.5",
          "10.1.1.6",
          "10.1.1.7",
          "10.1.1.8",
          "10.1.1.9.PB",
          "10.1.1.10.P",
          "13.2.1.6",
          "14.1.3",
          "14.1.3.1",
          "14.1.3.2",
          "14.1.3.3",
          "14.1.3.4",
          "14.1.3.5",
          "14.1.3.6"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP37",
          "HML37"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP32"
        ],
        "apac-nzl-ism-3-9": [
          "8.4.13.C.01",
          "17.1.52.C.01",
          "17.1.52.C.02",
          "17.1.53.C.01",
          "17.1.53.C.02",
          "17.1.53.C.03",
          "17.1.53.C.04",
          "17.1.54.C.01",
          "17.1.55.C.01",
          "17.1.55.C.02",
          "17.1.55.C.03",
          "17.1.55.C.04",
          "17.1.56.C.01",
          "17.1.56.C.02",
          "17.1.57.C.01",
          "17.2.17.C.01",
          "17.2.18.C.01",
          "17.2.19.C.01",
          "17.2.20.C.01",
          "17.2.20.C.02",
          "17.2.21.C.01",
          "17.2.22.C.01",
          "17.2.22.C.02",
          "17.2.23.C.01",
          "17.2.24.C.01",
          "17.2.24.C.02",
          "17.2.24.C.03",
          "17.2.25.C.01",
          "17.2.26.C.01",
          "17.2.26.C.02",
          "17.2.26.C.03",
          "17.2.27.C.01",
          "17.2.27.C.02",
          "17.2.27.C.03",
          "17.2.28.C.01",
          "17.3.6.C.01",
          "17.4.16.C.01",
          "17.4.16.C.02",
          "17.5.6.C.01",
          "17.6.6.C.01",
          "17.6.7.C.01",
          "17.7.6.C.01",
          "17.8.10.C.01",
          "17.8.10.C.02",
          "17.8.11.C.01",
          "17.8.12.C.01",
          "17.8.13.C.01",
          "17.8.14.C.01",
          "17.8.15.C.01",
          "17.8.16.C.01",
          "17.8.17.C.01",
          "17.9.24.C.01",
          "17.9.24.C.02",
          "17.9.24.C.03",
          "17.9.25.C.01",
          "17.9.26.C.01",
          "17.9.26.C.02",
          "17.9.27.C.01",
          "17.9.27.C.02",
          "17.9.27.C.03",
          "17.9.28.C.01",
          "17.9.29.C.01",
          "17.9.30.C.01",
          "17.9.30.C.02",
          "17.9.31.C.01",
          "17.9.32.C.01",
          "17.9.32.C.02",
          "17.9.32.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "10.1.1",
          "10.1.2",
          "10.1.3",
          "10.1.4",
          "10.1.5"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.22"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.08",
          "03.13.11"
        ]
      }
    },
    {
      "control_id": "CRY-01.1",
      "title": "Alternate Physical Protection",
      "family": "CRY",
      "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
      "scf_question": "Are cryptographic mechanisms utilized to prevent unauthorized disclosure of information as an alternative to physical safeguards?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-18"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7-POF3"
        ],
        "general-govramp": [
          "SC-08(01)"
        ],
        "general-govramp-mod": [
          "SC-08(01)"
        ],
        "general-govramp-high": [
          "SC-08(01)"
        ],
        "general-nist-800-53-r4": [
          "SC-8(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-08(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-08(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-08(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-08(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-08(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-08(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-08(01)"
        ],
        "general-nist-800-171-r2": [
          "3.8.6",
          "3.13.8"
        ],
        "general-nist-800-171-r3": [
          "03.13.08"
        ],
        "general-nist-800-171a": [
          "3.13.8[b]",
          "3.13.8[c]"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-01"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-8(1)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.6",
          "SCL2.-3.13.8"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-08(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-8(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-8(1)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.15(b)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-08 (01)"
        ],
        "emea-isr-cmo-1-0": [
          "15.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.08"
        ]
      }
    },
    {
      "control_id": "CRY-01.2",
      "title": "Export-Controlled Cryptography",
      "family": "CRY",
      "description": "Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.",
      "scf_question": "Does the organization address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program",
        "large": "∙ IT Asset Management (ITAM) program",
        "enterprise": "∙ IT Asset Management (ITAM) program"
      },
      "risks": [
        "R-AM-3",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-govramp": [
          "SC-13"
        ],
        "general-govramp-core": [
          "SC-13"
        ],
        "general-govramp-low": [
          "SC-13"
        ],
        "general-govramp-low-plus": [
          "SC-13"
        ],
        "general-govramp-mod": [
          "SC-13"
        ],
        "general-govramp-high": [
          "SC-13"
        ],
        "general-iso-27002-2022": [
          "5.31"
        ],
        "general-iso-27017-2015": [
          "18.1.5"
        ],
        "general-iso-27018-2025": [
          "5.31"
        ],
        "general-nist-800-53-r4": [
          "SC-13"
        ],
        "general-nist-800-53-r5-2": [
          "SC-13"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-13"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-13"
        ],
        "general-nist-800-82-r3": [
          "SC-13"
        ],
        "general-nist-800-82-r3-low": [
          "SC-13"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-13"
        ],
        "general-nist-800-82-r3-high": [
          "SC-13"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-13"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-13"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-13"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-13"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-13"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-13"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-13"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-13"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-13"
        ],
        "apac-jpn-ismap": [
          "18.1.5",
          "18.1.5.1",
          "18.1.5.2",
          "18.1.5.3",
          "18.1.5.4",
          "18.1.5.5",
          "18.1.5.6"
        ]
      }
    },
    {
      "control_id": "CRY-01.3",
      "title": "Pre/Post Transmission Handling",
      "family": "CRY",
      "description": "Cryptographic mechanisms exist to ensure the confidentiality and integrity of information during preparation for transmission and during reception.",
      "scf_question": "Are cryptographic mechanisms utilized to ensure the confidentiality and integrity of information during preparation for transmission and during reception?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to ensure the confidentiality and integrity of information during preparation for transmission and during reception.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable encryption for sensitive files (e.g., VeraCrypt, BitLocker)",
        "small": "∙ Full disk encryption\n∙ TLS for data in transit",
        "medium": "∙ Enterprise encryption standards policy\n∙ PKI management",
        "large": "∙ Enterprise PKI\n∙ HSM for key management\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise HSM (e.g., Thales, AWS CloudHSM)\n∙ Enterprise PKI\n∙ Automated certificate management (e.g., Venafi)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-8(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-08(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-08(02)"
        ],
        "general-nist-800-82-r3": [
          "SC-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-08(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-8(2)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0548",
          "ISM-0554"
        ]
      }
    },
    {
      "control_id": "CRY-01.4",
      "title": "Conceal / Randomize Communications",
      "family": "CRY",
      "description": "Cryptographic mechanisms exist to conceal or randomize communication patterns.",
      "scf_question": "Are cryptographic mechanisms utilized to conceal or randomize communication patterns?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to conceal or randomize communication patterns.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable encryption for sensitive files (e.g., VeraCrypt, BitLocker)",
        "small": "∙ Full disk encryption\n∙ TLS for data in transit",
        "medium": "∙ Enterprise encryption standards policy\n∙ PKI management",
        "large": "∙ Enterprise PKI\n∙ HSM for key management\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise HSM (e.g., Thales, AWS CloudHSM)\n∙ Enterprise PKI\n∙ Automated certificate management (e.g., Venafi)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-8(4)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-08(04)"
        ],
        "general-nist-800-82-r3": [
          "SC-08(04)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-08(04)"
        ]
      }
    },
    {
      "control_id": "CRY-01.5",
      "title": "Cryptographic Cipher Suites and Protocols Inventory",
      "family": "CRY",
      "description": "Mechanisms exist to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.",
      "scf_question": "Does the organization identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable encryption for sensitive files (e.g., VeraCrypt, BitLocker)",
        "small": "∙ Full disk encryption\n∙ TLS for data in transit",
        "medium": "∙ Enterprise encryption standards policy\n∙ PKI management",
        "large": "∙ Enterprise PKI\n∙ HSM for key management\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise HSM (e.g., Thales, AWS CloudHSM)\n∙ Enterprise PKI\n∙ Automated certificate management (e.g., Venafi)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-GV-1"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.13.11"
        ],
        "general-pci-dss-4-0-1": [
          "12.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.3.3"
        ],
        "emea-sau-cscc-1-2019": [
          "2-7-1-3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.11"
        ]
      }
    },
    {
      "control_id": "CRY-02",
      "title": "Automated Authentication Through Cryptographic Modules",
      "family": "CRY",
      "description": "Automated mechanisms exist to enable systems to authenticate to a cryptographic module.",
      "scf_question": "Does the organization use automated mechanisms to enable systems to authenticate to a cryptographic module?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel provide an encryption solution (software or hardware) for the storage of sensitive/regulated data.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically enable systems to authenticate to a cryptographic module.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable encryption for sensitive files (e.g., VeraCrypt, BitLocker)",
        "small": "∙ Full disk encryption\n∙ TLS for data in transit",
        "medium": "∙ Enterprise encryption standards policy\n∙ PKI management",
        "large": "∙ Enterprise PKI\n∙ HSM for key management\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise HSM (e.g., Thales, AWS CloudHSM)\n∙ Enterprise PKI\n∙ Automated certificate management (e.g., Venafi)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed",
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-govramp": [
          "IA-07"
        ],
        "general-govramp-low": [
          "IA-07"
        ],
        "general-govramp-low-plus": [
          "IA-07"
        ],
        "general-govramp-mod": [
          "IA-07"
        ],
        "general-govramp-high": [
          "IA-07"
        ],
        "general-nist-800-53-r4": [
          "IA-7"
        ],
        "general-nist-800-53-r5-2": [
          "IA-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-07"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-07"
        ],
        "general-nist-800-82-r3": [
          "IA-07"
        ],
        "general-nist-800-82-r3-low": [
          "IA-07"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-07"
        ],
        "general-nist-800-82-r3-high": [
          "IA-07"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.7",
          "3.6.1.1",
          "3.6.1.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.7",
          "3.6.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.7",
          "3.6.1.1",
          "3.6.1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-07"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-7"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-7"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-07"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-07"
        ],
        "emea-isr-cmo-1-0": [
          "4.37",
          "12.10"
        ],
        "emea-sau-ecc-1-2018": [
          "2-8-3-1"
        ]
      }
    },
    {
      "control_id": "CRY-03",
      "title": "Transmission Confidentiality",
      "family": "CRY",
      "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
      "scf_question": "Are cryptographic mechanisms utilized to protect the confidentiality of data being transmitted?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CRY-01"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel provide an encryption solution (software or hardware) for the storage of sensitive/regulated data.\n▪ Sensitive/regulated data is encrypted in transit according to standardized processes.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.\n▪ External compliance requirements for cryptography are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to implement cryptographic mechanisms that are applicable to statutory, regulatory and/or contractual compliance obligations.\n▪ Sensitive/regulated data is encrypted at rest using cryptographic protections that are commensurate with the sensitivity of the data.\n▪ Sensitive/regulated data is encrypted during transmission using cryptographic protections that are commensurate with the sensitivity of the data.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to protect the confidentiality of data being transmitted.",
        "4": "Cryptographic Protections (CRY) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transport Layer Security (TLS)\n∙ IPSec encryption\n∙ Encrypted Multiprotocol Label Switching (MPLS)",
        "small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transport Layer Security (TLS)\n∙ IPSec encryption\n∙ Encrypted Multiprotocol Label Switching (MPLS)",
        "medium": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transport Layer Security (TLS)\n∙ IPSec encryption\n∙ Encrypted Multiprotocol Label Switching (MPLS)",
        "large": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transport Layer Security (TLS)\n∙ IPSec encryption\n∙ Encrypted Multiprotocol Label Switching (MPLS)",
        "enterprise": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transport Layer Security (TLS)\n∙ IPSec encryption\n∙ Encrypted Multiprotocol Label Switching (MPLS)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.3-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.7",
          "CC6.7-POF2"
        ],
        "general-cis-csc-8-1": [
          "3.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-03",
          "DSP-10"
        ],
        "general-csa-iot-2": [
          "COM-07",
          "COM-08",
          "COM-09",
          "IOT-10",
          "SAP-07",
          "SWS-11"
        ],
        "general-govramp": [
          "SC-08",
          "SC-08(01)"
        ],
        "general-govramp-low-plus": [
          "SC-08"
        ],
        "general-govramp-mod": [
          "SC-08",
          "SC-08(01)"
        ],
        "general-govramp-high": [
          "SC-08",
          "SC-08(01)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 4.1 RE 2"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 4.1(b)"
        ],
        "general-iso-27002-2022": [
          "5.14",
          "8.24",
          "8.26"
        ],
        "general-iso-27017-2015": [
          "10.1.1",
          "13.2.1",
          "13.2.3",
          "14.1.2",
          "14.1.3"
        ],
        "general-iso-27018-2025": [
          "5.14",
          "8.24",
          "8.26"
        ],
        "general-mitre-att&ck-16-1": [
          "T1020.001",
          "T1040",
          "T1090",
          "T1090.004",
          "T1550.001",
          "T1550.004",
          "T1552.007",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1557.004",
          "T1562",
          "T1562.006",
          "T1562.009",
          "T1562.010",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1622"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-3.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(d)"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P2"
        ],
        "general-nist-800-53-r4": [
          "SC-8",
          "SC-8(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-08",
          "SC-08(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-08",
          "SC-08(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-08",
          "SC-08(01)"
        ],
        "general-nist-800-66-r2": [
          "164.312(e)(1)"
        ],
        "general-nist-800-82-r3": [
          "SC-08",
          "SC-08(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-08",
          "SC-08(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-08",
          "SC-08(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-08(01)"
        ],
        "general-nist-800-161-r1": [
          "SC-8"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SC-8"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-8"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-8"
        ],
        "general-nist-800-171-r2": [
          "3.13.8"
        ],
        "general-nist-800-171-r3": [
          "03.13.08"
        ],
        "general-nist-800-171a": [
          "3.13.8[a]",
          "3.13.11"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.08[01]",
          "A.03.13.11.ODP[01]",
          "A.03.13.11"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-02"
        ],
        "general-owasp-top-10-2025": [
          "A04:2025"
        ],
        "general-pci-dss-4-0-1": [
          "4.2",
          "4.2.1",
          "4.2.1.2",
          "8.3.2",
          "A2.1",
          "A2.1.1",
          "A2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "4.2.1",
          "8.3.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "A2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "4.2.1",
          "4.2.1.2",
          "8.3.2",
          "A2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "4.2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "4.2.1",
          "4.2.1.2",
          "8.3.2",
          "A2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "4.2.1",
          "4.2.1.2",
          "8.3.2",
          "A2.1.1",
          "A2.1.2"
        ],
        "general-scf-dpmp-2025": [
          "7.2"
        ],
        "general-swift-cscf-2025": [
          "2.1",
          "2.5A",
          "2.6"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.EETRA",
          "3.PEP.UN.ECOMM"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.K"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-8",
          "SC-8(1)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-5c",
          "ARCHITECTURE-5d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.8"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.5"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.1.1"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(c)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-08",
          "SC-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-08",
          "SC-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-08",
          "SC-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-08",
          "SC-08(01)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(6)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(e)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(e)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.1.d",
          "SC-8",
          "SC-8(CE-1)",
          "SC-8(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-8",
          "SC-8(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(2)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(3)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.15(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-08",
          "SC-08-SID"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-08",
          "SC-08 (01)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(3)",
          "2447(c)(5)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(36)(f)"
        ],
        "emea-us-psd2-2015": [
          "20",
          "30"
        ],
        "emea-deu-c5-2020": [
          "CRY-02"
        ],
        "emea-isr-cmo-1-0": [
          "4.22",
          "8.4",
          "8.5",
          "8.6",
          "9.8",
          "9.20",
          "12.10",
          "13.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-5",
          "2-7-1-1"
        ],
        "emea-sau-cgiot-2024": [
          "2-4-1",
          "2-4-2",
          "2-4-3",
          "2-7-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-8-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-52",
          "TPC-53"
        ],
        "emea-zaf-popia-2013": [
          "14.1"
        ],
        "emea-gbr-caf-4-0": [
          "B3.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2302",
          "2306"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2306"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2302",
          "2306"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2302",
          "2306"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0231",
          "ISM-0232",
          "ISM-0241",
          "ISM-0465",
          "ISM-0467",
          "ISM-0469",
          "ISM-0484",
          "ISM-0547",
          "ISM-1139",
          "ISM-1369",
          "ISM-1370",
          "ISM-1372",
          "ISM-1373",
          "ISM-1374",
          "ISM-1375",
          "ISM-1448",
          "ISM-1453",
          "ISM-1506",
          "ISM-1553",
          "ISM-1589",
          "ISM-1781"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.08"
        ]
      }
    },
    {
      "control_id": "CRY-04",
      "title": "Transmission Integrity",
      "family": "CRY",
      "description": "Cryptographic mechanisms exist to protect the integrity of data being transmitted.",
      "scf_question": "Are cryptographic mechanisms utilized to protect the integrity of data being transmitted?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CRY-01"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel provide an encryption solution (software or hardware) for the storage of sensitive/regulated data.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.\n▪ External compliance requirements for cryptography are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to implement cryptographic mechanisms that are applicable to statutory, regulatory and/or contractual compliance obligations.\n▪ Sensitive/regulated data in transit is integrity-protected using cryptographic mechanisms that are commensurate with the sensitivity of the data.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to protect the integrity of data being transmitted.",
        "4": "Cryptographic Protections (CRY) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Transport Layer Security (TLS) for data in transit",
        "small": "∙ Transport Layer Security (TLS) for data in transit\n∙ IPSec encryption",
        "medium": "∙ Enterprise encryption standards policy\n∙ PKI management",
        "large": "∙ Enterprise PKI\n∙ HSM for key management\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise HSM (e.g., Thales, AWS CloudHSM)\n∙ Enterprise PKI\n∙ Automated certificate management (e.g., Venafi)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF10"
        ],
        "general-csa-iot-2": [
          "SAP-07"
        ],
        "general-govramp": [
          "SC-08",
          "SC-28(01)"
        ],
        "general-govramp-low-plus": [
          "SC-08"
        ],
        "general-govramp-mod": [
          "SC-08",
          "SC-28(01)"
        ],
        "general-govramp-high": [
          "SC-08",
          "SC-28(01)"
        ],
        "general-iec-62443-2-1-2024": [
          "DATA 1.7"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.1",
          "SR 3.1 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.1",
          "CR 3.1(1)"
        ],
        "general-iso-27002-2022": [
          "8.24",
          "8.26"
        ],
        "general-iso-27017-2015": [
          "10.1.1",
          "14.1.3"
        ],
        "general-iso-27018-2025": [
          "8.24",
          "8.26"
        ],
        "general-mitre-att&ck-16-1": [
          "T1020.001",
          "T1040",
          "T1090",
          "T1090.004",
          "T1550.001",
          "T1550.004",
          "T1552.007",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1557.004",
          "T1562",
          "T1562.006",
          "T1562.009",
          "T1562.010",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1622"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P5"
        ],
        "general-nist-800-53-r4": [
          "SC-8",
          "SC-16(1)",
          "SC-28(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-08",
          "SC-16(01)",
          "SC-28(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-08",
          "SC-16(01)",
          "SC-28(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-08",
          "SC-28(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-08",
          "SC-16(01)",
          "SC-28(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-08",
          "SC-28(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-08",
          "SC-28(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-16(01)",
          "SC-28(01)"
        ],
        "general-nist-800-161-r1": [
          "SC-8"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SC-8"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-8"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-8"
        ],
        "general-nist-800-171-r2": [
          "NFO - SI-1"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-02"
        ],
        "general-owasp-top-10-2025": [
          "A04:2025"
        ],
        "general-pci-dss-4-0-1": [
          "3.7.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.7.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.7.5"
        ],
        "general-swift-cscf-2025": [
          "2.1",
          "2.5A",
          "2.6"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.K"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-8",
          "SC-28(1)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(c)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-08",
          "SC-16(01)",
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-08",
          "SC-16(01)",
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-08",
          "SC-16(01)",
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-08",
          "SC-16(01)",
          "SC-28(01)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(e)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(e)(2)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-8",
          "SC-8(IRS-Defined)",
          "SC-28(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-8",
          "SC-8-IS.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-08"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-08",
          "SC-28 (01)"
        ],
        "emea-us-psd2-2015": [
          "20",
          "30"
        ],
        "emea-deu-c5-2020": [
          "OPS-09"
        ],
        "emea-isr-cmo-1-0": [
          "4.22",
          "9.8",
          "9.20",
          "12.10",
          "13.6"
        ],
        "emea-sau-cgiot-2024": [
          "2-4-1",
          "2-4-2",
          "2-4-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-4"
        ],
        "emea-zaf-popia-2013": [
          "14.1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0677"
        ],
        "apac-jpn-ismap": [
          "14.2.5.8"
        ]
      }
    },
    {
      "control_id": "CRY-05",
      "title": "Encrypting Data At Rest",
      "family": "CRY",
      "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
      "scf_question": "Are cryptographic mechanisms utilized to prevent unauthorized disclosure of data at rest?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CRY-01"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel provide an encryption solution (software or hardware) for the storage of sensitive/regulated data.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.\n▪ External compliance requirements for cryptography are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to implement cryptographic mechanisms that are applicable to statutory, regulatory and/or contractual compliance obligations.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to prevent unauthorized disclosure of data at rest.",
        "4": "Cryptographic Protections (CRY) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "medium": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "large": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "enterprise": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.3-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.7",
          "CC6.7-POF2",
          "CC6.7-POF3"
        ],
        "general-cis-csc-8-1": [
          "3.6",
          "3.9",
          "3.11"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.6",
          "3.9",
          "3.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.6",
          "3.9",
          "3.11"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-03",
          "UEM-08"
        ],
        "general-csa-iot-2": [
          "DAT-04"
        ],
        "general-govramp": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "general-govramp-core": [
          "SC-13"
        ],
        "general-govramp-low": [
          "SC-13"
        ],
        "general-govramp-low-plus": [
          "SC-13",
          "SC-28"
        ],
        "general-govramp-mod": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "general-govramp-high": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 4.1(a)"
        ],
        "general-iso-27002-2022": [
          "8.24"
        ],
        "general-iso-27017-2015": [
          "10.1.1"
        ],
        "general-iso-27018-2025": [
          "8.24"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1005",
          "T1025",
          "T1041",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1078",
          "T1078.001",
          "T1078.003",
          "T1078.004",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1530",
          "T1550.001",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.003",
          "T1552.004",
          "T1565",
          "T1565.001",
          "T1565.003",
          "T1567",
          "T1599",
          "T1599.001",
          "T1602",
          "T1602.001",
          "T1602.002"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-3.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(d)"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P1"
        ],
        "general-nist-800-53-r4": [
          "SC-13",
          "SC-28",
          "SC-28(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-13"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-28",
          "SC-28(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-13"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-28(01)"
        ],
        "general-nist-800-161-r1": [
          "SC-28"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SC-28"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-28"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-28"
        ],
        "general-nist-800-171-r2": [
          "3.8.6",
          "3.13.16"
        ],
        "general-nist-800-171-r3": [
          "03.13.08"
        ],
        "general-nist-800-171a": [
          "3.8.6"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.08[02]",
          "A.03.13.11.ODP[01]",
          "A.03.13.11"
        ],
        "general-nist-csf-2-0": [
          "PR.DS-01"
        ],
        "general-owasp-top-10-2025": [
          "A04:2025"
        ],
        "general-pci-dss-4-0-1": [
          "3.3.2",
          "3.5",
          "3.5.1.2",
          "3.5.1.3",
          "8.3.2",
          "9.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.3.2",
          "3.5.1.2",
          "3.5.1.3",
          "8.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.3.2",
          "3.5.1.2",
          "3.5.1.3",
          "8.3.2"
        ],
        "general-scf-dpmp-2025": [
          "7.2"
        ],
        "general-swift-cscf-2025": [
          "2.5A"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.PDRES",
          "3.PEP.DA.PDTRA"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.K"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-13",
          "SC-28",
          "SC-28(1)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-5a",
          "ARCHITECTURE-5b",
          "ARCHITECTURE-5d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.6",
          "SCL2.-3.13.16"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.5"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.1.2"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(c)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-13",
          "SC-28",
          "SC-28(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.6-1",
          "3.3.1.e",
          "SC-13",
          "SC-28",
          "SC-28(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-13",
          "SC-28",
          "SC-28-iS"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(2)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(5)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.15(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-13"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-13",
          "SC-28",
          "SC-28 (01)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(36)(f)"
        ],
        "emea-deu-c5-2020": [
          "CRY-03"
        ],
        "emea-isr-cmo-1-0": [
          "8.7",
          "15.7"
        ],
        "emea-sau-cscc-1-2019": [
          "2-7-1-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-7-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-8-3-3"
        ],
        "emea-zaf-popia-2013": [
          "14.1"
        ],
        "emea-gbr-caf-4-0": [
          "B3.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2310",
          "2317"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2310",
          "2317"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2310",
          "2317"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2310",
          "2317"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0459",
          "ISM-1080"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S1"
        ],
        "apac-jpn-ismap": [
          "8.3.1.5"
        ],
        "apac-nzl-ism-3-9": [
          "8.4.13.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.08"
        ]
      }
    },
    {
      "control_id": "CRY-05.1",
      "title": "Storage Media",
      "family": "CRY",
      "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of sensitive/regulated data residing on storage media.",
      "scf_question": "Are cryptographic mechanisms utilized to protect the confidentiality and integrity of sensitive/regulated data residing on storage media?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to protect the confidentiality and integrity of sensitive/regulated data residing on storage media.",
        "4": "Cryptographic Protections (CRY) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "medium": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "large": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "enterprise": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7-POF3"
        ],
        "general-cis-csc-8-1": [
          "3.9"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.9"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.9"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-08"
        ],
        "general-nist-800-171-r3": [
          "03.13.08"
        ],
        "general-pci-dss-4-0-1": [
          "9.4"
        ],
        "general-swift-cscf-2025": [
          "2.5A"
        ],
        "emea-deu-c5-2020": [
          "CRY-03"
        ],
        "emea-isr-cmo-1-0": [
          "15.7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-8",
          "2-3-1-9"
        ],
        "apac-nzl-ism-3-9": [
          "8.4.13.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.08"
        ]
      }
    },
    {
      "control_id": "CRY-05.2",
      "title": "Offline Storage",
      "family": "CRY",
      "description": "Mechanisms exist to remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements.",
      "scf_question": "Does the organization remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements.",
        "4": "Cryptographic Protections (CRY) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable encryption for sensitive files (e.g., VeraCrypt, BitLocker)",
        "small": "∙ Full disk encryption\n∙ TLS for data in transit",
        "medium": "∙ Enterprise encryption standards policy\n∙ PKI management",
        "large": "∙ Enterprise PKI\n∙ HSM for key management\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise HSM (e.g., Thales, AWS CloudHSM)\n∙ Enterprise PKI\n∙ Automated certificate management (e.g., Venafi)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-28(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-28(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-28(02)"
        ],
        "general-nist-800-82-r3": [
          "SC-28(02)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-28(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-28(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-28(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-28(02)"
        ]
      }
    },
    {
      "control_id": "CRY-05.3",
      "title": "Database Encryption",
      "family": "CRY",
      "description": "Mechanisms exist to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases.",
      "scf_question": "Does the organization ensure that database servers utilize encryption to protect the confidentiality of the data within the databases?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel provide an encryption solution (software or hardware) for the storage of sensitive/regulated data.\n▪ Databases containing sensitive/regulated data use a cryptographic mechanism to prevent the unauthorized disclosure of information in the database (e.g., column-level, Transparent Data Encryption (TDE), etc.).",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transparent Data Encryption (TDE)",
        "small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transparent Data Encryption (TDE)",
        "medium": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transparent Data Encryption (TDE)",
        "large": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transparent Data Encryption (TDE)",
        "enterprise": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Transparent Data Encryption (TDE)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "apac-aus-ism-2024-june": [
          "ISM-1080",
          "ISM-1277"
        ]
      }
    },
    {
      "control_id": "CRY-06",
      "title": "Non-Console Administrative Access",
      "family": "CRY",
      "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.",
      "scf_question": "Are cryptographic mechanisms utilized to protect the confidentiality and integrity of non-console administrative access?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel provide an encryption solution (software or hardware) for the storage of sensitive/regulated data.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to protect the confidentiality and integrity of non-console administrative access.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable encryption for sensitive files (e.g., VeraCrypt, BitLocker)",
        "small": "∙ Full disk encryption\n∙ TLS for data in transit",
        "medium": "∙ Enterprise encryption standards policy\n∙ PKI management",
        "large": "∙ Enterprise PKI\n∙ HSM for key management\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise HSM (e.g., Thales, AWS CloudHSM)\n∙ Enterprise PKI\n∙ Automated certificate management (e.g., Venafi)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.6",
          "12.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.6",
          "12.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.6",
          "12.3"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.7"
        ]
      }
    },
    {
      "control_id": "CRY-07",
      "title": "Wireless Access Authentication & Encryption",
      "family": "CRY",
      "description": "Mechanisms exist to protect the confidentiality and integrity of wireless networking technologies by implementing authentication and strong encryption.",
      "scf_question": "Does the organization protect the confidentiality and integrity of wireless networking technologies by implementing authentication and strong encryption?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel provide an encryption solution (software or hardware) for the storage of sensitive/regulated data.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.\n▪ External compliance requirements for cryptography are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to implement cryptographic mechanisms that are applicable to statutory, regulatory and/or contractual compliance obligations.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect the confidentiality and integrity of wireless networking technologies by implementing authentication and strong encryption.",
        "4": "Cryptographic Protections (CRY) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Wi-Fi Protected Access 3 (WPA3)",
        "small": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Wi-Fi Protected Access 3 (WPA3)",
        "medium": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Wi-Fi Protected Access 3 (WPA3)",
        "large": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Wi-Fi Protected Access 3 (WPA3)",
        "enterprise": "∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Wi-Fi Protected Access 3 (WPA3)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-csa-iot-2": [
          "SWS-07"
        ],
        "general-govramp": [
          "AC-18"
        ],
        "general-govramp-low": [
          "AC-18"
        ],
        "general-govramp-low-plus": [
          "AC-18"
        ],
        "general-govramp-mod": [
          "AC-18"
        ],
        "general-govramp-high": [
          "AC-18"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.6"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.6"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.11"
        ],
        "general-nist-800-53-r4": [
          "AC-18",
          "SC-40"
        ],
        "general-nist-800-53-r5-2": [
          "AC-18",
          "SC-40"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-18",
          "SC-40"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-18"
        ],
        "general-nist-800-82-r3": [
          "AC-18",
          "SC-40"
        ],
        "general-nist-800-82-r3-low": [
          "AC-18"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-18"
        ],
        "general-nist-800-82-r3-high": [
          "AC-18"
        ],
        "general-nist-800-161-r1": [
          "AC-18"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-18"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-18"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-18"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-18"
        ],
        "general-nist-800-171-r3": [
          "03.01.16.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2"
        ],
        "general-pci-dss-4-0-1": [
          "2.3.1",
          "2.3.2",
          "4.2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "2.3.1",
          "2.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.3.1",
          "2.3.2",
          "4.2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.3.1",
          "2.3.2",
          "4.2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.3.1",
          "2.3.2",
          "4.2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.3.1",
          "2.3.2",
          "4.2.1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-18"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-18",
          "SC-40"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-18",
          "SC-40"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-18",
          "SC-40"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-18",
          "SC-40"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-18"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-18"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-18"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-18"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-18"
        ],
        "emea-isr-cmo-1-0": [
          "4.22"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-42"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1314",
          "ISM-1332"
        ],
        "apac-nzl-ism-3-9": [
          "18.2.9.C.01",
          "18.2.10.C.01",
          "18.2.10.C.02",
          "18.2.11.C.01",
          "18.2.11.C.02",
          "18.2.11.C.03",
          "18.2.11.C.04",
          "18.2.11.C.05",
          "18.2.12.C.01",
          "18.2.12.C.02",
          "18.2.13.C.01",
          "18.2.14.C.01",
          "18.2.15.C.01",
          "18.2.16.C.01",
          "18.2.17.C.01",
          "18.2.18.C.01",
          "18.2.19.C.01",
          "18.2.20.C.01",
          "18.2.20.C.02",
          "18.2.20.C.03",
          "18.2.21.C.01",
          "18.2.22.C.01",
          "18.2.23.C.01",
          "18.2.23.C.02",
          "18.2.24.C.01",
          "18.2.25.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.16.A"
        ]
      }
    },
    {
      "control_id": "CRY-08",
      "title": "Public Key Infrastructure (PKI)",
      "family": "CRY",
      "description": "Mechanisms exist to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider.",
      "scf_question": "Does the organization securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.\n▪ External compliance requirements for cryptography are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to implement cryptographic mechanisms that are applicable to statutory, regulatory and/or contractual compliance obligations.\n▪ The IT department implements Public Key Infrastructure (PKI) key management controls to protect the confidentiality, integrity and availability of keys.\n▪ The IT department implements and maintains an internal PKI infrastructure or obtains PKI services from a reputable PKI service provider.\n▪ The PKI infrastructure enables the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes.\n▪ The PKI infrastructure ensures the availability of information in the event of the loss of cryptographic keys by individual users.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider.",
        "4": "Cryptographic Protections (CRY) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Cloud PKI (https://microsoft.com)\n∙ DigiCert (https://digicert.com)\n∙ Entrust (https://entrust.com)\n∙ Vault (https://vaultproject.io)",
        "small": "∙ Microsoft Cloud PKI (https://microsoft.com)\n∙ DigiCert (https://digicert.com)\n∙ Entrust (https://entrust.com)\n∙ Vault (https://vaultproject.io)",
        "medium": "∙ Microsoft Cloud PKI (https://microsoft.com)\n∙ DigiCert (https://digicert.com)\n∙ Entrust (https://entrust.com)\n∙ Vault (https://vaultproject.io)",
        "large": "∙ Microsoft Cloud PKI (https://microsoft.com)\n∙ DigiCert (https://digicert.com)\n∙ Entrust (https://entrust.com)\n∙ Vault (https://vaultproject.io)",
        "enterprise": "∙ Microsoft Cloud PKI (https://microsoft.com)\n∙ DigiCert (https://digicert.com)\n∙ Entrust (https://entrust.com)\n∙ Vault (https://vaultproject.io)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.1-POF11"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-08",
          "LOG-11"
        ],
        "general-csa-iot-2": [
          "CLS-01",
          "IAM-10",
          "SDV-01"
        ],
        "general-govramp": [
          "SC-12",
          "SC-17"
        ],
        "general-govramp-low": [
          "SC-12"
        ],
        "general-govramp-low-plus": [
          "SC-12",
          "SC-17"
        ],
        "general-govramp-mod": [
          "SC-12",
          "SC-17"
        ],
        "general-govramp-high": [
          "SC-12",
          "SC-17"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.8"
        ],
        "general-mitre-att&ck-16-1": [
          "T1072",
          "T1098.004",
          "T1521.003",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.004",
          "T1563.001",
          "T1573",
          "T1573.001",
          "T1573.002",
          "T1606"
        ],
        "general-nist-800-53-r4": [
          "SC-12",
          "SC-12(4)",
          "SC-12(5)",
          "SC-17"
        ],
        "general-nist-800-53-r5-2": [
          "SC-12",
          "SC-17"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-12"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-17"
        ],
        "general-nist-800-82-r3": [
          "SC-12",
          "SC-17"
        ],
        "general-nist-800-82-r3-low": [
          "SC-12"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-12",
          "SC-17"
        ],
        "general-nist-800-82-r3-high": [
          "SC-12",
          "SC-17"
        ],
        "general-nist-800-171-r2": [
          "3.13.10"
        ],
        "general-nist-800-171-r3": [
          "03.13.10"
        ],
        "general-nist-800-171a": [
          "3.13.10[a]",
          "3.13.10[b]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2"
        ],
        "general-owasp-top-10-2025": [
          "A04:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-12",
          "SC-17"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.10"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.9.1",
          "2.1.2",
          "2.3.6"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-12"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-12",
          "SC-17"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-12",
          "SC-17"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-12"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-12",
          "SC-17"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-12",
          "SC-17"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-12"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-12"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-12",
          "SC-17"
        ],
        "emea-isr-cmo-1-0": [
          "8.2",
          "8.9"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0485",
          "ISM-1449"
        ],
        "apac-nzl-ism-3-9": [
          "17.1.51.C.01",
          "17.1.51.C.02",
          "17.1.51.C.03",
          "23.3.21.C.01",
          "23.3.22.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.10"
        ]
      }
    },
    {
      "control_id": "CRY-08.1",
      "title": "Availability",
      "family": "CRY",
      "description": "Resiliency mechanisms exist to ensure the availability of data in the event of the loss of cryptographic keys.",
      "scf_question": "Does the organization ensure the availability of data in the event of the loss of cryptographic keys?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the availability of data in the event of the loss of cryptographic keys.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable encryption for sensitive files (e.g., VeraCrypt, BitLocker)",
        "small": "∙ Full disk encryption\n∙ TLS for data in transit",
        "medium": "∙ Enterprise encryption standards policy\n∙ PKI management",
        "large": "∙ Enterprise PKI\n∙ HSM for key management\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise HSM (e.g., Thales, AWS CloudHSM)\n∙ Enterprise PKI\n∙ Automated certificate management (e.g., Venafi)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "3.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.6.1"
        ],
        "apac-nzl-ism-3-9": [
          "17.1.51.C.01",
          "17.1.51.C.02",
          "17.1.51.C.03"
        ]
      }
    },
    {
      "control_id": "CRY-09",
      "title": "Cryptographic Key Management",
      "family": "CRY",
      "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
      "scf_question": "Does the organization facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CRY-01",
        "E-CRY-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.\n▪ External compliance requirements for cryptography are identified and documented, based on applicable laws, regulations and contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to implement cryptographic mechanisms that are applicable to statutory, regulatory and/or contractual compliance obligations.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "4": "Cryptographic Protections (CRY) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF10"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.1-POF11"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-08",
          "CEK-10",
          "CEK-11",
          "CEK-12",
          "CEK-13",
          "CEK-14",
          "CEK-15",
          "CEK-16",
          "CEK-17",
          "CEK-18",
          "CEK-19",
          "CEK-20",
          "CEK-21",
          "LOG-11"
        ],
        "general-csa-iot-2": [
          "CLS-01",
          "IAM-08",
          "IAM-10",
          "IAM-11",
          "IAM-12",
          "IAM-13",
          "IAM-14",
          "IAM-15",
          "IAM-16",
          "SDV-01",
          "SWS-10"
        ],
        "general-iec-62443-2-1-2024": [
          "DATA 1.6"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.9(d)",
          "CR 1.9(e)",
          "CR 1.9(f)"
        ],
        "general-iso-27002-2022": [
          "8.24"
        ],
        "general-iso-27017-2015": [
          "10.1.2"
        ],
        "general-iso-27018-2025": [
          "8.24",
          "8.24(a)"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-3.2"
        ],
        "general-nist-800-53-r5-2": [
          "SC-28(03)"
        ],
        "general-nist-800-82-r3": [
          "SC-28(03)"
        ],
        "general-nist-800-171-r2": [
          "3.13.10"
        ],
        "general-nist-800-171-r3": [
          "03.13.10"
        ],
        "general-nist-800-171a": [
          "3.13.10[a]",
          "3.13.10[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.10.ODP[01]",
          "A.03.13.10[01]",
          "A.03.13.10[02]"
        ],
        "general-owasp-top-10-2025": [
          "A04:2025"
        ],
        "general-pci-dss-4-0-1": [
          "3.5.1.1",
          "3.6",
          "3.6.1",
          "3.6.1.1",
          "3.6.1.2",
          "3.6.1.3",
          "3.6.1.4",
          "3.7",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.4",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "4.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.5.1.1",
          "3.6.1",
          "3.6.1.2",
          "3.6.1.3",
          "3.6.1.4",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.4",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "4.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.5.1.1",
          "3.6.1",
          "3.6.1.1",
          "3.6.1.2",
          "3.6.1.3",
          "3.6.1.4",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.4",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "4.2.1.1"
        ],
        "general-sparta": [
          "CM0030"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-5e"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.10"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.3.6"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.300(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "9.2(c)(vi)",
          "9.2(c)(vii)",
          "9.2(c)(viii)",
          "9.2(c)(ix)",
          "9.2(c)(x)",
          "9.2(c)(xi)",
          "9.2(c)(xii)",
          "9.3"
        ],
        "emea-deu-c5-2020": [
          "CRY-04"
        ],
        "emea-isr-cmo-1-0": [
          "8.2",
          "8.9",
          "8.10"
        ],
        "emea-sau-ecc-1-2018": [
          "2-8-3-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-55"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.11 [OP.EXP.11]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2319"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2319"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2319"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2319"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0455",
          "ISM-0507"
        ],
        "apac-jpn-ismap": [
          "10.1.2",
          "10.1.2.1",
          "10.1.2.2",
          "10.1.2.3",
          "10.1.2.4",
          "10.1.2.5",
          "10.1.2.6",
          "10.1.2.7",
          "10.1.2.8",
          "10.1.2.9",
          "10.1.2.10",
          "10.1.2.11",
          "10.1.2.12",
          "10.1.2.13",
          "10.1.2.14",
          "10.1.2.15",
          "10.1.2.16",
          "10.1.2.17",
          "10.1.2.18",
          "10.1.2.19",
          "10.1.2.20.PB"
        ],
        "apac-nzl-ism-3-9": [
          "17.1.51.C.01",
          "17.1.58.C.01",
          "17.1.58.C.02",
          "17.1.58.C.03",
          "23.3.21.C.01",
          "23.3.22.C.01",
          "23.4.9.C.02",
          "23.4.9.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.5",
          "10.2.6",
          "10.2.7",
          "10.2.8",
          "10.2.9",
          "10.2.10"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.10"
        ]
      }
    },
    {
      "control_id": "CRY-09.1",
      "title": "Symmetric Keys",
      "family": "CRY",
      "description": "Mechanisms exist to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes.",
      "scf_question": "Does the organization facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CRY-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.1-POF11"
        ],
        "general-govramp": [
          "SC-12(02)"
        ],
        "general-govramp-mod": [
          "SC-12(02)"
        ],
        "general-govramp-high": [
          "SC-12(02)"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.14",
          "CR 1.14(a)",
          "CR 1.14(b)",
          "CR 1.14(c)",
          "CR 1.14(d)"
        ],
        "general-nist-800-53-r4": [
          "SC-12(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-12(02)"
        ],
        "general-nist-800-82-r3": [
          "SC-12(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-12(2)"
        ]
      }
    },
    {
      "control_id": "CRY-09.2",
      "title": "Asymmetric Keys",
      "family": "CRY",
      "description": "Mechanisms exist to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key.",
      "scf_question": "Does the organization facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CRY-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF10",
          "CC6.1-POF11"
        ],
        "general-govramp": [
          "SC-12(03)"
        ],
        "general-govramp-mod": [
          "SC-12(03)"
        ],
        "general-govramp-high": [
          "SC-12(03)"
        ],
        "general-nist-800-53-r4": [
          "SC-12(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-12(03)"
        ],
        "general-nist-800-82-r3": [
          "SC-12(03)"
        ]
      }
    },
    {
      "control_id": "CRY-09.3",
      "title": "Cryptographic Key Loss or Change",
      "family": "CRY",
      "description": "Mechanisms exist to ensure the availability of information in the event of the loss of cryptographic keys by individual users.",
      "scf_question": "Does the organization ensure the availability of information in the event of the loss of cryptographic keys by individual users?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the availability of information in the event of the loss of cryptographic keys by individual users.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF11"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-12",
          "CEK-13",
          "CEK-14",
          "CEK-15",
          "CEK-16",
          "CEK-17",
          "CEK-19"
        ],
        "general-csa-iot-2": [
          "IAM-10",
          "IAM-11",
          "IAM-13"
        ],
        "general-govramp": [
          "SC-12(01)"
        ],
        "general-govramp-high": [
          "SC-12(01)"
        ],
        "general-iso-27002-2022": [
          "8.24"
        ],
        "general-iso-27017-2015": [
          "10.1.2"
        ],
        "general-iso-27018-2025": [
          "8.24"
        ],
        "general-nist-800-53-r4": [
          "SC-12(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-12(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SC-12(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-12(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-12(01)"
        ],
        "general-nist-800-171-r3": [
          "03.13.10"
        ],
        "general-pci-dss-4-0-1": [
          "2.3.2",
          "3.6.1",
          "3.7.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "2.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.3.2",
          "3.6.1",
          "3.7.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.3.2",
          "3.6.1",
          "3.7.5"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-12(01)"
        ],
        "emea-eu-nis2-annex-2024": [
          "9.2(c)(v)"
        ],
        "emea-isr-cmo-1-0": [
          "8.3",
          "8.11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0455",
          "ISM-0462"
        ],
        "apac-nzl-ism-3-9": [
          "7.2.24.C.01",
          "7.2.25.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.10"
        ]
      }
    },
    {
      "control_id": "CRY-09.4",
      "title": "Control & Distribution of Cryptographic Keys",
      "family": "CRY",
      "description": "Mechanisms exist to facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes.",
      "scf_question": "Does the organization facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF11"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-10",
          "CEK-11",
          "CEK-12",
          "CEK-15"
        ],
        "general-iso-27002-2022": [
          "8.24"
        ],
        "general-iso-27017-2015": [
          "10.1.2"
        ],
        "general-iso-27018-2025": [
          "8.24"
        ],
        "general-nist-800-171-r3": [
          "03.13.10"
        ],
        "general-pci-dss-4-0-1": [
          "3.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.6.1"
        ],
        "emea-eu-nis2-annex-2024": [
          "9.2(c)(i)",
          "9.2(c)(ii)",
          "9.2(c)(iii)",
          "9.2(c)(iv)",
          "9.2(c)(v)"
        ],
        "emea-isr-cmo-1-0": [
          "8.9",
          "8.11"
        ],
        "apac-sgp-mas-trm-2021": [
          "10.2.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.10"
        ]
      }
    },
    {
      "control_id": "CRY-09.5",
      "title": "Assigned Owners",
      "family": "CRY",
      "description": "Mechanisms exist to ensure cryptographic keys are bound to individual identities.",
      "scf_question": "Does the organization ensure cryptographic keys are bound to individual identities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure cryptographic keys are bound to individual identities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {}
    },
    {
      "control_id": "CRY-09.6",
      "title": "Third-Party Cryptographic Keys",
      "family": "CRY",
      "description": "Mechanisms exist to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared.",
      "scf_question": "Does the organization ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-GV-1"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "3.7.9"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.7.9"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.3.7"
        ]
      }
    },
    {
      "control_id": "CRY-09.7",
      "title": "External System Cryptographic Key Control",
      "family": "CRY",
      "description": "Mechanisms exist to maintain control of cryptographic keys for encrypted material stored or transmitted through an external system.",
      "scf_question": "Does the organization maintain control of cryptographic keys for encrypted material stored or transmitted through an external system?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain control of cryptographic keys for encrypted material stored or transmitted through an external system.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SA-09(06)"
        ],
        "general-nist-800-82-r3": [
          "SA-09(06)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-6)"
        ],
        "apac-nzl-ism-3-9": [
          "23.4.9.C.02",
          "23.4.9.C.03"
        ]
      }
    },
    {
      "control_id": "CRY-10",
      "title": "Transmission of Cybersecurity & Data Protection Attributes",
      "family": "CRY",
      "description": "Mechanisms exist to associate Technology Assets, Applications and/or Services (TAAS) security attributes with information exchanged between TAAS.",
      "scf_question": "Does the organization associate Technology Assets, Applications and/or Services (TAAS) security attributes with information exchanged between TAAS?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management controls-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to associate Technology Assets, Applications and/or Services (TAAS) security attributes with information exchanged between TAAS.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1505",
          "T1505.002",
          "T1573",
          "T1573.001",
          "T1573.002"
        ],
        "general-nist-800-53-r4": [
          "SC-16",
          "SC-16(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-16",
          "SC-16(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-16(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-16",
          "SC-16(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-16(01)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-16(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-16(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-16(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-16(01)"
        ]
      }
    },
    {
      "control_id": "CRY-11",
      "title": "Certificate Authorities",
      "family": "CRY",
      "description": "Automated mechanisms exist to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions.",
      "scf_question": "Does the organization use automated mechanisms to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-23(5)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-23(05)"
        ],
        "general-nist-800-82-r3": [
          "SC-23(05)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-23(CE-5)"
        ],
        "emea-eu-nis2-annex-2024": [
          "9.2(c)(ii)"
        ],
        "apac-nzl-ism-3-9": [
          "23.3.21.C.01",
          "23.3.22.C.01"
        ]
      }
    },
    {
      "control_id": "CRY-12",
      "title": "Certificate Monitoring",
      "family": "CRY",
      "description": "Automated mechanisms exist to discover when new certificates are issued for organization-controlled domains.",
      "scf_question": "Does the organization use automated mechanisms to discover when new certificates are issued for organization-controlled domains?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-CRY-03"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically discover when new certificates are issued for organization-controlled domains.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program",
        "small": "∙ Cryptographic governance program",
        "medium": "∙ Cryptographic governance program",
        "large": "∙ Cryptographic governance program",
        "enterprise": "∙ Cryptographic governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.IN.CTLMO"
        ]
      }
    },
    {
      "control_id": "CRY-13",
      "title": "Cryptographic Hash",
      "family": "CRY",
      "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
      "scf_question": "Does the organization utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cryptographic Protections (CRY) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with CRY domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cryptography management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel provide an encryption solution (software or hardware) for the storage of sensitive/regulated data.",
        "2": "Cryptographic Protections (CRY) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Cryptographic management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Cryptographic management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Technology Assets, Applications and/or Services (TAAS) that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.",
        "3": "Cryptographic Protections (CRY) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with CRY domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with CRY domain capabilities are well-documented and kept current by process owners.\n▪ A security engineering team, or similar function, is appropriately staffed and supported to implement and maintain CRY domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of cryptographic protections operations (e.g., PKI management tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with CRY domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable encryption for sensitive files (e.g., VeraCrypt, BitLocker)",
        "small": "∙ Full disk encryption\n∙ TLS for data in transit",
        "medium": "∙ Enterprise encryption standards policy\n∙ PKI management",
        "large": "∙ Enterprise PKI\n∙ HSM for key management\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise HSM (e.g., Thales, AWS CloudHSM)\n∙ Enterprise PKI\n∙ Automated certificate management (e.g., Venafi)"
      },
      "risks": [
        "R-AM-2",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cryptographic Protections",
      "crosswalks": {
        "general-nist-800-172": [
          "3.14.1e"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SI.L3-3.14.1E"
        ]
      }
    },
    {
      "control_id": "DCH-01",
      "title": "Data Protection",
      "family": "DCH",
      "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
      "scf_question": "Does the organization facilitate the implementation of data protection controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CRY-01"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ A basic data classification process exists to identify categories of sensitive/regulated data for compliance-related protection requirements.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ TAASD are categorized according to data classification and business criticality.\n▪ Data classification and handling criteria govern requirements to protect sensitive/regulated data regardless of where it is stored, processed and/or transmitted.\n▪ The data retention process is manual and IT and/or cybersecurity personnel work with business stakeholders and process owners to manage the process.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of data protection controls.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "medium": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program",
        "large": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program\n∙ Chief Data Officer (CDO)",
        "enterprise": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program\n∙ Chief Data Officer (CDO)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF4",
          "S7.4"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2-POF7",
          "C1.1",
          "C1.1-POF2",
          "CC2.1",
          "CC6.5",
          "CC6.7",
          "CC6.7-POF2",
          "CC8.1-POF16",
          "CC8.1-POF17",
          "PI1.4-POF1",
          "PI1.4-POF2",
          "PI1.4-POF3",
          "PI1.4-POF4",
          "PI1.5",
          "PI1.5-POF1",
          "PI1.5-POF2",
          "PI1.5-POF3",
          "PI1.5-POF4"
        ],
        "general-cis-csc-8-1": [
          "3.0",
          "3.1",
          "3.3",
          "11.0",
          "11.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1",
          "3.3",
          "11.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1",
          "3.3",
          "11.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1",
          "3.3",
          "11.3"
        ],
        "general-cobit-2019": [
          "APO14.01",
          "APO14.03",
          "APO14.08",
          "APO14.09",
          "DSS06.02",
          "DSS06.06"
        ],
        "general-coso-2013": [
          "13"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-04",
          "DSP-10",
          "DSP-17"
        ],
        "general-csa-iot-2": [
          "LGL-08"
        ],
        "general-govramp": [
          "MP-01"
        ],
        "general-govramp-low": [
          "MP-01"
        ],
        "general-govramp-low-plus": [
          "MP-01"
        ],
        "general-govramp-mod": [
          "MP-01"
        ],
        "general-govramp-high": [
          "MP-01"
        ],
        "general-iec-62443-2-1-2024": [
          "DATA 1.2"
        ],
        "general-iso-27002-2022": [
          "5.9",
          "5.1",
          "5.12",
          "5.33",
          "7.1",
          "8.12"
        ],
        "general-iso-27017-2015": [
          "8.1.1",
          "8.1.3",
          "8.2.1",
          "8.2.3"
        ],
        "general-iso-27018-2025": [
          "5.9",
          "5.10",
          "5.12",
          "5.33",
          "7.10",
          "8.12"
        ],
        "general-iso-27701-2025": [
          "7.5.3(b)"
        ],
        "general-iso-42001-2023": [
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.4",
          "OP-1.1",
          "OP-3.0",
          "OP-3.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)(b)",
          "4.D(2)(b)",
          "4.D(2)(j)"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P",
          "GV.PO-P1",
          "CT.DM-P1",
          "CT.DM-P2",
          "CT.DM-P3",
          "CT.DM-P4",
          "PR.DS-P"
        ],
        "general-nist-800-53-r4": [
          "MP-1"
        ],
        "general-nist-800-53-r5-2": [
          "MP-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "MP-01"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)",
          "164.312(c)"
        ],
        "general-nist-800-82-r3": [
          "MP-01"
        ],
        "general-nist-800-82-r3-low": [
          "MP-01"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-01"
        ],
        "general-nist-800-82-r3-high": [
          "MP-01"
        ],
        "general-nist-800-161-r1": [
          "MP-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "MP-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "MP-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "MP-1"
        ],
        "general-nist-800-171-r2": [
          "3.8.1",
          "3.8.3",
          "NFO - MP-1"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.d.01",
          "03.01.01.d.02",
          "03.08.01"
        ],
        "general-nist-800-171a": [
          "3.8.1[a]",
          "3.8.1[b]",
          "3.8.1[c]",
          "3.8.1[d]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-08",
          "PR.DS",
          "PR.DS-01",
          "PR.DS-02",
          "PR.DS-10"
        ],
        "general-pci-dss-4-0-1": [
          "9.4",
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.4.1"
        ],
        "general-scf-dpmp-2025": [
          "5.0"
        ],
        "general-shared-assessments-sig-2025": [
          "P.3"
        ],
        "general-sparta": [
          "CM0001"
        ],
        "general-swift-cscf-2025": [
          "2.5A",
          "2.9",
          "2.11A"
        ],
        "general-tisax-6-0-3": [
          "5.1.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "KIM:SG4",
          "KIM:SG4.SP1",
          "KIM:SG4.SP2",
          "KIM:SG4.SP3",
          "KIM:SG5",
          "KIM:SG5.SP1",
          "KIM:SG5.SP2",
          "KIM:SG5.SP3",
          "KIM:SG6",
          "KIM:SG6.SP1",
          "KIM:SG6.SP2",
          "KIM:GG1.GP1",
          "KIM:GG2",
          "KIM:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.PDRES"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.L"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "4.2.3.1",
          "MP-1"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "MP.L1-B.1.VII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.1",
          "MPL2.-3.8.3"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.0"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)",
          "52.204-21(b)(1)(vii)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)",
          "609.945"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(a)",
          "11.10(b)",
          "11.10(c)",
          "11.10(d)",
          "11.10(k)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-01"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(2)(i)",
          "248.30(a)(2)(iii)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(1)(i)",
          "314.4(c)(6)(ii)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)(iv)",
          "155.260(a)(4)(v)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(3)",
          "164.310(d)(1)",
          "164.312(c)(1)",
          "164.514(d)(3)(i)",
          "164.530(c)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(3)",
          "164.310(d)(1)",
          "164.312(c)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.2",
          "2.B.4",
          "2.B.5",
          "2.C.5",
          "2.C.5.1",
          "2.C.5.1-1",
          "2.C.5.1-2",
          "2.C.5.1-3",
          "MP-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-1",
          "SI-12"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.8",
          "CIP-011-3 1.2"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(b)",
          "500.18"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(C)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MP-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-01"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(f)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4b",
          "Sec 9",
          "Sec 9a",
          "Sec 16",
          "Annex"
        ],
        "emea-deu-c5-2020": [
          "COS-08"
        ],
        "emea-grc-pirppd-1997": [
          "9"
        ],
        "emea-hun-isdfi-2011": [
          "7",
          "8"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "5.1",
          "5.2",
          "5.3",
          "5.5",
          "11.6",
          "15.1",
          "15.6",
          "15.7"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31",
          "33",
          "34",
          "35",
          "42"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14",
          "29"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36",
          "47"
        ],
        "emea-rus-federal-law-27-2006": [
          "7",
          "12",
          "19"
        ],
        "emea-sau-cscc-1-2019": [
          "2-6",
          "2-6-1-3"
        ],
        "emea-sau-ecc-1-2018": [
          "2-1-6",
          "2-3-3",
          "2-3-3-2",
          "2-3-4",
          "2-7-1",
          "2-7-2",
          "2-7-3",
          "2-7-4",
          "2-7-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6",
          "2-6-1",
          "2-6-1-1",
          "2-6-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-24",
          "TPC-39",
          "TPC-58"
        ],
        "emea-srb-act-9-2018": [
          "65"
        ],
        "emea-zaf-popia-2013": [
          "14.1",
          "19",
          "21"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 22.1",
          "Article 22.3"
        ],
        "emea-esp-decree-311-2022": [
          "22.1",
          "22.3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.5.3 [MP.SI.3]"
        ],
        "emea-che-fadp-2025": [
          "6",
          "7"
        ],
        "emea-tur-lppd-2016": [
          "8",
          "12"
        ],
        "emea-gbr-caf-4-0": [
          "B3"
        ],
        "emea-gbr-cap-1850-2020": [
          "B3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2300",
          "2308"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2300"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2308"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2308"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 8",
          "APP Part 11"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0337",
          "ISM-0831",
          "ISM-1059",
          "ISM-1549",
          "ISM-1599"
        ],
        "apac-aus-ps-cps-234-2019": [
          "20",
          "21(a)"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 40"
        ],
        "apac-chn-csnip-2012": [
          "4"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 4",
          "Sec 33"
        ],
        "apac-ind-privacy-rules-2011": [
          "7",
          "8"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S14",
          "PR.DS.S4"
        ],
        "apac-jpn-ppi-2020": [
          "20"
        ],
        "apac-jpn-ismap": [
          "5.1.1.10",
          "5.1.1.14",
          "8.2",
          "8.2.3",
          "8.2.3.1",
          "13.2",
          "13.2.1",
          "13.2.1.10",
          "13.2.1.12",
          "13.2.1.13",
          "13.2.1.14"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP14",
          "HHSP34",
          "HHSP74",
          "HML14",
          "HML74"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP12",
          "HSUP30",
          "HSUP66"
        ],
        "apac-nzl-ism-3-9": [
          "4.4.10.C.01",
          "9.2.12.C.01",
          "9.2.13.C.01",
          "9.2.13.C.02",
          "9.2.14.C.01",
          "9.2.15.C.01",
          "9.2.15.C.02",
          "9.2.17.C.01",
          "9.2.17.C.02",
          "9.2.18.C.01",
          "9.2.19.C.01",
          "9.2.19.C.02",
          "9.2.19.C.03",
          "9.2.19.C.04",
          "9.2.20.C.01",
          "13.2.6.C.01",
          "13.2.7.C.01"
        ],
        "apac-phl-dpa-2012": [
          "25"
        ],
        "apac-sgp-pdpa-2012": [
          "24",
          "26"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.1.1",
          "11.1.1(a)",
          "11.1.1(b)",
          "11.1.1(c)",
          "11.1.2",
          "11.1.3",
          "11.1.4",
          "11.1.5",
          "11.1.6",
          "11.1.7"
        ],
        "apac-twn-pdpa-2025": [
          "21"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.8",
          "6.10",
          "6.13"
        ],
        "americas-bra-lgpd-2018": [
          "46",
          "47"
        ],
        "americas-can-osfi-b13-2022": [
          "2.9.2",
          "3.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.D.01",
          "03.01.01.D.02",
          "03.08.01"
        ],
        "americas-can-pipeda-2000": [
          "Principle 7"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ]
      }
    },
    {
      "control_id": "DCH-01.1",
      "title": "Data Stewardship",
      "family": "DCH",
      "description": "Mechanisms exist to ensure data stewardship is assigned, documented and communicated.",
      "scf_question": "Does the organization ensure data stewardship is assigned, documented and communicated?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-02",
        "E-DCH-09"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document where sensitive/regulated data is stored, transmitted and/or processed.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure data stewardship is assigned, documented and communicated.",
        "4": "In addition to Data Classification & Handling (DCH) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Assigned roles & responsibilities",
        "small": "∙ Assigned roles & responsibilities",
        "medium": "∙ Assigned roles & responsibilities",
        "large": "∙ Assigned roles & responsibilities",
        "enterprise": "∙ Assigned roles & responsibilities"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1"
        ],
        "general-cis-csc-8-1": [
          "3.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1"
        ],
        "general-coso-2013": [
          "13"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-06"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-1.1"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04(12)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3-low": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04(12)"
        ],
        "general-nist-800-171-r3": [
          "03.08.01",
          "03.08.05.a"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-08",
          "PR.DS"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.4.1"
        ],
        "general-shared-assessments-sig-2025": [
          "P.8"
        ],
        "general-swift-cscf-2025": [
          "2.11A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "4.2.3.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-04(12)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-4(CE-12)"
        ],
        "emea-deu-c5-2020": [
          "AM-06"
        ],
        "emea-isr-cmo-1-0": [
          "11.6"
        ],
        "emea-sau-ecc-1-2018": [
          "2-7-3-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-39",
          "TPC-58"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.5.3 [MP.SI.3]"
        ],
        "apac-jpn-ppi-2020": [
          "21"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.3.1(c)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.01",
          "03.08.05.A"
        ]
      }
    },
    {
      "control_id": "DCH-01.2",
      "title": "Sensitive / Regulated Data Protection",
      "family": "DCH",
      "description": "Mechanisms exist to protect sensitive/regulated data wherever it is processed and/or stored.",
      "scf_question": "Does the organization protect sensitive/regulated data wherever it is processed and/or stored?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CRY-01",
        "E-DCH-02",
        "E-DCH-09"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ TAASD are categorized according to data classification and business criticality.\n▪ Data classification and handling criteria govern the requirements to protect sensitive/regulated data regardless of where it is stored, processed and/or transmitted.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document where sensitive/regulated data is stored, transmitted and/or processed.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect sensitive/regulated data wherever it is processed and/or stored.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "medium": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program",
        "large": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program",
        "enterprise": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-GV-1"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF4",
          "S7.4"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2-POF7",
          "C1.1-POF2",
          "CC8.1-POF17"
        ],
        "general-cis-csc-8-1": [
          "3.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1"
        ],
        "general-cobit-2019": [
          "DSS06.02",
          "DSS06.06"
        ],
        "general-iec-62443-2-1-2024": [
          "DATA 1.2"
        ],
        "general-iso-27701-2025": [
          "7.5.3(b)"
        ],
        "general-iso-42001-2023": [
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.4",
          "OP-3.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DM-P1",
          "CT.DM-P2"
        ],
        "general-nist-800-66-r2": [
          "164.312(c)"
        ],
        "general-nist-800-171-r2": [
          "3.10.6"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.d.01",
          "03.01.01.d.02",
          "03.01.02",
          "03.01.20.a",
          "03.01.20.b",
          "03.01.20.c.01",
          "03.01.20.d",
          "03.06.05.d",
          "03.08.01",
          "03.08.02",
          "03.08.05.a",
          "03.17.01.c"
        ],
        "general-nist-800-172": [
          "3.14.5e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-nist-csf-2-0": [
          "PR.DS"
        ],
        "general-pci-dss-4-0-1": [
          "3.5",
          "3.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.5.1"
        ],
        "general-sparta": [
          "CM0001"
        ],
        "general-swift-cscf-2025": [
          "2.5A",
          "2.9",
          "2.11A"
        ],
        "general-tisax-6-0-3": [
          "1.3.2",
          "8.2.6"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.PDRES"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.L"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "4.2.4"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.6"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "5.4.4"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.0"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(c)(1)",
          "164.514(d)(3)(i)",
          "164.530(c)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(c)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.5",
          "2.C.7",
          "2.C.7-1",
          "2.C.7-2",
          "2.C.8",
          "2.C.8.1",
          "2.C.8.2"
        ],
        "usa-federal-nispom-2020": [
          "§117.15(a)",
          "§117.15(a)(1)",
          "§117.15(a)(2)",
          "§117.15(a)(2)(i)",
          "§117.15(a)(2)(ii)",
          "§117.15(a)(3)",
          "§117.15(a)(3)(i)",
          "§117.15(a)(3)(ii)",
          "§117.15(a)(3)(iii)",
          "§117.15(a)(3)(iii)(A)",
          "§117.15(a)(3)(iii)(B)",
          "§117.15(a)(3)(iii)(C)",
          "§117.15(a)(3)(iii)(D)",
          "§117.15(a)(3)(iii)(E)",
          "§117.15(a)(3)(iii)(F)",
          "§117.15(a)(3)(iv)",
          "§117.15(a)(3)(iv)(A)",
          "§117.15(a)(3)(iv)(B)",
          "§117.15(b)",
          "§117.15(c)",
          "§117.15(c)(1)",
          "§117.15(c)(2)",
          "§117.15(c)(3)",
          "§117.15(e)(2)",
          "§117.15(e)(3)",
          "§117.15(e)(3)(i)",
          "§117.15(e)(3)(ii)",
          "§117.15(e)(3)(iii)",
          "§117.15(e)(3)(iv)",
          "§117.15(e)(6)",
          "§117.15(f)",
          "§117.15(f)(1)",
          "§117.15(f)(2)",
          "§117.15(f)(3)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2",
          "9-2.a"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(g)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.18"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(C)(3)"
        ],
        "usa-state-tx-sb2610-2025": [
          "542.004(a)(3)(A)",
          "542.004(a)(3)(B)",
          "542.004(a)(3)(C)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(3)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.1(3)(e)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-24",
          "TPC-39",
          "TPC-58"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 22.1",
          "Article 22.3"
        ],
        "emea-esp-decree-311-2022": [
          "22.1",
          "22.3"
        ],
        "emea-gbr-cap-1850-2020": [
          "B3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2308"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2308"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2308"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1802"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP14",
          "HHSP74",
          "HML14",
          "HML74"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP12",
          "HSUP66"
        ],
        "apac-nzl-ism-3-9": [
          "18.6.8.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "2.9.2",
          "3.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.D.01",
          "03.01.01.D.02",
          "03.01.02",
          "03.01.20.A",
          "03.01.20.B",
          "03.01.20.C.01",
          "03.01.20.D",
          "03.06.05.D",
          "03.08.01",
          "03.08.02",
          "03.08.05.A",
          "03.17.01.C"
        ]
      }
    },
    {
      "control_id": "DCH-01.3",
      "title": "Sensitive / Regulated Media Records",
      "family": "DCH",
      "description": "Mechanisms exist to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident.",
      "scf_question": "Does the organization ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-08"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Metadata tagging",
        "small": "∙ Data classification program\n∙ Metadata tagging",
        "medium": "∙ Data classification program\n∙ Metadata tagging",
        "large": "∙ Data classification program\n∙ Metadata tagging",
        "enterprise": "∙ Data classification program\n∙ Metadata tagging"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "OP-3.0"
        ],
        "general-nist-800-171-r3": [
          "03.08.05.c"
        ],
        "general-nist-csf-2-0": [
          "PR.DS"
        ],
        "general-scf-dpmp-2025": [
          "5.2"
        ],
        "apac-jpn-ismap": [
          "8.2.3.3",
          "8.2.3.4",
          "8.3.1.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.05.C"
        ]
      }
    },
    {
      "control_id": "DCH-01.4",
      "title": "Defining Access Authorizations for Sensitive / Regulated Data",
      "family": "DCH",
      "description": "Mechanisms exist to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.",
      "scf_question": "Does the organization explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-02",
        "E-DCH-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "medium": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program",
        "large": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program",
        "enterprise": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF4"
        ],
        "general-cis-csc-8-1": [
          "3.1",
          "3.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1",
          "3.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1",
          "3.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1",
          "3.3"
        ],
        "general-cobit-2019": [
          "DSS06.02",
          "DSS06.06"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-05"
        ],
        "general-iso-42001-2023": [
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-3.1"
        ],
        "general-nist-800-171-r3": [
          "03.01.02",
          "03.01.03",
          "03.01.04.b",
          "03.08.01",
          "03.08.02",
          "03.10.01.a",
          "03.15.02.c",
          "03.17.01.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.02.c",
          "A.03.17.01.c"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3",
          "NIST Tenet 4"
        ],
        "general-nist-csf-2-0": [
          "PR.DS"
        ],
        "general-tisax-6-0-3": [
          "1.3.2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.L"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.0"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)(ii)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.a"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.1(3)(e)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2301"
        ],
        "apac-jpn-ismap": [
          "8.2.3.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.02",
          "03.01.03",
          "03.01.04.B",
          "03.08.01",
          "03.08.02",
          "03.10.01.A",
          "03.15.02.C",
          "03.17.01.C"
        ]
      }
    },
    {
      "control_id": "DCH-02",
      "title": "Data & Asset Classification",
      "family": "DCH",
      "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
      "scf_question": "Does the organization ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-DCH-01",
        "E-DCH-02"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ TAASD are categorized according to data classification and business criticality.\n▪ Data classification and handling criteria govern requirements protect sensitive/regulated regardless of where it is stored, processed and/or transmitted.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to categorize data in accordance with organizational policies and standards.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document where sensitive/regulated data is stored, transmitted and/or processed.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ IT Asset Management (ITAM) program",
        "small": "∙ Data classification program\n∙ IT Asset Management (ITAM) program",
        "medium": "∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "large": "∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.3"
        ],
        "general-aicpa-tsc-2017": [
          "C1.1",
          "CC2.1",
          "CC2.1-POF7",
          "CC6.1-POF1"
        ],
        "general-cis-csc-8-1": [
          "3.1",
          "3.7"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1",
          "3.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1",
          "3.7"
        ],
        "general-cobit-2019": [
          "APO14.05"
        ],
        "general-coso-2013": [
          "13"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-06",
          "DSP-04"
        ],
        "general-csa-iot-2": [
          "DAT-01",
          "GVN-06"
        ],
        "general-iec-62443-2-1-2024": [
          "DATA 1.1",
          "DATA 1.2"
        ],
        "general-iso-27002-2022": [
          "5.9",
          "5.12"
        ],
        "general-iso-27017-2015": [
          "8.1.1",
          "8.2.1"
        ],
        "general-iso-27018-2025": [
          "5.9",
          "5.12"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.6"
        ],
        "general-nist-800-37-r2": [
          "TASK P-12",
          "TASK C-2"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.a",
          "03.08.01",
          "03.08.04"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-05",
          "PR.DS"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.2"
        ],
        "general-scf-dpmp-2025": [
          "1.2"
        ],
        "general-sparta": [
          "CM0001"
        ],
        "general-tisax-6-0-3": [
          "1.2.3",
          "1.3.2",
          "5.1.2",
          "8.2.4",
          "8.2.6"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.DLABE"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.L"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "4.1.1",
          "4.2.1",
          "4.2.2",
          "4.3"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.1",
          "4.2"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.0",
          "5.6"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)(ii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "RA-02-SID"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(f)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.3(17)",
          "3.3.3(18)",
          "3.3.3(19)",
          "3.5(54)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.3",
          "12.1.1",
          "12.1.2(a)"
        ],
        "emea-deu-bsrit-2017": [
          "7.13",
          "7.14",
          "12.4"
        ],
        "emea-deu-c5-2020": [
          "AM-02",
          "AM-06",
          "COS-08",
          "PI-01"
        ],
        "emea-isr-cmo-1-0": [
          "5.3",
          "15.2"
        ],
        "emea-sau-cscc-1-2019": [
          "2-6-1-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-6-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-1-5",
          "2-7-3-2",
          "4-2-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-24"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 40.1",
          "Article 40.2",
          "Article 41.2"
        ],
        "emea-esp-decree-311-2022": [
          "40.1",
          "40.2",
          "41.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.7.2 [MP.INFO.2]"
        ],
        "emea-gbr-caf-4-0": [
          "B3.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "B3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2301"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0270",
          "ISM-0271",
          "ISM-0272",
          "ISM-0294",
          "ISM-0296",
          "ISM-0323",
          "ISM-0393"
        ],
        "apac-aus-ps-cps-234-2019": [
          "20",
          "21(a)"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S2"
        ],
        "apac-jpn-ismap": [
          "8.2.1",
          "8.2.1.1",
          "8.2.1.2",
          "8.2.1.3",
          "8.2.1.4",
          "8.2.1.5",
          "8.2.1.6",
          "8.2.1.7",
          "8.2.1.8",
          "8.2.1.9",
          "8.2.1.10"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HML34"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP30"
        ],
        "apac-nzl-ism-3-9": [
          "12.3.4.C.01",
          "12.3.5.C.01",
          "12.3.5.C.02",
          "12.3.6.C.01",
          "12.3.7.C.01",
          "18.6.8.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.3.1(b)"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.8"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2.2",
          "3.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.A",
          "03.08.01",
          "03.08.04"
        ]
      }
    },
    {
      "control_id": "DCH-02.1",
      "title": "Highest Classification Level",
      "family": "DCH",
      "description": "Mechanisms exist to ensure that Technology Assets, Applications and/or Services (TAAS) are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.",
      "scf_question": "Does the organization ensure that Technology Assets, Applications and/or Services (TAAS) are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ TAASD are categorized according to data classification and business criticality.\n▪ Data classification and handling criteria govern requirements protect sensitive/regulated regardless of where it is stored, processed and/or transmitted.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to categorize data in accordance with organizational policies and standards.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that Technology Assets, Applications and/or Services (TAAS) are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ IT Asset Management (ITAM) program",
        "small": "∙ Data classification program\n∙ IT Asset Management (ITAM) program",
        "medium": "∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "large": "∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "3.7",
          "3.12"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.7",
          "3.12"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.7",
          "3.12"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-17"
        ],
        "general-csa-iot-2": [
          "GVN-06"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.1.2(b)"
        ],
        "emea-sau-cscc-1-2019": [
          "2-6-1-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-24"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0323",
          "ISM-0325"
        ],
        "apac-nzl-ism-3-9": [
          "4.4.9.C.01",
          "13.2.8.C.01",
          "13.2.9.C.01",
          "18.6.9.C.01"
        ]
      }
    },
    {
      "control_id": "DCH-03",
      "title": "Media Access",
      "family": "DCH",
      "description": "Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals.",
      "scf_question": "Does the organization control and restrict access to digital and non-digital media to authorized individuals?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-02"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to control and restrict access to digital and non-digital media to authorized individuals.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)",
        "medium": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program",
        "large": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program",
        "enterprise": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "C1.1"
        ],
        "general-cis-csc-8-1": [
          "3.1",
          "3.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1",
          "3.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1",
          "3.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1",
          "3.3"
        ],
        "general-govramp": [
          "MP-02"
        ],
        "general-govramp-low": [
          "MP-02"
        ],
        "general-govramp-low-plus": [
          "MP-02"
        ],
        "general-govramp-mod": [
          "MP-02"
        ],
        "general-govramp-high": [
          "MP-02"
        ],
        "general-iso-27002-2022": [
          "7.1"
        ],
        "general-iso-27018-2025": [
          "7.10"
        ],
        "general-nist-800-53-r4": [
          "MP-2"
        ],
        "general-nist-800-53-r5-2": [
          "MP-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "MP-02"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "MP-02"
        ],
        "general-nist-800-82-r3-low": [
          "MP-02"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-02"
        ],
        "general-nist-800-82-r3-high": [
          "MP-02"
        ],
        "general-nist-800-171-r2": [
          "3.1.3",
          "3.8.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.03",
          "03.08.01",
          "03.08.02"
        ],
        "general-nist-800-171a": [
          "3.1.3[c]",
          "3.8.2"
        ],
        "general-nist-800-171a-r3": [
          "A.03.08.02"
        ],
        "general-nist-csf-2-0": [
          "PR.DS"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.L"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-2"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.3",
          "MPL2.-3.8.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "MP-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MP-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-02"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-39"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2301"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03",
          "03.08.01",
          "03.08.02"
        ]
      }
    },
    {
      "control_id": "DCH-03.1",
      "title": "Disclosure of Information",
      "family": "DCH",
      "description": "Mechanisms exist to restrict the disclosure of sensitive/regulated data to authorized parties with a need to know.",
      "scf_question": "Does the organization restrict the disclosure of sensitive/regulated data to authorized parties with a need to know?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the disclosure of sensitive/regulated data to authorized parties with a need to know.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Non-Disclosure Agreements (NDAs)",
        "small": "∙ Non-Disclosure Agreements (NDAs)",
        "medium": "∙ Non-Disclosure Agreements (NDAs)\n∙ Data Loss Prevention (DLP)",
        "large": "∙ Non-Disclosure Agreements (NDAs)\n∙ Data Loss Prevention (DLP)",
        "enterprise": "∙ Non-Disclosure Agreements (NDAs)\n∙ Data Loss Prevention (DLP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF5"
        ],
        "general-aicpa-tsc-2017": [
          "P6.0",
          "P6.1-POF2",
          "P6.1-POF3",
          "P6.1-POF4",
          "P6.4-POF1"
        ],
        "general-cis-csc-8-1": [
          "3.1",
          "3.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1",
          "3.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1",
          "3.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1",
          "3.3"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-05",
          "DSP-18"
        ],
        "general-iso-22301-2019": [
          "7.4(a)",
          "7.4(b)",
          "7.4(c)",
          "7.4(d)",
          "7.4(e)",
          "7.5.3.1",
          "7.5.3.1(a)",
          "7.5.3.2",
          "7.5.3.2(a)",
          "7.5.3.2(b)",
          "7.5.3.2(c)",
          "7.5.3.2(d)"
        ],
        "general-iso-42001-2023": [
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a",
          "03.15.02.c",
          "03.17.01.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.02.c",
          "A.03.17.01.c"
        ],
        "general-pci-dss-4-0-1": [
          "7.1"
        ],
        "general-swift-cscf-2025": [
          "2.1",
          "2.4",
          "2.11A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "4.2.3.3"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "III.8.c.i",
          "III.8.d.i",
          "III.14.d.i"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(k)(1)"
        ],
        "usa-federal-law-ferpa-2010": [
          "1232g(d)",
          "1232h(c)(1)(B)",
          "1232h(c)(1)(B)(i)",
          "1232h(c)(1)(B)(ii)",
          "1232h(c)(1)(B)(iii)",
          "1232h(c)(1)(B)(iv)",
          "1232h(c)(1)(B)(v)",
          "1232h(c)(1)(B)(vi)",
          "1232h(c)(1)(B)(vii)",
          "1232h(c)(1)(B)(viii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.510(b)(1)(i)",
          "164.510(b)(1)(ii)",
          "164.510(b)(2)",
          "164.510(b)(4)",
          "164.510(b)(5)",
          "164.512",
          "164.512(a)(1)",
          "164.512(c)(1)",
          "164.512(c)(1)(i)",
          "164.512(c)(1)(ii)",
          "164.512(c)(1)(iii)(A)",
          "164.512(c)(1)(iii)(B)",
          "164.512(c)(2)",
          "164.512(c)(2)(i)",
          "164.512(c)(2)(ii)",
          "164.512(d)(1)",
          "164.512(d)(1)(i)",
          "164.512(d)(1)(ii)",
          "164.512(d)(1)(iii)",
          "164.512(d)(1)(iv)",
          "164.512(e)(1)",
          "164.512(e)(1)(i)",
          "164.512(e)(1)(ii)",
          "164.512(e)(1)(ii)(A)",
          "164.512(e)(1)(ii)(B)",
          "164.512(e)(1)(iii)",
          "164.512(e)(1)(iii)(A)",
          "164.512(e)(1)(iii)(B)",
          "164.512(e)(1)(iii)(C)",
          "164.512(e)(1)(iii)(C)(1)",
          "164.512(e)(1)(iii)(C)(2)",
          "164.512(e)(1)(iv)",
          "164.512(e)(1)(iv)(A)",
          "164.512(e)(1)(iv)(B)",
          "164.512(e)(1)(v)",
          "164.512(e)(1)(v)(A)",
          "164.512(e)(1)(v)(B)",
          "164.512(e)(1)(vi)",
          "164.512(f)",
          "164.512(f)(1)",
          "164.512(f)(1)(i)",
          "164.512(f)(1)(ii)(A)",
          "164.512(f)(1)(ii)(B)",
          "164.512(f)(1)(ii)(C)",
          "164.512(f)(1)(ii)(C)(1)",
          "164.512(f)(1)(ii)(C)(2)",
          "164.512(f)(1)(ii)(C)(3)",
          "164.512(f)(2)",
          "164.512(f)(2)(i)(A)",
          "164.512(f)(2)(i)(B)",
          "164.512(f)(2)(i)(C)",
          "164.512(f)(2)(i)(D)",
          "164.512(f)(2)(i)(E)",
          "164.512(f)(2)(i)(F)",
          "164.512(f)(2)(i)(G)",
          "164.512(f)(2)(i)(H)",
          "164.512(f)(2)(ii)",
          "164.512(f)(3)",
          "164.512(f)(3)(i)",
          "164.512(f)(3)(ii)",
          "164.512(f)(3)(ii)(A)",
          "164.512(f)(3)(ii)(B)",
          "164.512(f)(3)(ii)(C)",
          "164.512(f)(4)",
          "164.512(f)(5)",
          "164.512(f)(6)(i)",
          "164.512(f)(6)(i)(A)",
          "164.512(f)(6)(i)(B)",
          "164.512(f)(6)(i)(C)",
          "164.512(f)(6)(ii)",
          "164.512(g)(1)",
          "164.512(g)(2)",
          "164.512(h)",
          "164.512(i)(1)",
          "164.512(j)(1)",
          "164.514(d)(3)(i)",
          "164.514(d)(3)(ii)(A)",
          "164.514(d)(3)(ii)(B)",
          "164.514(d)(3)(iii)",
          "164.514(d)(3)(iii)(A)",
          "164.514(d)(3)(iii)(B)",
          "164.514(d)(3)(iii)(C)",
          "164.514(d)(3)(iii)(D)",
          "164.514(d)(4)",
          "164.514(d)(4)(i)",
          "164.514(d)(4)(ii)",
          "164.514(d)(4)(iii)(A)",
          "164.514(d)(4)(iii)(B)",
          "164.514(d)(5)",
          "164.514(e)(1)",
          "164.514(e)(2)",
          "164.514(e)(2)(i)",
          "164.514(e)(2)(ii)",
          "164.514(e)(2)(iii)",
          "164.514(e)(2)(iv)",
          "164.514(e)(2)(v)",
          "164.514(e)(2)(vi)",
          "164.514(e)(2)(vii)",
          "164.514(e)(2)(viii)",
          "164.514(e)(2)(ix)",
          "164.514(e)(2)(x)",
          "164.514(e)(2)(xi)",
          "164.514(e)(2)(xii)",
          "164.514(e)(2)(xiii)",
          "164.514(e)(2)(xiv)",
          "164.514(e)(2)(xv)",
          "164.514(e)(2)(xvi)",
          "164.514(e)(3)(i)",
          "164.514(e)(3)(ii)",
          "164.514(e)(4)(i)",
          "164.514(e)(4)(ii)",
          "164.514(e)(4)(ii)(A)",
          "164.514(e)(4)(ii)(B)",
          "164.514(e)(4)(ii)(C)",
          "164.514(e)(4)(ii)(C)(1)",
          "164.514(e)(4)(ii)(C)(2)",
          "164.514(e)(4)(ii)(C)(3)",
          "164.514(e)(4)(ii)(C)(4)",
          "164.514(e)(4)(ii)(C)(5)",
          "164.532(a)",
          "164.532(b)",
          "164.532(c)",
          "164.532(c)(1)",
          "164.532(d)"
        ],
        "usa-federal-nispom-2020": [
          "§117.15(h)",
          "§117.15(h)(1)",
          "§117.15(h)(2)",
          "§117.15(h)(2)(i)",
          "§117.15(h)(2)(i)(A)",
          "§117.15(h)(2)(i)(B)",
          "§117.19(b)(3)(i)",
          "§117.19(b)(4)(i)",
          "§117.19(b)(5)(i)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "8-3.a(2)"
        ],
        "usa-state-ak-pipa-2009": [
          "45.48.400",
          "45.48.430",
          "45.48.430.1",
          "45.48.430.2",
          "45.48.430.3",
          "45.48.430.4",
          "45.48.430.5",
          "45.48.430.6"
        ],
        "emea-isr-cmo-1-0": [
          "10.5"
        ],
        "emea-sau-cscc-1-2019": [
          "2-6-1-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-4"
        ],
        "emea-sau-pdpl-2023": [
          "Article 15.3",
          "Article 15.4",
          "Article 15.5",
          "Article 15.6",
          "Article 16.1",
          "Article 16.2",
          "Article 16.3",
          "Article 16.4",
          "Article 16.5",
          "Article 16.6",
          "Article 16.7",
          "Article 16.8",
          "Article 16.9"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-39"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A",
          "03.15.02.C",
          "03.17.01.C"
        ]
      }
    },
    {
      "control_id": "DCH-03.2",
      "title": "Masking Displayed Data",
      "family": "DCH",
      "description": "Mechanisms exist to apply data masking to sensitive/regulated information that is displayed or printed.",
      "scf_question": "Does the organization apply data masking to sensitive/regulated information that is displayed or printed?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to apply data masking to sensitive/regulated information that is displayed or printed.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ IT Asset Management (ITAM) program",
        "small": "∙ Data classification program\n∙ IT Asset Management (ITAM) program",
        "medium": "∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "large": "∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-iso-27002-2022": [
          "8.11"
        ],
        "general-iso-27018-2025": [
          "8.11"
        ],
        "general-pci-dss-4-0-1": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.4.1"
        ],
        "usa-state-ak-pipa-2009": [
          "45.48.750"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(C)"
        ],
        "usa-state-il-ipa-2009": [
          "35(a)(4)",
          "37(a)(4)"
        ]
      }
    },
    {
      "control_id": "DCH-03.3",
      "title": "Controlled Release",
      "family": "DCH",
      "description": "Automated mechanisms exist to validate cybersecurity and data protection attributes prior to releasing information to external Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization use automated mechanisms to validate cybersecurity and data protection attributes prior to releasing information to external Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 4,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically validate cybersecurity and data protection attributes prior to releasing information to external Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-BC-5",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-3(9)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-03(09)"
        ],
        "general-nist-800-82-r3": [
          "AC-03(09)"
        ],
        "general-nist-800-161-r1": [
          "AC-3(9)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-3(9)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-3(9)"
        ],
        "general-swift-cscf-2025": [
          "2.1"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-3(CE-9)",
          "AC-3(CE-9).a",
          "AC-3(CE-9).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-3(9)",
          "AC-3(9).a",
          "AC-3(9).b"
        ]
      }
    },
    {
      "control_id": "DCH-04",
      "title": "Media Marking",
      "family": "DCH",
      "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
      "scf_question": "Does the organization mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program",
        "small": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program",
        "medium": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "large": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-govramp": [
          "MP-03"
        ],
        "general-govramp-low-plus": [
          "MP-03"
        ],
        "general-govramp-mod": [
          "MP-03"
        ],
        "general-govramp-high": [
          "MP-03"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.13"
        ],
        "general-iso-27017-2015": [
          "8.1.3",
          "8.2.2"
        ],
        "general-iso-27018-2025": [
          "5.10",
          "5.13"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-3.0"
        ],
        "general-nist-800-53-r4": [
          "MP-3"
        ],
        "general-nist-800-53-r5-2": [
          "MP-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-03"
        ],
        "general-nist-800-53-r5-2-mod": [
          "MP-03"
        ],
        "general-nist-800-82-r3": [
          "MP-03"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-03"
        ],
        "general-nist-800-82-r3-high": [
          "MP-03"
        ],
        "general-nist-800-171-r2": [
          "3.8.4"
        ],
        "general-nist-800-171-r3": [
          "03.08.04"
        ],
        "general-nist-800-171a": [
          "3.8.4[a]",
          "3.8.4[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.08.04[01]",
          "A.03.08.04[02]",
          "A.03.08.04[03]"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.DLABE"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-3"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-03"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.6-1",
          "MP-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-3",
          "MP-3.a",
          "MP-3.b"
        ],
        "usa-federal-nispom-2020": [
          "§117.14(a)(1)",
          "§117.14(a)(2)",
          "§117.14(b)",
          "§117.14(c)",
          "§117.14(d)",
          "§117.14(e)",
          "§117.14(f)",
          "§117.14(f)(1)",
          "§117.14(f)(2)",
          "§117.14(g)",
          "§117.14(g)(1)",
          "§117.14(g)(2)",
          "§117.14(h)",
          "§117.14(i)",
          "§117.14(i)(1)",
          "§117.14(i)(1)(i)",
          "§117.14(i)(1)(ii)",
          "§117.14(i)(2)",
          "§117.14(i)(3)",
          "§117.14(i)(4)",
          "§117.14(j)",
          "§117.14(j)(1)",
          "§117.14(j)(1)(i)",
          "§117.14(j)(1)(ii)",
          "§117.14(j)(1)(iii)",
          "§117.14(j)(2)",
          "§117.14(j)(3)",
          "§117.14(k)",
          "§117.14(k)(1)",
          "§117.14(k)(2)",
          "§117.14(k)(3)",
          "§117.14(k)(3)(i)",
          "§117.14(k)(3)(ii)",
          "§117.14(k)(3)(iii)",
          "§117.14(l)",
          "§117.14(m)",
          "§117.14(m)(1)",
          "§117.14(m)(2)",
          "§117.14(m)(2)(i)",
          "§117.14(m)(2)(ii)",
          "§117.14(m)(2)(iii)",
          "§117.14(m)(3)",
          "§117.14(n)",
          "§117.14(n)(1)",
          "§117.14(n)(2)",
          "§117.14(n)(3)",
          "§117.14(o)",
          "§117.14(p)",
          "§117.14(q)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "2-6",
          "2-7",
          "2-7.a(1)",
          "2-7.a(2)",
          "2-7.a(3)",
          "2-7.b",
          "2-7.b(1)(a)",
          "2-7.b(1)(b)",
          "2-7.b(2)(a)",
          "2-7.b(2)(b)",
          "2-7.c(1)",
          "2-7.c(2)",
          "2-7.c(2)(a)",
          "2-7.c(2)(b)",
          "2-7.c(2)(c)",
          "9-2.c"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-03"
        ],
        "emea-deu-c5-2020": [
          "AM-06"
        ],
        "emea-isr-cmo-1-0": [
          "15.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.5.1 [MP.SI.1]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0201",
          "ISM-0270",
          "ISM-0272",
          "ISM-0294",
          "ISM-0296",
          "ISM-0332",
          "ISM-0356",
          "ISM-0358",
          "ISM-0360"
        ],
        "apac-jpn-ismap": [
          "8.2.2",
          "8.2.2.1",
          "8.2.2.2",
          "8.2.2.3",
          "8.2.2.4",
          "8.2.2.5",
          "8.2.2.6",
          "8.2.2.7.PB",
          "8.2.3.6"
        ],
        "apac-nzl-ism-3-9": [
          "4.4.10.C.01",
          "12.3.4.C.01",
          "12.3.5.C.01",
          "12.3.5.C.02",
          "12.3.6.C.01",
          "12.3.7.C.01",
          "13.2.12.C.01",
          "13.2.12.C.02",
          "13.2.12.C.03",
          "13.2.12.C.04",
          "13.2.13.C.01",
          "13.2.14.C.01",
          "13.2.14.C.02",
          "21.1.21.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.04"
        ]
      }
    },
    {
      "control_id": "DCH-04.1",
      "title": "Automated Marking",
      "family": "DCH",
      "description": "Automated mechanisms exist to mark physical media and digital files to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aid Data Loss Prevention (DLP) technologies.",
      "scf_question": "Does the organization use automated mechanisms to mark physical media and digital files to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aid Data Loss Prevention (DLP) technologies?",
      "relative_weight": 2,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically mark physical media and digital files to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aid Data Loss Prevention (DLP) technologies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program",
        "small": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program",
        "medium": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "large": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Metadata tagging\n∙ IT Asset Management (ITAM) program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "UEM-11"
        ],
        "general-govramp": [
          "MP-03"
        ],
        "general-govramp-low-plus": [
          "MP-03"
        ],
        "general-govramp-mod": [
          "MP-03"
        ],
        "general-govramp-high": [
          "MP-03"
        ],
        "general-nist-800-53-r5-2": [
          "MP-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-03"
        ],
        "general-nist-800-53-r5-2-mod": [
          "MP-03"
        ],
        "general-nist-800-82-r3": [
          "MP-03"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-03"
        ],
        "general-nist-800-82-r3-high": [
          "MP-03"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-3"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.6.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-03"
        ],
        "usa-federal-irs-1075-2021": [
          "MP-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-03"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0271"
        ]
      }
    },
    {
      "control_id": "DCH-05",
      "title": "Cybersecurity & Data Protection Attributes",
      "family": "DCH",
      "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
      "scf_question": "Does the organization bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Metadata tagging",
        "small": "∙ Data classification program\n∙ Metadata tagging",
        "medium": "∙ Data classification program\n∙ Metadata tagging\n∙ Data governance program",
        "large": "∙ Data classification program\n∙ Metadata tagging\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Metadata tagging\n∙ Data governance program"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-csa-iot-2": [
          "DAT-01"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.003",
          "T1005",
          "T1020.001",
          "T1025",
          "T1040",
          "T1041",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1114",
          "T1114.001",
          "T1114.002",
          "T1114.003",
          "T1119",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1505",
          "T1505.002",
          "T1530",
          "T1537",
          "T1547.007",
          "T1548",
          "T1548.003",
          "T1548.006",
          "T1550.001",
          "T1552",
          "T1552.004",
          "T1552.005",
          "T1556.009",
          "T1557",
          "T1557.002",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1564.004",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1567",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1647"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DM-P7"
        ],
        "general-nist-800-53-r4": [
          "AC-16"
        ],
        "general-nist-800-53-r5-2": [
          "AC-16"
        ],
        "general-nist-800-82-r3": [
          "AC-16"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.3.3",
          "4.3.5",
          "5.1.2"
        ]
      }
    },
    {
      "control_id": "DCH-05.1",
      "title": "Dynamic Attribute Association",
      "family": "DCH",
      "description": "Mechanisms exist to dynamically associate cybersecurity and data protection attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and data protection policies.",
      "scf_question": "Does the organization dynamically associate cybersecurity and data protection attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and data protection policies?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to dynamically associate cybersecurity and data protection attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and data protection policies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(01)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(01)"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.6"
        ]
      }
    },
    {
      "control_id": "DCH-05.2",
      "title": "Attribute Value Changes By Authorized Individuals",
      "family": "DCH",
      "description": "Mechanisms exist to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated cybersecurity and data protection attributes.",
      "scf_question": "Does the organization provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated cybersecurity and data protection attributes?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated cybersecurity and data protection attributes.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(02)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(02)"
        ]
      }
    },
    {
      "control_id": "DCH-05.3",
      "title": "Maintenance of Attribute Associations By System",
      "family": "DCH",
      "description": "Mechanisms exist to maintain the association and integrity of cybersecurity and data protection attributes to individuals and objects.",
      "scf_question": "Does the organization maintain the association and integrity of cybersecurity and data protection attributes to individuals and objects?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain the association and integrity of cybersecurity and data protection attributes to individuals and objects.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(03)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(03)"
        ]
      }
    },
    {
      "control_id": "DCH-05.4",
      "title": "Association of Attributes By Authorized Individuals",
      "family": "DCH",
      "description": "Mechanisms exist to provide the capability to associate cybersecurity and data protection attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals).",
      "scf_question": "Does the organization provide the capability to associate cybersecurity and data protection attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals)?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide the capability to associate cybersecurity and data protection attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals).",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(04)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(04)"
        ]
      }
    },
    {
      "control_id": "DCH-05.5",
      "title": "Attribute Displays for Output Devices",
      "family": "DCH",
      "description": "Mechanisms exist to display cybersecurity and data protection attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions.",
      "scf_question": "Does the organization display cybersecurity and data protection attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to display cybersecurity and data protection attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(05)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(05)"
        ]
      }
    },
    {
      "control_id": "DCH-05.6",
      "title": "Data Subject Attribute Associations",
      "family": "DCH",
      "description": "Mechanisms exist to require personnel to associate and maintain the association of cybersecurity and data protection attributes with individuals and objects in accordance with cybersecurity and data protection policies.",
      "scf_question": "Does the organization require personnel to associate and maintain the association of cybersecurity and data protection attributes with individuals and objects in accordance with cybersecurity and data protection policies?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require personnel to associate and maintain the association of cybersecurity and data protection attributes with individuals and objects in accordance with cybersecurity and data protection policies.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(06)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(06)"
        ]
      }
    },
    {
      "control_id": "DCH-05.7",
      "title": "Consistent Attribute Interpretation",
      "family": "DCH",
      "description": "Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of cybersecurity and data protection attributes employed in access enforcement and flow enforcement decisions between distributed system components.",
      "scf_question": "Does the organization provide a consistent, organizationally agreed upon interpretation of cybersecurity and data protection attributes employed in access enforcement and flow enforcement decisions between distributed system components?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide a consistent, organizationally agreed upon interpretation of cybersecurity and data protection attributes employed in access enforcement and flow enforcement decisions between distributed system components.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(07)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(07)"
        ]
      }
    },
    {
      "control_id": "DCH-05.8",
      "title": "Identity Association Techniques & Technologies",
      "family": "DCH",
      "description": "Mechanisms exist to associate cybersecurity and data protection attributes to information.",
      "scf_question": "Does the organization associate cybersecurity and data protection attributes to information?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to associate cybersecurity and data protection attributes to information.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(08)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(08)"
        ]
      }
    },
    {
      "control_id": "DCH-05.9",
      "title": "Attribute Reassignment",
      "family": "DCH",
      "description": "Mechanisms exist to reclassify data as required, due to changing business/technical requirements.",
      "scf_question": "Does the organization reclassify data as required, due to changing business/technical requirements?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to reclassify data as required, due to changing business/technical requirements.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(09)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(09)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0325"
        ]
      }
    },
    {
      "control_id": "DCH-05.10",
      "title": "Attribute Configuration By Authorized Individuals",
      "family": "DCH",
      "description": "Mechanisms exist to provide authorized individuals the capability to define or change the type and value of cybersecurity and data protection attributes available for association with subjects and objects.",
      "scf_question": "Does the organization provide authorized individuals the capability to define or change the type and value of cybersecurity and data protection attributes available for association with subjects and objects?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide authorized individuals the capability to define or change the type and value of cybersecurity and data protection attributes available for association with subjects and objects.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-16(10)"
        ],
        "general-nist-800-82-r3": [
          "AC-16(10)"
        ]
      }
    },
    {
      "control_id": "DCH-05.11",
      "title": "Audit Changes",
      "family": "DCH",
      "description": "Mechanisms exist to audit changes to cybersecurity and data protection attributes and respond to events in accordance with incident response procedures.",
      "scf_question": "Does the organization audit changes to cybersecurity and data protection attributes and respond to events in accordance with incident response procedures?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to audit changes to cybersecurity and data protection attributes and respond to events in accordance with incident response procedures.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {}
    },
    {
      "control_id": "DCH-06",
      "title": "Media Storage",
      "family": "DCH",
      "description": "Mechanisms exist to: \n(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and\n(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
      "scf_question": "Does the organization: \n (1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and\n (2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-02",
        "E-DCH-13"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to: \n(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and\n(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical Access Control (PAC)",
        "small": "∙ Physical Access Control (PAC)",
        "medium": "∙ Physical Access Control (PAC)",
        "large": "∙ Physical Access Control (PAC)\n∙ Data governance program",
        "enterprise": "∙ Physical Access Control (PAC)\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-govramp": [
          "MP-04"
        ],
        "general-govramp-low-plus": [
          "MP-04"
        ],
        "general-govramp-mod": [
          "MP-04"
        ],
        "general-govramp-high": [
          "MP-04"
        ],
        "general-iso-27002-2022": [
          "7.1"
        ],
        "general-iso-27018-2025": [
          "7.10"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-1.3",
          "OP-3.2"
        ],
        "general-nist-800-53-r4": [
          "MP-4"
        ],
        "general-nist-800-53-r5-2": [
          "MP-04"
        ],
        "general-nist-800-53-r5-2-mod": [
          "MP-04"
        ],
        "general-nist-800-82-r3": [
          "MP-04"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-04"
        ],
        "general-nist-800-82-r3-high": [
          "MP-04"
        ],
        "general-nist-800-161-r1": [
          "MP-4"
        ],
        "general-nist-800-161-r1-flowdown": [
          "MP-4"
        ],
        "general-nist-800-161-r1-level-1": [
          "MP-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "MP-4"
        ],
        "general-nist-800-171-r2": [
          "3.8.1"
        ],
        "general-nist-800-171-r3": [
          "03.08.01"
        ],
        "general-nist-800-171a-r3": [
          "A.03.08.01[01]",
          "A.03.08.01[02]"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-07"
        ],
        "general-pci-dss-4-0-1": [
          "9.1",
          "9.4",
          "9.4.1",
          "9.4.1.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.1",
          "9.4.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.1",
          "9.4.1.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.4.1"
        ],
        "general-tisax-6-0-3": [
          "8.2.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-4"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.1"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-04"
        ],
        "usa-federal-irs-1075-2021": [
          "2.D.5",
          "MP-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-4",
          "MP-4.a",
          "MP-4.b",
          "MP-4-IS.1"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(C)(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-04"
        ],
        "emea-isr-cmo-1-0": [
          "15.3"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-3-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2308"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2308"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2308"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S14"
        ],
        "apac-jpn-ismap": [
          "8.3.1.4"
        ],
        "apac-nzl-ism-3-9": [
          "8.4.10.C.01",
          "8.4.11.C.01",
          "8.4.12.C.01",
          "8.4.13.C.01",
          "13.3.5.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.01"
        ]
      }
    },
    {
      "control_id": "DCH-06.1",
      "title": "Physically Secure All Media",
      "family": "DCH",
      "description": "Mechanisms exist to physically secure all media that contains sensitive information.",
      "scf_question": "Does the organization physically secure all media that contains sensitive information?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to physically secure all media that contains sensitive information.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical Access Control (PAC)",
        "small": "∙ Physical Access Control (PAC)",
        "medium": "∙ Physical Access Control (PAC)",
        "large": "∙ Physical Access Control (PAC)",
        "enterprise": "∙ Physical Access Control (PAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "OP-1.3"
        ],
        "general-nist-800-171-r3": [
          "03.08.01"
        ],
        "general-pci-dss-4-0-1": [
          "9.1",
          "9.4",
          "9.4.1",
          "9.4.1.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.1",
          "9.4.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.1",
          "9.4.1.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.4.1"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.6",
          "2.B.6-2",
          "2.B.6-3"
        ],
        "apac-jpn-ismap": [
          "8.3.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.01"
        ]
      }
    },
    {
      "control_id": "DCH-06.2",
      "title": "Sensitive Data Inventories",
      "family": "DCH",
      "description": "Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually.",
      "scf_question": "Does the organization maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-08"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document where sensitive/regulated data is stored, transmitted and/or processed.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Sensitive data inventories",
        "small": "∙ Data classification program\n∙ Sensitive data inventories",
        "medium": "∙ Data classification program\n∙ Sensitive data inventories",
        "large": "∙ Data classification program\n∙ Sensitive data inventories\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Sensitive data inventories\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.4"
        ],
        "general-aicpa-tsc-2017": [
          "C1.1-POF1",
          "CC2.1-POF6"
        ],
        "general-cis-csc-8-1": [
          "3.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.2"
        ],
        "general-cobit-2019": [
          "DSS06.02"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-17"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P3"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.a",
          "03.04.11.b"
        ],
        "general-nist-800-172": [
          "3.1.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-07"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.1.2",
          "9.4.5",
          "9.4.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.1.2",
          "9.4.5",
          "9.4.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.1.2",
          "9.4.5",
          "9.4.5.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.DINVE"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AC.L3-3.1.2E"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ],
        "emea-gbr-caf-4-0": [
          "B3.a"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0336"
        ],
        "apac-ind-sebi-2024": [
          "ID.AM.S5"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS03"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2.2",
          "3.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.A",
          "03.04.11.B"
        ]
      }
    },
    {
      "control_id": "DCH-06.3",
      "title": "Periodic Scans for Sensitive / Regulated Data",
      "family": "DCH",
      "description": "Mechanisms exist to periodically scan unstructured data sources for sensitive/regulated data or data requiring special protection measures by statutory, regulatory or contractual obligations.",
      "scf_question": "Does the organization periodically scan unstructured data sources for sensitive/regulated data or data requiring special protection measures by statutory, regulatory or contractual obligations?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-DCH-10"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically scan unstructured data sources for sensitive/regulated data or data requiring special protection measures by statutory, regulatory or contractual obligations.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "3.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.2"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-07"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.5",
          "A3.2.5.1"
        ]
      }
    },
    {
      "control_id": "DCH-06.4",
      "title": "Making Sensitive Data Unreadable In Storage",
      "family": "DCH",
      "description": "Mechanisms exist to ensure sensitive/regulated data is rendered human unreadable anywhere sensitive/regulated data is stored.",
      "scf_question": "Does the organization ensure sensitive/regulated data is rendered human unreadable anywhere sensitive/regulated data is stored?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure sensitive/regulated data is rendered human unreadable anywhere sensitive/regulated data is stored.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Sensitive data inventories\n∙ Cryptographic governance program",
        "small": "∙ Data classification program\n∙ Sensitive data inventories\n∙ Cryptographic governance program",
        "medium": "∙ Data classification program\n∙ Sensitive data inventories\n∙ Cryptographic governance program",
        "large": "∙ Data classification program\n∙ Sensitive data inventories\n∙ Cryptographic governance program\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Sensitive data inventories\n∙ Cryptographic governance program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-17"
        ],
        "general-nist-800-171-r3": [
          "03.08.01"
        ],
        "general-pci-dss-4-0-1": [
          "9.4"
        ],
        "apac-nzl-ism-3-9": [
          "8.4.13.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.01"
        ]
      }
    },
    {
      "control_id": "DCH-06.5",
      "title": "Storing Authentication Data",
      "family": "DCH",
      "description": "Mechanisms exist to prohibit the storage of sensitive transaction authentication data after authorization.",
      "scf_question": "Does the organization prohibit the storage of sensitive transaction authentication data after authorization?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the storage of sensitive transaction authentication data after authorization.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "3.3",
          "3.3.1",
          "3.3.1.1",
          "3.3.1.2",
          "3.3.1.3",
          "3.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "3.3.1",
          "3.3.1.2",
          "3.3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.3.1",
          "3.3.1.1",
          "3.3.1.2",
          "3.3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.3.1",
          "3.3.1.1",
          "3.3.1.2",
          "3.3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "3.3.1",
          "3.3.1.2",
          "3.3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "3.3.1",
          "3.3.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.3.1",
          "3.3.1.2",
          "3.3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.3.1",
          "3.3.1.2",
          "3.3.1.3",
          "3.3.3"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "3.3.1.2"
        ]
      }
    },
    {
      "control_id": "DCH-07",
      "title": "Media Transportation",
      "family": "DCH",
      "description": "Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.",
      "scf_question": "Does the organization protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-14"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ Data classification and handling criteria govern user behavior for media handling.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.",
        "4": "Data Classification & Handling (DCH) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Assigned couriers",
        "small": "∙ Assigned couriers",
        "medium": "∙ Assigned couriers",
        "large": "∙ Assigned couriers",
        "enterprise": "∙ Assigned couriers"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DCS-05"
        ],
        "general-govramp": [
          "MP-05"
        ],
        "general-govramp-low-plus": [
          "MP-05"
        ],
        "general-govramp-mod": [
          "MP-05"
        ],
        "general-govramp-high": [
          "MP-05"
        ],
        "general-iso-27002-2022": [
          "5.14",
          "7.1"
        ],
        "general-iso-27017-2015": [
          "8.3.3",
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.14",
          "5.14(a)",
          "7.10"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-1.1",
          "OP-1.2",
          "OP-1.3"
        ],
        "general-nist-800-53-r4": [
          "MP-5"
        ],
        "general-nist-800-53-r5-2": [
          "MP-05"
        ],
        "general-nist-800-53-r5-2-mod": [
          "MP-05"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "MP-05"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-05"
        ],
        "general-nist-800-82-r3-high": [
          "MP-05"
        ],
        "general-nist-800-161-r1": [
          "MP-5"
        ],
        "general-nist-800-161-r1-level-1": [
          "MP-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "MP-5"
        ],
        "general-nist-800-171-r2": [
          "3.8.5"
        ],
        "general-nist-800-171-r3": [
          "03.08.05.a",
          "03.08.05.b"
        ],
        "general-nist-800-171a": [
          "3.8.5[a]",
          "3.8.5[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.08.05.a[01]",
          "A.03.08.05.a[02]",
          "A.03.08.05.b",
          "A.03.08.05.c"
        ],
        "general-pci-dss-4-0-1": [
          "9.4",
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-5"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.5"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-05"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.4",
          "2.B.4.1",
          "MP-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-5",
          "MP-5.a",
          "MP-5.b",
          "MP-5.c",
          "MP-5.d",
          "MP-5-IS.1",
          "MP-5-IS.2",
          "MP-5-IS.3",
          "MP-CMS-1",
          "MP-CMS-1-IS.1",
          "MP-CMS-1-IS.1.a",
          "MP-CMS-1-IS.1.b",
          "MP-CMS-1-IS.1.c",
          "MP-CMS-1-IS.1.d",
          "MP-CMS-1-IS.1.e",
          "MP-CMS-1-IS.1.f"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-3.c",
          "11-5",
          "11-5.a",
          "11-5.b"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-05"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.3.2(c)"
        ],
        "emea-isr-cmo-1-0": [
          "15.7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-4"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.5.4 [MP.SI.4]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2302",
          "2506"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2302",
          "2506"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2302",
          "2506"
        ],
        "apac-jpn-ismap": [
          "8.3.3",
          "8.3.3.1",
          "8.3.3.2",
          "8.3.3.3",
          "8.3.3.4",
          "8.3.3.5",
          "13.2.2.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.05.A",
          "03.08.05.B"
        ]
      }
    },
    {
      "control_id": "DCH-07.1",
      "title": "Custodians",
      "family": "DCH",
      "description": "Mechanisms exist to identify custodians throughout the transport of digital or non-digital media.",
      "scf_question": "Does the organization identify custodians throughout the transport of digital or non-digital media?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ Data classification and handling criteria govern user behavior for media handling.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify custodians throughout the transport of digital or non-digital media.",
        "4": "Data Classification & Handling (DCH) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Chain of custody",
        "small": "∙ Chain of custody",
        "medium": "∙ Chain of custody",
        "large": "∙ Chain of custody",
        "enterprise": "∙ Chain of custody"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DCS-05"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.14"
        ],
        "general-iso-27017-2015": [
          "8.1.3",
          "8.2.3",
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.10",
          "5.14"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-1.1",
          "OP-1.2",
          "OP-1.3"
        ],
        "general-nist-800-53-r4": [
          "MP-5(3)"
        ],
        "general-nist-800-53-r5-2": [
          "MP-05(03)"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "MP-05(03)"
        ],
        "general-nist-800-171-r3": [
          "03.08.05.a",
          "03.08.05.b"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.3"
        ],
        "general-tisax-6-0-3": [
          "8.2.7"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.4",
          "MP-5(CE-3)"
        ],
        "usa-federal-nispom-2020": [
          "§117.15(f)(4)",
          "§117.15(f)(4)(i)",
          "§117.15(f)(4)(ii)",
          "§117.15(f)(4)(iii)",
          "§117.15(f)(4)(iv)"
        ],
        "emea-isr-cmo-1-0": [
          "15.7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-4"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.5.3 [MP.SI.3]"
        ],
        "apac-jpn-ismap": [
          "8.3.1.10"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.05.A",
          "03.08.05.B"
        ]
      }
    },
    {
      "control_id": "DCH-07.2",
      "title": "Encrypting Data In Storage Media",
      "family": "DCH",
      "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.",
      "scf_question": "Are cryptographic mechanisms utilized to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cryptographic governance program\n∙ Secure Baseline Configurations (SBC)\n∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "small": "∙ Cryptographic governance program\n∙ Secure Baseline Configurations (SBC)\n∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "medium": "∙ Cryptographic governance program\n∙ Secure Baseline Configurations (SBC)\n∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "large": "∙ Cryptographic governance program\n∙ Secure Baseline Configurations (SBC)\n∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)",
        "enterprise": "∙ Cryptographic governance program\n∙ Secure Baseline Configurations (SBC)\n∙ NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov)\n∙ Microsoft BitLocker (https://microsoft.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DCS-05"
        ],
        "general-govramp": [
          "SC-28(01)"
        ],
        "general-govramp-mod": [
          "SC-28(01)"
        ],
        "general-govramp-high": [
          "SC-28(01)"
        ],
        "general-iso-27002-2022": [
          "7.1"
        ],
        "general-iso-27018-2025": [
          "7.10"
        ],
        "general-nist-800-53-r4": [
          "MP-5(4)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-28(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-28(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-28(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-28(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-28(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-28(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-28(01)"
        ],
        "general-nist-800-171-r3": [
          "03.08.05.a"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-28(1)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-28(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-28(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-28(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-5(4)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-28 (01)"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.3.2(c)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2302"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2302"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2302"
        ],
        "apac-nzl-ism-3-9": [
          "8.4.13.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.05.A"
        ]
      }
    },
    {
      "control_id": "DCH-08",
      "title": "Physical Media Disposal",
      "family": "DCH",
      "description": "Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.",
      "scf_question": "Does the organization securely dispose of media when it is no longer required, using formal procedures?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-03"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ The data retention process is manual and IT and/or cybersecurity personnel work with business stakeholders and process owners to manage the process.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to dispose of, destroy, erase, and/or anonymize sensitive/regulated data.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to securely dispose of media when it is no longer required, using formal procedures.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "small": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "medium": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "large": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "enterprise": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "C1.2-POF2",
          "CC6.5",
          "CC6.5-POF2",
          "P4.3-POF2",
          "P4.3-POF3"
        ],
        "general-cis-csc-8-1": [
          "3.1",
          "3.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1",
          "3.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1",
          "3.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1",
          "3.5"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-02"
        ],
        "general-csa-iot-2": [
          "POL-04"
        ],
        "general-govramp": [
          "MP-06"
        ],
        "general-govramp-low": [
          "MP-06"
        ],
        "general-govramp-low-plus": [
          "MP-06"
        ],
        "general-govramp-mod": [
          "MP-06"
        ],
        "general-govramp-high": [
          "MP-06"
        ],
        "general-iso-27002-2022": [
          "7.1",
          "8.1"
        ],
        "general-iso-27017-2015": [
          "8.3.2"
        ],
        "general-iso-27018-2025": [
          "7.10",
          "8.10"
        ],
        "general-nist-800-53-r4": [
          "MP-6"
        ],
        "general-nist-800-53-r5-2": [
          "MP-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "MP-06"
        ],
        "general-nist-800-82-r3": [
          "MP-06"
        ],
        "general-nist-800-82-r3-low": [
          "MP-06"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-06"
        ],
        "general-nist-800-82-r3-high": [
          "MP-06"
        ],
        "general-nist-800-161-r1": [
          "MP-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "MP-6"
        ],
        "general-nist-800-161-r1-flowdown": [
          "MP-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "MP-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "MP-6"
        ],
        "general-nist-800-171-r2": [
          "3.8.3"
        ],
        "general-nist-800-171-r3": [
          "03.08.03"
        ],
        "general-pci-dss-4-0-1": [
          "9.4",
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.4.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-6"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "MP.L1-B.1.VII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.3"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(vii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-06"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(6)(i)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)(vi)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.F.3-1",
          "2.F.3-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-6"
        ],
        "usa-federal-nispom-2020": [
          "§117.15(h)(8)(iii)",
          "§117.15(i)",
          "§117.15(i)(1)",
          "§117.15(i)(2)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(16)"
        ],
        "usa-state-il-pipa-2006": [
          "40(b)(2)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(C)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MP-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-06"
        ],
        "emea-us-psd2-2015": [
          "24"
        ],
        "emea-deu-c5-2020": [
          "PI-03"
        ],
        "emea-isr-cmo-1-0": [
          "15.4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-3"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.11"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.5.5 [MP.SI.5]"
        ],
        "emea-gbr-dpa-1998": [
          "Chapter29-Schedule1-Part1-Principle 5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0311",
          "ISM-0312",
          "ISM-0315",
          "ISM-0363",
          "ISM-0368",
          "ISM-0374",
          "ISM-0375",
          "ISM-0378",
          "ISM-0839",
          "ISM-0840",
          "ISM-1160",
          "ISM-1217",
          "ISM-1218",
          "ISM-1361",
          "ISM-1517",
          "ISM-1550",
          "ISM-1722",
          "ISM-1723",
          "ISM-1724",
          "ISM-1725",
          "ISM-1726",
          "ISM-1727"
        ],
        "apac-jpn-ismap": [
          "8.3.2.4",
          "8.3.2.5",
          "8.3.2.6"
        ],
        "apac-nzl-ism-3-9": [
          "11.7.35.C.01",
          "12.6.6.C.01",
          "12.6.6.C.02",
          "12.6.7.C.01",
          "12.6.7.C.02",
          "13.5.23.C.01",
          "13.5.24.C.01",
          "13.5.24.C.02",
          "13.5.24.C.03",
          "13.5.24.C.04",
          "13.5.25.C.01",
          "13.5.26.C.01",
          "13.5.26.C.02",
          "13.5.26.C.03",
          "13.5.29.C.01",
          "13.5.29.C.02",
          "13.5.30.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.03"
        ]
      }
    },
    {
      "control_id": "DCH-09",
      "title": "System Media Sanitization",
      "family": "DCH",
      "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
      "scf_question": "Does the organization sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-03",
        "E-DCH-07"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ The data retention process is manual and IT and/or cybersecurity personnel work with business stakeholders and process owners to manage the process.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to dispose of, destroy, erase, and/or anonymize sensitive/regulated data.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "small": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "medium": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "large": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "enterprise": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "C1.2-POF2",
          "CC6.5",
          "CC6.5-POF2"
        ],
        "general-cis-csc-8-1": [
          "3.1",
          "3.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1",
          "3.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1",
          "3.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1",
          "3.5"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-02",
          "LOG-08"
        ],
        "general-govramp": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-govramp-low": [
          "MP-06"
        ],
        "general-govramp-low-plus": [
          "MP-06"
        ],
        "general-govramp-mod": [
          "MP-06"
        ],
        "general-govramp-high": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 4.2",
          "CR 4.2(1)",
          "CR 4.2(2)"
        ],
        "general-iso-27002-2022": [
          "8.1"
        ],
        "general-iso-27018-2025": [
          "8.10"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-3.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DM-P5"
        ],
        "general-nist-800-53-r4": [
          "MP-6",
          "MP-6(3)"
        ],
        "general-nist-800-53-r5-2": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-nist-800-53-r5-2-low": [
          "MP-06"
        ],
        "general-nist-800-53-r5-2-high": [
          "MP-06(03)"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-nist-800-82-r3-low": [
          "MP-06"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-06"
        ],
        "general-nist-800-82-r3-high": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-nist-800-161-r1": [
          "MP-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "MP-6"
        ],
        "general-nist-800-161-r1-flowdown": [
          "MP-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "MP-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "MP-6"
        ],
        "general-nist-800-171-r2": [
          "3.7.3",
          "3.8.3"
        ],
        "general-nist-800-171-r3": [
          "03.07.04.c",
          "03.08.03"
        ],
        "general-nist-800-171a": [
          "3.7.3",
          "3.8.3[a]",
          "3.8.3[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.08.03"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.7"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-6"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-2h"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "MP.L1-B.1.VII"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "MP.L1-B.1.VII[a]",
          "MP.L1-B.1.VII[b]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MAL2.-3.7.3",
          "MPL2.-3.8.3"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(vii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-06",
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-06",
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-06",
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-06",
          "MP-06(03)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)(vi)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(2)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.F.3.1-1",
          "2.F.3.1-2",
          "2.F.3.1-3",
          "3.3.1.j"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-6",
          "MP-6.a",
          "MP-6.b",
          "MP-6-IS.1",
          "MP-6-IS.2",
          "MP-6-IS.4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-011-3 2.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(16)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MP-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-06"
        ],
        "emea-isr-cmo-1-0": [
          "15.4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-19",
          "TPC-66"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.7.6 [MP.INFO.6]"
        ],
        "emea-gbr-caf-4-0": [
          "B3.e"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2313",
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2313",
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2313",
          "2323"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0311",
          "ISM-0313",
          "ISM-0317",
          "ISM-0348",
          "ISM-0351",
          "ISM-0352",
          "ISM-0354",
          "ISM-0356",
          "ISM-0357",
          "ISM-0358",
          "ISM-0359",
          "ISM-0360",
          "ISM-0361",
          "ISM-0362",
          "ISM-0835",
          "ISM-0836",
          "ISM-0947",
          "ISM-1065",
          "ISM-1067",
          "ISM-1287",
          "ISM-1300",
          "ISM-1600",
          "ISM-1735"
        ],
        "apac-jpn-ismap": [
          "11.2.7.3"
        ],
        "apac-nzl-ism-3-9": [
          "13.4.9.C.01",
          "13.4.11.C.01",
          "13.4.12.C.01",
          "13.4.13.C.01",
          "13.4.13.C.02",
          "13.4.13.C.03",
          "13.4.13.C.04",
          "13.4.13.C.05",
          "13.4.14.C.01",
          "13.4.15.C.01",
          "12.6.5.C.05",
          "13.4.19.C.02",
          "13.4.16.C.01",
          "13.4.17.C.01",
          "13.4.18.C.01",
          "13.4.19.C.01",
          "13.4.20.C.01",
          "13.4.20.C.02",
          "13.4.20.C.03",
          "13.4.21.C.01",
          "13.4.22.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.1.7"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.17"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.04.C",
          "03.08.03"
        ]
      }
    },
    {
      "control_id": "DCH-09.1",
      "title": "System Media Sanitization Documentation",
      "family": "DCH",
      "description": "Mechanisms exist to supervise, track, document and verify system media sanitization and disposal actions.",
      "scf_question": "Does the organization supervise, track, document and verify system media sanitization and disposal actions?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-03",
        "E-DCH-07"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ The data retention process is manual and IT and/or cybersecurity personnel work with business stakeholders and process owners to manage the process.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to supervise, track, document and verify system media sanitization and disposal actions.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Certificate of destruction",
        "small": "∙ Certificate of destruction",
        "medium": "∙ Certificate of destruction",
        "large": "∙ Certificate of destruction",
        "enterprise": "∙ Certificate of destruction"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-govramp": [
          "MP-06(01)"
        ],
        "general-govramp-low-plus": [
          "MP-06(01)"
        ],
        "general-govramp-mod": [
          "MP-06(01)"
        ],
        "general-govramp-high": [
          "MP-06(01)"
        ],
        "general-iso-27002-2022": [
          "8.1"
        ],
        "general-iso-27018-2025": [
          "8.10"
        ],
        "general-nist-800-53-r4": [
          "MP-6(1)"
        ],
        "general-nist-800-53-r5-2": [
          "MP-06(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "MP-06(01)"
        ],
        "general-nist-800-82-r3": [
          "MP-06(01)"
        ],
        "general-nist-800-82-r3-high": [
          "MP-06(01)"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.7"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-06(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.F.4-2",
          "MP-6(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-6-IS.3",
          "MP-6-IS.3.a",
          "MP-6-IS.3.b",
          "MP-6-IS.3.c",
          "MP-6-IS.3.d",
          "MP-6-IS.3.e",
          "MP-6(1)",
          "MP-6(1)-IS"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-06(1)",
          "MP-06(1)-SID"
        ],
        "emea-isr-cmo-1-0": [
          "15.8"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2323"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0316",
          "ISM-0363",
          "ISM-0370",
          "ISM-0371",
          "ISM-0372",
          "ISM-0373"
        ],
        "apac-jpn-ismap": [
          "8.3.2.7"
        ],
        "apac-nzl-ism-3-9": [
          "13.5.22.C.01",
          "13.5.27.C.01",
          "13.5.27.C.02",
          "13.5.27.C.03",
          "13.5.28.C.01",
          "13.5.28.C.02"
        ]
      }
    },
    {
      "control_id": "DCH-09.2",
      "title": "Equipment Testing",
      "family": "DCH",
      "description": "Mechanisms exist to test sanitization equipment and procedures to verify that the intended result is achieved.",
      "scf_question": "Does the organization test sanitization equipment and procedures to verify that the intended result is achieved?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to test sanitization equipment and procedures to verify that the intended result is achieved.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-govramp": [
          "MP-06(02)"
        ],
        "general-govramp-mod": [
          "MP-06(02)"
        ],
        "general-govramp-high": [
          "MP-06(02)"
        ],
        "general-nist-800-53-r4": [
          "MP-6(2)"
        ],
        "general-nist-800-53-r5-2": [
          "MP-06(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "MP-06(02)"
        ],
        "general-nist-800-82-r3": [
          "MP-06(02)"
        ],
        "general-nist-800-82-r3-high": [
          "MP-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-06(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-6(2)"
        ],
        "emea-isr-cmo-1-0": [
          "15.8"
        ],
        "apac-nzl-ism-3-9": [
          "13.4.23.C.01"
        ]
      }
    },
    {
      "control_id": "DCH-09.3",
      "title": "Sanitization of Personal Data (PD)",
      "family": "DCH",
      "description": "Mechanisms exist to facilitate the sanitization of Personal Data (PD).",
      "scf_question": "Does the organization facilitate the sanitization of Personal Data (PD)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ The data retention process is manual and IT and/or cybersecurity personnel work with business stakeholders and process owners to manage the process.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the sanitization of Personal Data (PD).",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ De-identifying sensitive Personal Data (sPD)",
        "small": "∙ De-identifying sensitive Personal Data (sPD)",
        "medium": "∙ De-identifying sensitive Personal Data (sPD)",
        "large": "∙ De-identifying sensitive Personal Data (sPD)",
        "enterprise": "∙ De-identifying sensitive Personal Data (sPD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P4.3"
        ],
        "general-govramp": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-govramp-low": [
          "MP-06"
        ],
        "general-govramp-low-plus": [
          "MP-06"
        ],
        "general-govramp-mod": [
          "MP-06"
        ],
        "general-govramp-high": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-iso-27002-2022": [
          "8.1"
        ],
        "general-iso-27018-2025": [
          "8.10"
        ],
        "general-nist-800-53-r5-2": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-nist-800-53-r5-2-low": [
          "MP-06"
        ],
        "general-nist-800-53-r5-2-high": [
          "MP-06(03)"
        ],
        "general-nist-800-82-r3": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-nist-800-82-r3-low": [
          "MP-06"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-06"
        ],
        "general-nist-800-82-r3-high": [
          "MP-06",
          "MP-06(03)"
        ],
        "general-nist-800-161-r1": [
          "MP-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "MP-6"
        ],
        "general-nist-800-161-r1-flowdown": [
          "MP-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "MP-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "MP-6"
        ],
        "general-scf-dpmp-2025": [
          "5.5"
        ],
        "general-tisax-6-0-3": [
          "8.2.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-06",
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-06",
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-06",
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-06",
          "MP-06(03)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)(vi)"
        ],
        "usa-federal-irs-1075-2021": [
          "MP-6",
          "MP-6(IRS-Defined)-1",
          "MP-6(IRS-Defined)-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-6"
        ],
        "usa-state-ak-pipa-2009": [
          "45.48.500 - .590"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(16)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MP-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-06"
        ],
        "emea-us-psd2-2015": [
          "24"
        ],
        "emea-isr-cmo-1-0": [
          "15.4"
        ],
        "emea-zaf-popia-2013": [
          "16.1"
        ],
        "apac-ind-dpdpa-2023": [
          "8(7)(a)"
        ],
        "americas-arg-ppd-2018": [
          "4.7",
          "16.7",
          "25.2"
        ],
        "americas-bra-lgpd-2018": [
          "16"
        ]
      }
    },
    {
      "control_id": "DCH-09.4",
      "title": "First Time Use Sanitization",
      "family": "DCH",
      "description": "Mechanisms exist to apply nondestructive sanitization techniques to portable storage devices prior to first use.",
      "scf_question": "Does the organization apply nondestructive sanitization techniques to portable storage devices prior to first use?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to apply nondestructive sanitization techniques to portable storage devices prior to first use.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "small": "∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "medium": "∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "large": "∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "enterprise": "∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-govramp": [
          "MP-06(03)"
        ],
        "general-govramp-high": [
          "MP-06(03)"
        ],
        "general-nist-800-53-r4": [
          "MP-6(3)"
        ],
        "general-nist-800-53-r5-2": [
          "MP-06(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-06(03)"
        ],
        "general-nist-800-53-r5-2-high": [
          "MP-06(03)"
        ],
        "general-nist-800-82-r3": [
          "MP-06(03)"
        ],
        "general-nist-800-82-r3-high": [
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-06(03)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1600",
          "ISM-1642"
        ]
      }
    },
    {
      "control_id": "DCH-09.5",
      "title": "Dual Authorization for Sensitive Data Destruction",
      "family": "DCH",
      "description": "Mechanisms exist to enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive/regulated data.",
      "scf_question": "Does the organization enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive/regulated data?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive/regulated data.",
        "4": "Data Classification & Handling (DCH) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "small": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "medium": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "large": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "enterprise": "∙ Logical Access Control (LAC)\n∙ Physical Access Control (PAC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "MP-6(7)"
        ],
        "general-nist-800-53-r5-2": [
          "MP-06(07)"
        ],
        "general-nist-800-82-r3": [
          "MP-06(07)"
        ]
      }
    },
    {
      "control_id": "DCH-10",
      "title": "Media Use",
      "family": "DCH",
      "description": "Mechanisms exist to restrict the use of types of digital media on systems or system components.",
      "scf_question": "Does the organization restrict the use of types of digital media on systems or system components?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the use of types of digital media on systems or system components.",
        "4": "Data Classification & Handling (DCH) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7"
        ],
        "general-govramp": [
          "MP-07"
        ],
        "general-govramp-high": [
          "MP-07"
        ],
        "general-iso-27002-2022": [
          "7.1"
        ],
        "general-iso-27017-2015": [
          "8.3.1"
        ],
        "general-iso-27018-2025": [
          "7.10"
        ],
        "general-mitre-att&ck-16-1": [
          "T1025",
          "T1052",
          "T1052.001",
          "T1091",
          "T1092",
          "T1200"
        ],
        "general-nist-800-53-r4": [
          "MP-7",
          "SC-8(2)"
        ],
        "general-nist-800-53-r5-2": [
          "MP-07",
          "SC-08(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-07",
          "SC-08(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "MP-07"
        ],
        "general-nist-800-82-r3": [
          "MP-07",
          "SC-08(02)"
        ],
        "general-nist-800-82-r3-low": [
          "MP-07"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-07"
        ],
        "general-nist-800-82-r3-high": [
          "MP-07"
        ],
        "general-nist-800-171-r2": [
          "3.8.7"
        ],
        "general-nist-800-171-r3": [
          "03.08.07.a"
        ],
        "general-nist-800-171a": [
          "3.8.7"
        ],
        "general-nist-800-171a-r3": [
          "A.03.08.07.ODP[01]",
          "A.03.08.07.a"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-7"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-07",
          "SC-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-07",
          "SC-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-07",
          "SC-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-07",
          "SC-08(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "MP-7",
          "MP-7(IRS-Defined)",
          "MP-7(IRS-Defined).a",
          "MP-7(IRS-Defined).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-7",
          "SC-8(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-07"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MP-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-07"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-3-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2310"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2310"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2310"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2310"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0341",
          "ISM-0343"
        ],
        "apac-nzl-ism-3-9": [
          "13.3.4.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.07.A"
        ]
      }
    },
    {
      "control_id": "DCH-10.1",
      "title": "Limitations on Use",
      "family": "DCH",
      "description": "Mechanisms exist to restrict the use and distribution of sensitive/regulated data.",
      "scf_question": "Does the organization restrict the use and distribution of sensitive/regulated data?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.\n▪ Limited media handling guidance exists for users.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the use and distribution of sensitive/regulated data.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-iso-27002-2022": [
          "7.1"
        ],
        "general-iso-27018-2025": [
          "7.10"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(2)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0343"
        ],
        "apac-nzl-ism-3-9": [
          "13.3.4.C.01"
        ]
      }
    },
    {
      "control_id": "DCH-10.2",
      "title": "Prohibit Use Without Owner",
      "family": "DCH",
      "description": "Mechanisms exist to prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.",
      "scf_question": "Does the organization prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-govramp": [
          "MP-07"
        ],
        "general-govramp-high": [
          "MP-07"
        ],
        "general-nist-800-53-r4": [
          "MP-7(1)"
        ],
        "general-nist-800-53-r5-2": [
          "MP-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-07"
        ],
        "general-nist-800-53-r5-2-low": [
          "MP-07"
        ],
        "general-nist-800-82-r3": [
          "MP-07"
        ],
        "general-nist-800-82-r3-low": [
          "MP-07"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-07"
        ],
        "general-nist-800-82-r3-high": [
          "MP-07"
        ],
        "general-nist-800-171-r2": [
          "3.8.8"
        ],
        "general-nist-800-171-r3": [
          "03.08.07.b"
        ],
        "general-nist-800-171a": [
          "3.8.8"
        ],
        "general-nist-800-171a-r3": [
          "A.03.08.07.b"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-7"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MPL2.-3.8.8"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-07"
        ],
        "usa-federal-irs-1075-2021": [
          "MP-7"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-7",
          "MP-7(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-07"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MP-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-07"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.07.B"
        ]
      }
    },
    {
      "control_id": "DCH-11",
      "title": "Data Reclassification",
      "family": "DCH",
      "description": "Mechanisms exist to reclassify data, including associated Technology Assets, Applications and/or Services (TAAS), commensurate with the security category and/or classification level of the information.",
      "scf_question": "Does the organization reclassify data, including associated Technology Assets, Applications and/or Services (TAAS), commensurate with the security category and/or classification level of the information?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to reclassify data, including associated Technology Assets, Applications and/or Services (TAAS), commensurate with the security category and/or classification level of the information.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program",
        "small": "∙ Data classification program",
        "medium": "∙ Data classification program",
        "large": "∙ Data classification program\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF7"
        ],
        "general-nist-800-53-r4": [
          "MP-8"
        ],
        "general-nist-800-53-r5-2": [
          "MP-08",
          "MP-08(03)"
        ],
        "general-nist-800-82-r3": [
          "MP-08",
          "MP-08(03)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0325",
          "ISM-0330"
        ],
        "apac-nzl-ism-3-9": [
          "13.2.10.C.01",
          "13.2.11.C.01"
        ]
      }
    },
    {
      "control_id": "DCH-12",
      "title": "Removable Media Security",
      "family": "DCH",
      "description": "Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters.",
      "scf_question": "Does the organization restrict removable media in accordance with data handling and acceptable usage parameters?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict removable media in accordance with data handling and acceptable usage parameters.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Data classification program\n∙ IT Asset Management (ITAM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Data classification program\n∙ IT Asset Management (ITAM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Data classification program\n∙ IT Asset Management (ITAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Data classification program\n∙ IT Asset Management (ITAM) program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.3-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.7",
          "CC6.7-POF3"
        ],
        "general-iec-62443-2-1-2024": [
          "COMP 1.2",
          "COMP 2.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.5"
        ],
        "general-iso-27002-2022": [
          "7.1"
        ],
        "general-iso-27017-2015": [
          "8.3.1"
        ],
        "general-iso-27018-2025": [
          "7.10"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PT-P1"
        ],
        "general-nist-800-171-r3": [
          "03.08.07.a"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.V"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-3g"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.3.1",
          "12.3.2(a)",
          "12.3.2(d)"
        ],
        "emea-isr-cmo-1-0": [
          "12.24"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-3-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2310"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2310"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2310"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2310"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1359",
          "ISM-1713"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP14",
          "HML14"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS09"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP12"
        ],
        "apac-nzl-ism-3-9": [
          "13.3.6.C.01",
          "13.3.6.C.02",
          "13.3.6.C.03",
          "13.3.10.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.07.A"
        ]
      }
    },
    {
      "control_id": "DCH-13",
      "title": "Use of External Technology Assets, Applications and/or Services (TAAS)",
      "family": "DCH",
      "description": "Mechanisms exist to govern how external parties, including Technology Assets, Applications and/or Services (TAAS), are used to securely store, process and transmit data.",
      "scf_question": "Does the organization govern how external parties, including Technology Assets, Applications and/or Services (TAAS), are used to securely store, process and transmit data?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document where sensitive/regulated data is stored, transmitted and/or processed.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern how external parties, including Technology Assets, Applications and/or Services (TAAS), are used to securely store, process and transmit data.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7"
        ],
        "general-govramp": [
          "AC-20"
        ],
        "general-govramp-low": [
          "AC-20"
        ],
        "general-govramp-low-plus": [
          "AC-20"
        ],
        "general-govramp-mod": [
          "AC-20"
        ],
        "general-govramp-high": [
          "AC-20"
        ],
        "general-mitre-att&ck-16-1": [
          "T1020.001",
          "T1021",
          "T1021.001",
          "T1021.004",
          "T1021.007",
          "T1021.008",
          "T1041",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1070.008",
          "T1072",
          "T1078.002",
          "T1078.004",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.004",
          "T1098.005",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1111",
          "T1114",
          "T1114.001",
          "T1114.002",
          "T1114.003",
          "T1119",
          "T1133",
          "T1134.005",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1200",
          "T1505.005",
          "T1530",
          "T1537",
          "T1539",
          "T1550.001",
          "T1552",
          "T1552.004",
          "T1552.005",
          "T1555",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004",
          "T1557",
          "T1557.002",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1567",
          "T1567.001",
          "T1567.002",
          "T1578.005",
          "T1602",
          "T1602.001",
          "T1602.002"
        ],
        "general-nist-800-53-r4": [
          "AC-20"
        ],
        "general-nist-800-53-r5-2": [
          "AC-20"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-20"
        ],
        "general-nist-800-82-r3": [
          "AC-20"
        ],
        "general-nist-800-82-r3-low": [
          "AC-20"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-20"
        ],
        "general-nist-800-82-r3-high": [
          "AC-20"
        ],
        "general-nist-800-161-r1": [
          "AC-20"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-20"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-20"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-20"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-20"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-20"
        ],
        "general-nist-800-171-r2": [
          "3.1.20"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.a",
          "03.01.20.b",
          "03.01.20.c.01",
          "03.01.20.c.02",
          "03.01.20.d"
        ],
        "general-nist-800-171a": [
          "3.1.20[a]",
          "3.1.20[b]",
          "3.1.20[c]",
          "3.1.20[d]",
          "3.1.20[e]",
          "3.1.20[f]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.20.ODP[01]",
          "A.03.01.20.a",
          "A.03.01.20.b",
          "A.03.01.20.c.01",
          "A.03.01.20.c.02"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-20"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.III"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "AC.L1-B.1.III[a]",
          "AC.L1-B.1.III[b]",
          "AC.L1-B.1.III[c]",
          "AC.L1-B.1.III[d]",
          "AC.L1-B.1.III[e]",
          "AC.L1-B.1.III[f]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.20"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-20"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-20"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-20"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-20"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-20",
          "AC-20(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-20",
          "AC-20.a",
          "AC-20.b",
          "AC-20-IS",
          "AC-20-IS.1",
          "AC-20-IS.2",
          "AC-20-IS.3"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-20"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-20"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-20"
        ],
        "emea-isr-cmo-1-0": [
          "11.6"
        ],
        "emea-sau-ecc-1-2018": [
          "4-2-3-1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.A",
          "03.01.20.B",
          "03.01.20.C.01",
          "03.01.20.C.02",
          "03.01.20.D"
        ]
      }
    },
    {
      "control_id": "DCH-13.1",
      "title": "Limits of Authorized Use",
      "family": "DCH",
      "description": "Mechanisms exist to prohibit external parties, including Technology Assets, Applications and/or Services (TAAS), from storing, processing and transmitting data unless authorized individuals first:\n(1) Verify the implementation of required security, compliance and/or resilience controls; or\n(2) Retain a processing agreement with the entity hosting the external TAAS.",
      "scf_question": "Does the organization prohibit external parties, including Technology Assets, Applications and/or Services (TAAS), from storing, processing and transmitting data unless authorized individuals first:\n(1) Verify the implementation of required security, compliance and/or resilience controls; or\n(2) Retain a processing agreement with the entity hosting the external TAAS?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit external parties, including Technology Assets, Applications and/or Services (TAAS), from storing, processing and transmitting data unless authorized individuals first:\n(1) Verify the implementation of required security, compliance and/or resilience controls; or\n(2) Retain a processing agreement with the entity hosting the external TAAS.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.3"
        ],
        "general-govramp": [
          "AC-20(01)"
        ],
        "general-govramp-low-plus": [
          "AC-20(01)"
        ],
        "general-govramp-mod": [
          "AC-20(01)"
        ],
        "general-govramp-high": [
          "AC-20(01)"
        ],
        "general-nist-800-53-r4": [
          "AC-20(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-20(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-20(01)"
        ],
        "general-nist-800-82-r3": [
          "AC-20(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-20(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-20(01)"
        ],
        "general-nist-800-161-r1": [
          "AC-20(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-20(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-20(1)"
        ],
        "general-nist-800-171-r2": [
          "3.1.20"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.a",
          "03.01.20.b",
          "03.01.20.c.01",
          "03.01.20.c.02",
          "03.01.20.d"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "general-pci-dss-4-0-1": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.5.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-20(1)"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.III"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.20"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iii)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-20(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-20(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-20(1)",
          "AC-20(1).a",
          "AC-20(1).b"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-20 (01)"
        ],
        "emea-srb-act-9-2018": [
          "5.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.A",
          "03.01.20.B",
          "03.01.20.C.01",
          "03.01.20.C.02",
          "03.01.20.D"
        ]
      }
    },
    {
      "control_id": "DCH-13.2",
      "title": "Portable Storage Devices",
      "family": "DCH",
      "description": "Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems.",
      "scf_question": "Does the organization restrict or prohibit the use of portable storage devices by users on external systems?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict or prohibit the use of portable storage devices by users on external systems.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7",
          "CC6.7-POF3"
        ],
        "general-cobit-2019": [
          "DSS06.06"
        ],
        "general-govramp": [
          "AC-20(02)"
        ],
        "general-govramp-mod": [
          "AC-20(02)"
        ],
        "general-govramp-high": [
          "AC-20(02)"
        ],
        "general-iec-62443-2-1-2024": [
          "COMP 1.2"
        ],
        "general-nist-800-53-r4": [
          "AC-20(2)",
          "AC-20(5)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-20(02)",
          "AC-20(05)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-20(02)"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "AC-20(02)",
          "AC-20(05)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-20(02)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-20(02)"
        ],
        "general-nist-800-171-r2": [
          "3.1.21"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.a",
          "03.01.20.d"
        ],
        "general-nist-800-171a": [
          "3.1.21[a]",
          "3.1.21[b]",
          "3.1.21[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.20.d"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-20(2)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.21"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-20(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-20(02)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-20(CE-2)",
          "AC-20(CE-5)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-20(2)",
          "AC-20(2)-IS.a"
        ],
        "emea-sau-ecc-1-2018": [
          "5-1-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-8",
          "2-3-1-9"
        ],
        "apac-nzl-ism-3-9": [
          "13.3.7.C.01",
          "13.3.7.C.02",
          "13.3.8.C.01",
          "13.3.8.C.02",
          "13.3.9.C.01",
          "13.3.9.C.02",
          "13.3.10.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.A",
          "03.01.20.D"
        ]
      }
    },
    {
      "control_id": "DCH-13.3",
      "title": "Protecting Sensitive / Regulated Data on External Technology Assets, Applications and/or Services (TAAS)",
      "family": "DCH",
      "description": "Mechanisms exist to ensure that the requirements for the protection of sensitive/regulated data processed, stored or transmitted on external Technology Assets, Applications and/or Services (TAAS), are implemented in accordance with applicable statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization ensure that the requirements for the protection of sensitive/regulated data processed, stored or transmitted on external Technology Assets, Applications and/or Services (TAAS), are implemented in accordance with applicable statutory, regulatory and contractual obligations?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that the requirements for the protection of sensitive/regulated data processed, stored or transmitted on external Technology Assets, Applications and/or Services (TAAS), are implemented in accordance with applicable statutory, regulatory and contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-17"
        ],
        "general-nist-800-53-r5-2": [
          "PM-17"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-17"
        ],
        "general-nist-800-82-r3": [
          "PM-17"
        ],
        "general-nist-800-82-r3-low": [
          "PM-17"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-17"
        ],
        "general-nist-800-82-r3-high": [
          "PM-17"
        ],
        "general-nist-800-161-r1": [
          "PM-17"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-17"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.b",
          "03.01.20.c.01"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3",
          "NIST Tenet 4"
        ],
        "emea-isr-cmo-1-0": [
          "11.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.B",
          "03.01.20.C.01"
        ]
      }
    },
    {
      "control_id": "DCH-13.4",
      "title": "Non-Organizationally Owned Technology Assets, Applications and/or Services (TAAS)",
      "family": "DCH",
      "description": "Mechanisms exist to restrict the use of non-organizationally owned Technology Assets, Applications and/or Services (TAAS) to process, store or transmit organizational information.",
      "scf_question": "Does the organization restrict the use of non-organizationally owned Technology Assets, Applications and/or Services (TAAS) to process, store or transmit organizational information?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the use of non-organizationally owned Technology Assets, Applications and/or Services (TAAS) to process, store or transmit organizational information.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Rules of Behavior (RoB) / Acceptable Use",
        "small": "∙ Rules of Behavior (RoB) / Acceptable Use",
        "medium": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Network Access Control (NAC)",
        "large": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Network Access Control (NAC)",
        "enterprise": "∙ Rules of Behavior (RoB) / Acceptable Use\n∙ Network Access Control (NAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-20(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-20(03)"
        ],
        "general-nist-800-82-r3": [
          "AC-20(03)"
        ],
        "general-nist-800-161-r1": [
          "AC-20(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-20(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-20(3)"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.a",
          "03.01.20.c.01",
          "03.01.20.d"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-20(CE-3)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.A",
          "03.01.20.C.01",
          "03.01.20.D"
        ]
      }
    },
    {
      "control_id": "DCH-14",
      "title": "Information Sharing",
      "family": "DCH",
      "description": "Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.",
      "scf_question": "Does the organization utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-09",
        "E-SAT-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program",
        "small": "∙ Data classification program",
        "medium": "∙ Data classification program",
        "large": "∙ Data classification program\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7"
        ],
        "general-cis-csc-8-1": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.3"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-10"
        ],
        "general-govramp": [
          "AC-21"
        ],
        "general-govramp-mod": [
          "AC-21"
        ],
        "general-govramp-high": [
          "AC-21"
        ],
        "general-iso-21434-2021": [
          "RQ-05-09"
        ],
        "general-iso-27002-2022": [
          "5.14"
        ],
        "general-iso-27017-2015": [
          "13.2.1",
          "13.2.2"
        ],
        "general-iso-27018-2025": [
          "5.14"
        ],
        "general-mitre-att&ck-16-1": [
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005"
        ],
        "general-nist-800-53-r4": [
          "AC-21"
        ],
        "general-nist-800-53-r5-2": [
          "AC-21"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-21"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-21"
        ],
        "general-nist-800-82-r3": [
          "AC-21"
        ],
        "general-nist-800-161-r1": [
          "AC-21"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-21"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-21"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.b"
        ],
        "general-swift-cscf-2025": [
          "2.1",
          "2.4",
          "2.11A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.1",
          "5.1.1",
          "AC-21"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-21"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-21"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-21"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-21"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-21"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-21",
          "AC-21.a",
          "AC-21.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7153(a)"
        ],
        "emea-isr-cmo-1-0": [
          "5.4",
          "10.5"
        ],
        "emea-zaf-popia-2013": [
          "72"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0657",
          "ISM-0661",
          "ISM-0663",
          "ISM-0664",
          "ISM-0665",
          "ISM-0669",
          "ISM-0675",
          "ISM-1187",
          "ISM-1535"
        ],
        "apac-jpn-ismap": [
          "13.2.1.5",
          "13.2.1.9"
        ],
        "apac-nzl-ism-3-9": [
          "20.1.6.C.01",
          "20.1.6.C.02",
          "20.1.7.C.01",
          "20.1.7.C.02",
          "20.1.8.C.01",
          "20.1.9.C.01",
          "20.1.10.C.01",
          "20.1.10.C.02",
          "20.1.11.C.01",
          "20.1.12.C.01",
          "20.1.13.C.01",
          "20.2.3.C.01",
          "20.2.4.C.01",
          "20.2.5.C.01",
          "20.2.6.C.01",
          "20.2.6.C.02",
          "20.2.6.C.03",
          "20.2.7.C.01",
          "20.2.8.C.01",
          "20.2.9.C.01",
          "20.2.9.C.02",
          "20.2.9.C.03",
          "20.2.9.C.04",
          "20.2.10.C.01",
          "20.2.10.C.02",
          "20.2.11.C.01",
          "20.2.11.C.02",
          "20.2.11.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.B"
        ]
      }
    },
    {
      "control_id": "DCH-14.1",
      "title": "Information Search & Retrieval",
      "family": "DCH",
      "description": "Mechanisms exist to ensure Technology Assets, Applications and/or Services (TAAS) implement data search and retrieval functions that properly enforce data protection / sharing restrictions.",
      "scf_question": "Does the organization ensure Technology Assets, Applications and/or Services (TAAS) implement data search and retrieval functions that properly enforce data protection / sharing restrictions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure Technology Assets, Applications and/or Services (TAAS) implement data search and retrieval functions that properly enforce data protection / sharing restrictions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data Loss Prevention (DLP)",
        "small": "∙ Data Loss Prevention (DLP)",
        "medium": "∙ Data Loss Prevention (DLP)",
        "large": "∙ Data Loss Prevention (DLP)",
        "enterprise": "∙ Data Loss Prevention (DLP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-21(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-21(02)"
        ],
        "general-nist-800-82-r3": [
          "AC-21(02)"
        ]
      }
    },
    {
      "control_id": "DCH-14.2",
      "title": "Transfer Authorizations",
      "family": "DCH",
      "description": "Mechanisms exist to verify that individuals or Technology Assets, Applications and/or Services (TAAS) transferring data between interconnecting TAAS have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data.",
      "scf_question": "Does the organization verify that individuals or Technology Assets, Applications and/or Services (TAAS) transferring data between interconnecting TAAS have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to verify that individuals or Technology Assets, Applications and/or Services (TAAS) transferring data between interconnecting TAAS have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.3"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-10"
        ],
        "general-nist-800-53-r5-2": [
          "CA-03(06)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CA-03(06)"
        ],
        "general-nist-800-82-r3": [
          "CA-03(06)"
        ],
        "general-nist-800-82-r3-high": [
          "CA-03(06)"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.b",
          "03.01.20.c.02",
          "03.12.05.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3",
          "NIST Tenet 4"
        ],
        "general-swift-cscf-2025": [
          "2.1",
          "2.4"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-03(06)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.E.6.2"
        ],
        "emea-ken-pda-2019": [
          "25(h)"
        ],
        "emea-sau-cscc-1-2019": [
          "2-6-1-5"
        ],
        "emea-srb-act-9-2018": [
          "64",
          "64.1",
          "64.2",
          "64.3",
          "64.4"
        ],
        "apac-nzl-ism-3-9": [
          "20.1.8.C.01",
          "20.2.4.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.B",
          "03.01.20.C.02",
          "03.12.05.A"
        ]
      }
    },
    {
      "control_id": "DCH-14.3",
      "title": "Data Access Mapping",
      "family": "DCH",
      "description": "Mechanisms exist to leverage data-specific Access Control Lists (ACL) or Interconnection Security Agreements (ISAs) to generate a logical map of the parties with whom sensitive/regulated data is shared.",
      "scf_question": "Does the organization leverage data-specific Access Control Lists (ACL) or Interconnection Security Agreements (ISAs) to generate a logical map of the parties with whom sensitive/regulated data is shared?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited media handling guidance exists for users.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document where sensitive/regulated data is stored, transmitted and/or processed.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to leverage data-specific Access Control Lists (ACL) or Interconnection Security Agreements (ISAs) to generate a logical map of the parties with whom sensitive/regulated data is shared.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Access Control Lists (ACL)\n∙ Interconnection Security Agreements (ISAs)",
        "small": "∙ Access Control Lists (ACL)\n∙ Interconnection Security Agreements (ISAs)",
        "medium": "∙ Access Control Lists (ACL)\n∙ Interconnection Security Agreements (ISAs)",
        "large": "∙ Access Control Lists (ACL)\n∙ Interconnection Security Agreements (ISAs)",
        "enterprise": "∙ Access Control Lists (ACL)\n∙ Interconnection Security Agreements (ISAs)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "3.3",
          "3.8"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.3",
          "3.8"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.3",
          "3.8"
        ],
        "general-nist-800-171-r3": [
          "03.01.03",
          "03.01.20.c.02",
          "03.12.05.a"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.DAUTE"
        ],
        "emea-gbr-caf-4-0": [
          "B3.a"
        ],
        "apac-nzl-ism-3-9": [
          "16.2.5.C.01",
          "16.2.6.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03",
          "03.01.20.C.02",
          "03.12.05.A"
        ]
      }
    },
    {
      "control_id": "DCH-15",
      "title": "Publicly Accessible Content",
      "family": "DCH",
      "description": "Mechanisms exist to control publicly-accessible content.",
      "scf_question": "Does the organization control publicly-accessible content?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-12"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to control publicly-accessible content.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-govramp": [
          "AC-22"
        ],
        "general-govramp-mod": [
          "AC-22"
        ],
        "general-govramp-high": [
          "AC-22"
        ],
        "general-nist-800-53-r4": [
          "AC-22"
        ],
        "general-nist-800-53-r5-2": [
          "AC-22"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-22"
        ],
        "general-nist-800-82-r3": [
          "AC-22"
        ],
        "general-nist-800-82-r3-low": [
          "AC-22"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-22"
        ],
        "general-nist-800-82-r3-high": [
          "AC-22"
        ],
        "general-nist-800-161-r1": [
          "AC-22"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-22"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-22"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-22"
        ],
        "general-nist-800-171-r2": [
          "3.1.22"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a",
          "03.01.22.b"
        ],
        "general-nist-800-171a": [
          "3.1.22[a]",
          "3.1.22[b]",
          "3.1.22[c]",
          "3.1.22[d]",
          "3.1.22[e]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.22.a",
          "A.03.01.22.b[01]",
          "A.03.01.22.b[02]"
        ],
        "general-pci-dss-4-0-1": [
          "1.4.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-22"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "AC.L1-B.1.IV[a]",
          "AC.L1-B.1.IV[b]",
          "AC.L1-B.1.IV[c]",
          "AC.L1-B.1.IV[d]",
          "AC.L1-B.1.IV[e]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-22"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-22"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-22"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-22"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-22"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-22",
          "AC-22.a",
          "AC-22.b",
          "AC-22.c",
          "AC-22.d"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-22"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-22"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2321"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2321"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2321"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2321"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A",
          "03.01.22.B"
        ]
      }
    },
    {
      "control_id": "DCH-16",
      "title": "Data Mining Protection",
      "family": "DCH",
      "description": "Mechanisms exist to protect data storage objects against unauthorized data mining and data harvesting techniques.",
      "scf_question": "Does the organization protect data storage objects against unauthorized data mining and data harvesting techniques?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.\n▪ Media is securely stored until it is destroyed or sanitized using approved equipment, techniques and procedures.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect data storage objects against unauthorized data mining and data harvesting techniques.",
        "4": "Data Classification & Handling (DCH) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense-in-depth (DiD) architecture",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Defense-in-depth (DiD) architecture",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Defense-in-depth (DiD) architecture",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Defense-in-depth (DiD) architecture",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Defense-in-depth (DiD) architecture"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1005",
          "T1025",
          "T1041",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1552.007",
          "T1567",
          "T1589",
          "T1589.002",
          "T1589.003",
          "T1590",
          "T1591",
          "T1591.001",
          "T1591.002",
          "T1591.003",
          "T1591.004",
          "T1593.001",
          "T1593.002",
          "T1594",
          "T1595",
          "T1595.001",
          "T1595.002",
          "T1596",
          "T1596.005",
          "T1597"
        ],
        "general-nist-800-53-r4": [
          "AC-23"
        ],
        "general-nist-800-53-r5-2": [
          "AC-23"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-23"
        ],
        "general-nist-800-82-r3": [
          "AC-23"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-23"
        ],
        "general-nist-800-161-r1": [
          "AC-23"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-23"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-23"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-23"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-23"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-23"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-23"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-23"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-23"
        ],
        "apac-nzl-ism-3-9": [
          "20.4.3.C.01",
          "20.4.3.C.02",
          "20.4.3.C.03",
          "20.4.3.C.04",
          "20.4.4.C.01",
          "20.4.4.C.02",
          "20.4.5.C.01",
          "20.4.5.C.02",
          "20.4.6.C.01",
          "20.4.6.C.02"
        ]
      }
    },
    {
      "control_id": "DCH-17",
      "title": "Ad-Hoc Transfers",
      "family": "DCH",
      "description": "Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties.",
      "scf_question": "Does the organization secure ad-hoc exchanges of large digital files with internal or external parties?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Restrictions for ad-hoc data transfers are primarily administrative in nature (e.g., policies & standards).",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document where sensitive/regulated data is stored, transmitted and/or processed.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to secure ad-hoc exchanges of large digital files with internal or external parties.",
        "4": "Data Classification & Handling (DCH) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Secure Baseline Configurations (SBC)\n∙ Content / DNS filtering",
        "small": "∙ Data classification program\n∙ Secure Baseline Configurations (SBC)\n∙ Content / DNS filtering",
        "medium": "∙ Data classification program\n∙ Secure Baseline Configurations (SBC)\n∙ Content / DNS filtering",
        "large": "∙ Data classification program\n∙ Secure Baseline Configurations (SBC)\n∙ Content / DNS filtering\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Secure Baseline Configurations (SBC)\n∙ Content / DNS filtering\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.3"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.7",
          "CC6.7-POF1"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-10"
        ],
        "general-iso-27002-2022": [
          "5.14"
        ],
        "general-iso-27017-2015": [
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.14"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.16"
        ],
        "general-nist-800-171-r2": [
          "3.1.20"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.a"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.III"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.20"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.E.2"
        ],
        "emea-isr-cmo-1-0": [
          "5.1",
          "5.4",
          "10.5"
        ],
        "emea-sau-cscc-1-2019": [
          "2-6-1-5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0347",
          "ISM-0947",
          "ISM-1778",
          "ISM-1779"
        ],
        "apac-nzl-ism-3-9": [
          "20.1.11.C.01",
          "20.2.6.C.01",
          "20.2.6.C.02",
          "20.2.6.C.03",
          "20.2.7.C.01",
          "20.2.8.C.01",
          "20.2.9.C.01",
          "20.2.9.C.02",
          "20.2.9.C.03",
          "20.2.9.C.04"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.A"
        ]
      }
    },
    {
      "control_id": "DCH-18",
      "title": "Media & Data Retention",
      "family": "DCH",
      "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization retain media and data in accordance with applicable statutory, regulatory and contractual obligations?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-AST-11"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.\n▪ A manual data retention process exists.\n▪ Media is securely stored until it is destroyed or sanitized using approved equipment, techniques and procedures.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ The data retention process is manual and IT and/or cybersecurity personnel work with business stakeholders and process owners to manage the process.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to dispose of, destroy, erase, and/or anonymize sensitive/regulated data.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "4": "Data Classification & Handling (DCH) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data retention program\n∙ Data classification program",
        "small": "∙ Data retention program\n∙ Data classification program",
        "medium": "∙ Data retention program\n∙ Data classification program",
        "large": "∙ Data retention program\n∙ Data classification program\n∙ Data governance program",
        "enterprise": "∙ Data retention program\n∙ Data classification program\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "U4.2-POF1",
          "U4.2-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "C1.1-POF3",
          "PI1.5"
        ],
        "general-cis-csc-8-1": [
          "3.1",
          "3.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.1",
          "3.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.1",
          "3.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.1",
          "3.4"
        ],
        "general-cobit-2019": [
          "APO14.09"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-16"
        ],
        "general-govramp": [
          "MP-07",
          "SI-12"
        ],
        "general-govramp-low": [
          "SI-12"
        ],
        "general-govramp-low-plus": [
          "SI-12"
        ],
        "general-govramp-mod": [
          "SI-12"
        ],
        "general-govramp-high": [
          "MP-07",
          "SI-12"
        ],
        "general-iec-62443-2-1-2024": [
          "DATA 1.4"
        ],
        "general-iso-27002-2022": [
          "5.33",
          "8.1"
        ],
        "general-iso-27017-2015": [
          "18.1.3"
        ],
        "general-iso-27018-2025": [
          "5.33",
          "8.10"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.003",
          "T1020.001",
          "T1040",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1114",
          "T1114.001",
          "T1114.002",
          "T1114.003",
          "T1119",
          "T1213.004",
          "T1530",
          "T1548",
          "T1548.004",
          "T1550.001",
          "T1552",
          "T1552.004",
          "T1557",
          "T1557.002",
          "T1557.004",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1558.005",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1602",
          "T1602.001",
          "T1602.002"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.3",
          "PS-3.0",
          "TS-1.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.B(4)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.5-003"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DM-P3",
          "CT.DM-P4"
        ],
        "general-nist-800-53-r4": [
          "MP-7",
          "SI-12"
        ],
        "general-nist-800-53-r5-2": [
          "MP-07",
          "SI-12"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-07",
          "SI-12"
        ],
        "general-nist-800-53-r5-2-low": [
          "MP-07",
          "SI-12"
        ],
        "general-nist-800-66-r2": [
          "164.316(b)"
        ],
        "general-nist-800-82-r3": [
          "MP-07",
          "SI-12"
        ],
        "general-nist-800-82-r3-low": [
          "MP-07"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-07",
          "SI-12"
        ],
        "general-nist-800-82-r3-high": [
          "MP-07",
          "SI-12"
        ],
        "general-nist-800-161-r1": [
          "SI-12"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SI-12"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-12"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.c.02",
          "03.14.08"
        ],
        "general-nist-800-171a-r3": [
          "A.03.14.08[01]",
          "A.03.14.08[02]",
          "A.03.14.08[03]",
          "A.03.14.08[04]"
        ],
        "general-pci-dss-4-0-1": [
          "3.2",
          "3.2.1",
          "9.4.6",
          "9.4.7",
          "10.5",
          "10.5.1",
          "11.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "3.2.1",
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "3.2.1",
          "9.4.6",
          "10.5.1",
          "11.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.6",
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.2.1",
          "9.4.6",
          "9.4.7",
          "10.5.1",
          "11.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.2.1",
          "9.4.6",
          "9.4.7",
          "10.5.1",
          "11.4.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "3.2.1",
          "9.4.6"
        ],
        "general-scf-dpmp-2025": [
          "5.4"
        ],
        "general-swift-cscf-2025": [
          "6.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-7",
          "SI-12"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.945"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-07",
          "SI-12"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-07",
          "SI-12"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-07",
          "SI-12"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-07",
          "SI-12"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(6)(ii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.316(b)(2)(i)",
          "164.530(j)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.316(b)(2)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "MP-7",
          "SI-12"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-3.e",
          "MP-7",
          "SI-12",
          "SI-12-IS.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.9"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7122(g)",
          "7123(c)(16)",
          "7155(c)"
        ],
        "usa-state-il-pipa-2006": [
          "30"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.5(b)",
          "5.260.5(c)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.6(b)",
          "500.13(b)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.586(6)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 8(6)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-07",
          "SI-12"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MP-07",
          "SI-12"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-07",
          "SI-12"
        ],
        "emea-eu-ai-act-2024": [
          "Article 16(d)",
          "Article 18.1",
          "Article 18.1(a)",
          "Article 18.1(b)",
          "Article 18.1(c)",
          "Article 18.1(d)",
          "Article 18.1(e)",
          "Article 18.3"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 10.8",
          "Article 13.7"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 6 Module B.9",
          "Annex 6 Module C.3.2"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(h)",
          "4.2.2(f)"
        ],
        "emea-sau-cscc-1-2019": [
          "2-6-1-4",
          "2-11-2"
        ],
        "emea-srb-act-9-2018": [
          "5.5"
        ],
        "emea-zaf-popia-2013": [
          "9"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "9"
        ],
        "emea-gbr-dpa-1998": [
          "Chapter29-Schedule1-Part1-Principle 3 & 5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0859",
          "ISM-0991",
          "ISM-1510"
        ],
        "apac-chn-pipl-2021": [
          "19"
        ],
        "apac-ind-dpdpa-2023": [
          "8(7)(a)",
          "8(8)"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S13"
        ],
        "apac-jpn-ismap": [
          "4.4.7.4",
          "4.6.3.4",
          "12.3.1.15",
          "12.3.1.19.P",
          "13.2.1.7",
          "18.1.3",
          "18.1.3.1",
          "18.1.3.2",
          "18.1.3.3",
          "18.1.3.4",
          "18.1.3.5",
          "18.1.3.6",
          "18.1.3.7",
          "18.1.3.8",
          "18.1.3.9",
          "18.1.3.10",
          "18.1.3.11",
          "18.1.3.12",
          "18.1.3.13.PB"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.C.02",
          "03.14.08"
        ]
      }
    },
    {
      "control_id": "DCH-18.1",
      "title": "Minimize Sensitive / Regulated Data",
      "family": "DCH",
      "description": "Mechanisms exist to minimize sensitive/regulated data that is collected, received, processed, stored and/or transmitted throughout the information lifecycle to only those elements necessary to support necessary business processes.",
      "scf_question": "Does the organization minimize sensitive/regulated data that is collected, received, processed, stored and/or transmitted throughout the information lifecycle to only those elements necessary to support necessary business processes?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.\n▪ Requirements exist for limiting the use of sensitive/regulated data in testing, training and research.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to minimize sensitive/regulated data that is collected, received, processed, stored and/or transmitted throughout the information lifecycle to only those elements necessary to support necessary business processes.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Data classification program\n∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Data classification program\n∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Data classification program\n∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-iec-tr-60601-4-5-2021": [
          "4.5"
        ],
        "general-iso-29100-2024": [
          "6.5"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DM-P8"
        ],
        "general-nist-800-53-r5-2": [
          "SI-12(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-12(01)"
        ],
        "general-nist-800-82-r3": [
          "SI-12(01)"
        ],
        "general-scf-dpmp-2025": [
          "3.3",
          "5.4"
        ],
        "general-shared-assessments-sig-2025": [
          "P.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-12(1)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-12(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-12(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-12(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-12(01)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.502(b)(1)"
        ],
        "emea-sau-pdpl-2023": [
          "Article 11.3"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 24.2"
        ],
        "emea-esp-decree-311-2022": [
          "24.2"
        ]
      }
    },
    {
      "control_id": "DCH-18.2",
      "title": "Limit Sensitive / Regulated Data In Testing, Training & Research",
      "family": "DCH",
      "description": "Mechanisms exist to minimize the use of sensitive/regulated data for research, testing, or training, in accordance with authorized, legitimate business practices.",
      "scf_question": "Does the organization minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Limited media handling guidance exists for users.\n▪ Requirements exist for limiting the use of sensitive/regulated data in testing, training and research.\n▪ Requirements exist for minimizing data collection to what is necessary for business purposes.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ Business stakeholders and process owners adhere to applicable compliance requirements to limit the use of sensitive/regulated data in testing, training and research.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to minimize the use of sensitive/regulated data for research, testing, or training, in accordance with authorized, legitimate business practices.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PM-25",
          "SA-08(33)",
          "SA-15(12)",
          "SI-12(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-25",
          "SA-08(33)",
          "SI-12(02)"
        ],
        "general-nist-800-82-r3": [
          "PM-25",
          "SA-08(33)",
          "SA-15(12)",
          "SI-12(02)"
        ],
        "general-nist-800-82-r3-low": [
          "PM-25"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-25"
        ],
        "general-nist-800-82-r3-high": [
          "PM-25"
        ],
        "general-nist-800-161-r1": [
          "PM-25"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-25"
        ],
        "general-scf-dpmp-2025": [
          "3.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-12(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-25",
          "SA-08(33)",
          "SI-12(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-25",
          "SA-08(33)",
          "SI-12(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-25",
          "SA-08(33)",
          "SI-12(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-25",
          "SA-08(33)",
          "SI-12(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-12(CE-2)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.2",
          "Article 10.2(a)",
          "Article 10.2(b)",
          "Article 10.2(c)",
          "Article 10.2(d)",
          "Article 10.2(e)",
          "Article 10.3",
          "Article 10.6"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.2(f)"
        ],
        "emea-srb-act-9-2018": [
          "5.1"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "apac-chn-pipl-2021": [
          "6"
        ]
      }
    },
    {
      "control_id": "DCH-18.3",
      "title": "Temporary Files Containing Personal Data (PD)",
      "family": "DCH",
      "description": "Mechanisms exist to perform periodic checks of temporary files for the existence of Personal Data (PD).",
      "scf_question": "Does the organization perform periodic checks of temporary files for the existence of Personal Data (PD)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform periodic checks of temporary files for the existence of Personal Data (PD).",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification policy (public/internal/confidential)",
        "small": "∙ Data classification policy\n∙ Data handling procedures",
        "medium": "∙ Data classification program\n∙ DLP tools\n∙ Data handling standards",
        "large": "∙ Enterprise DLP solution (e.g., Microsoft Purview, Symantec DLP)\n∙ Data classification tool",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra)\n∙ DLP with automated classification\n∙ Data lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {}
    },
    {
      "control_id": "DCH-19",
      "title": "Geographic Location of Data",
      "family": "DCH",
      "description": "Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties.",
      "scf_question": "Does the organization inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-23"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document where sensitive/regulated data is stored, transmitted and/or processed.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management\n∙ Data governance program",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF9"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-19"
        ],
        "general-csa-iot-2": [
          "DAT-04",
          "LGL-08"
        ],
        "general-govramp": [
          "SA-09(05)"
        ],
        "general-govramp-high": [
          "SA-09(05)"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P7",
          "ID.IM-P8"
        ],
        "general-nist-800-53-r4": [
          "SA-9(5)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "general-nist-800-82-r3": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "general-nist-800-161-r1": [
          "SA-9(5)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-9(5)"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.a",
          "03.04.11.b"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-03"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-09(05)",
          "SA-09(08)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-5)",
          "SA-9(CE-8)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-9(5)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-09 (05)"
        ],
        "emea-isr-cmo-1-0": [
          "11.6"
        ],
        "emea-ken-pda-2019": [
          "25(h)"
        ],
        "emea-qat-pdppl-2020": [
          "15"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-30"
        ],
        "emea-gbr-caf-4-0": [
          "B3.a"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 8"
        ],
        "apac-chn-pipl-2021": [
          "38",
          "39",
          "40"
        ],
        "apac-jpn-ppi-2020": [
          "24(1)"
        ],
        "americas-can-osfi-b13-2022": [
          "2.9.2",
          "3.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.A",
          "03.04.11.B"
        ]
      }
    },
    {
      "control_id": "DCH-20",
      "title": "Archived Data Sets",
      "family": "DCH",
      "description": "Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization protect archived data in accordance with applicable statutory, regulatory and contractual obligations?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Sensitive data inventories",
        "small": "∙ Sensitive data inventories",
        "medium": "∙ Sensitive data inventories",
        "large": "∙ Sensitive data inventories",
        "enterprise": "∙ Sensitive data inventories"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {}
    },
    {
      "control_id": "DCH-21",
      "title": "Information Disposal",
      "family": "DCH",
      "description": "Mechanisms exist to securely dispose of, destroy or erase information.",
      "scf_question": "Does the organization securely dispose of, destroy or erase information?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to dispose of, destroy, erase, and/or anonymize sensitive/regulated data.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to securely dispose of, destroy or erase information.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "small": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "medium": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "large": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers",
        "enterprise": "∙ Shred-it (https://shredit.com)\n∙ IronMountain (https://ironmountain.com)\n∙ BitRaser (https://bitraser.com)\n∙ DBAN (https://dban.org)\n∙ DoD-strength data erasers"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "C1.2",
          "C1.2-POF1",
          "C1.2-POF2",
          "CC6.5",
          "CC6.5-POF2",
          "P4.3",
          "P4.3-POF2",
          "P4.3-POF3"
        ],
        "general-cis-csc-8-1": [
          "3.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.5"
        ],
        "general-csa-iot-2": [
          "POL-04"
        ],
        "general-iso-27002-2022": [
          "8.1"
        ],
        "general-iso-27018-2025": [
          "8.10"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(k)"
        ],
        "general-nist-800-53-r4": [
          "DM-2"
        ],
        "general-nist-800-53-r5-2": [
          "SI-12(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-12(03)"
        ],
        "general-nist-800-82-r3": [
          "SI-12(03)"
        ],
        "general-nist-800-171-r3": [
          "03.08.03"
        ],
        "general-scf-dpmp-2025": [
          "5.5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-12(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-12(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-12(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-12(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-12(03)"
        ],
        "usa-federal-sro-finra": [
          "248.30(b)(1)",
          "248.30(b)(2)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(6)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.D.7"
        ],
        "usa-federal-cms-marse-2-0": [
          "DM-2",
          "DM-2.b",
          "DM-2.c"
        ],
        "usa-federal-nispom-2020": [
          "§117.15(g)",
          "§117.15(g)(1)",
          "§117.15(g)(2)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "6-1.a",
          "6-1.b",
          "6-1.c",
          "6-3.b"
        ],
        "usa-state-il-pipa-2006": [
          "40(b)",
          "40(b)(1)",
          "40(c)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(C)(1)"
        ],
        "emea-us-psd2-2015": [
          "24"
        ],
        "emea-deu-c5-2020": [
          "PI-03"
        ],
        "emea-isr-cmo-1-0": [
          "11.12",
          "15.4"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0311"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S13"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.03"
        ]
      }
    },
    {
      "control_id": "DCH-22",
      "title": "Data Quality Operations",
      "family": "DCH",
      "description": "Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.",
      "scf_question": "Does the organization check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Product / project management",
        "small": "∙ Product / project management",
        "medium": "∙ Product / project management",
        "large": "∙ Product / project management\n∙ Data governance program",
        "enterprise": "∙ Product / project management\n∙ Data governance program"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF7"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.1",
          "CC2.1-POF4",
          "CC2.1-POF8"
        ],
        "general-cobit-2019": [
          "APO11.01",
          "APO11.02",
          "APO11.03",
          "APO11.04",
          "APO11.05",
          "APO14.06",
          "APO14.07",
          "BAI08.04"
        ],
        "general-coso-2013": [
          "13"
        ],
        "general-iso-42001-2023": [
          "A.7",
          "A.7.2",
          "A.7.3",
          "A.7.4",
          "A.7.5",
          "A.7.6"
        ],
        "general-nist-800-37-r2": [
          "TASK P-13"
        ],
        "general-nist-800-53-r4": [
          "DI-1"
        ],
        "general-nist-800-53-r5-2": [
          "PM-22",
          "SI-18",
          "SI-18(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-22",
          "SI-18"
        ],
        "general-nist-800-82-r3": [
          "PM-22",
          "SI-18",
          "SI-18(01)"
        ],
        "general-nist-800-82-r3-low": [
          "PM-22"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-22"
        ],
        "general-nist-800-82-r3-high": [
          "PM-22"
        ],
        "general-nist-800-161-r1": [
          "PM-22"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-22"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-22"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-22"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-22"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-22"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-22"
        ],
        "usa-federal-cms-marse-2-0": [
          "DI-1",
          "DI-1.a",
          "DI-1.b",
          "DI-1.c",
          "DI-1.d"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(c)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-22"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.3",
          "Article 17.1(f)"
        ],
        "emea-gbr-dpa-1998": [
          "Chapter29-Schedule1-Part1-Principle 1"
        ],
        "apac-chn-pipl-2021": [
          "8"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.8.1",
          "5.8.2"
        ]
      }
    },
    {
      "control_id": "DCH-22.1",
      "title": "Updating & Correcting Personal Data (PD)",
      "family": "DCH",
      "description": "Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.",
      "scf_question": "Does the organization utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Product / project management",
        "small": "∙ Product / project management",
        "medium": "∙ Product / project management",
        "large": "∙ Product / project management\n∙ Data governance program",
        "enterprise": "∙ Product / project management\n∙ Data governance program"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P5.1",
          "P5.2"
        ],
        "general-cobit-2019": [
          "APO14.07"
        ],
        "general-nist-800-53-r4": [
          "IP-3"
        ],
        "general-nist-800-53-r5-2": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "general-nist-800-82-r3": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "general-scf-dpmp-2025": [
          "5.15",
          "6.1",
          "6.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(vi)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.526(a)(1)",
          "164.526(b)(1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IP-3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(c)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A.2"
        ],
        "emea-aut-fappd-2000": [
          "Sec 27"
        ],
        "emea-bel-act-8-1992": [
          "10",
          "12"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 20"
        ],
        "emea-grc-pirppd-1997": [
          "13"
        ],
        "emea-hun-isdfi-2011": [
          "14",
          "15",
          "17"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-ppl-5741-1981": [
          "14"
        ],
        "emea-ita-pdpc-2003": [
          "7"
        ],
        "emea-nor-pda-2018": [
          "27"
        ],
        "emea-pol-act-29-1997": [
          "32"
        ],
        "emea-rus-federal-law-27-2006": [
          "17"
        ],
        "emea-sau-pdpl-2023": [
          "Article 17.1"
        ],
        "emea-zaf-popia-2013": [
          "24"
        ],
        "emea-esp-decree-1720-2007": [
          "23",
          "24",
          "31",
          "32"
        ],
        "emea-che-fadp-2025": [
          "5"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 13"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 13"
        ],
        "apac-chn-csnip-2012": [
          "8"
        ],
        "apac-chn-pipl-2021": [
          "46",
          "49"
        ],
        "apac-hkg-pdo-2022": [
          "Sec 22"
        ],
        "apac-jpn-ppi-2020": [
          "26(1)",
          "26(1)(i)",
          "26(1)(ii)",
          "29(1)",
          "29(2)",
          "29(3)"
        ],
        "apac-mys-pdpa-2010": [
          "34"
        ],
        "apac-nzl-privacy-act-2020": [
          "P6-(2)",
          "Principle 7",
          "P7-(1)",
          "P7-(2)",
          "P7-(3)(a)",
          "P7-(3)(b)",
          "P7-(4)",
          "P7-(5)",
          "P7-(6)"
        ],
        "apac-phl-dpa-2012": [
          "34"
        ],
        "apac-sgp-pdpa-2012": [
          "22"
        ],
        "apac-kor-pipa-2011": [
          "4",
          "36"
        ],
        "apac-twn-pdpa-2025": [
          "3"
        ],
        "americas-arg-ppd-2018": [
          "16.1",
          "16.3"
        ],
        "americas-bhs-dpa-2003": [
          "10"
        ],
        "americas-bra-lgpd-2018": [
          "18.3"
        ],
        "americas-can-pipeda-2000": [
          "Principle 10"
        ],
        "americas-chl-act-19628-1999": [
          "13"
        ],
        "americas-col-law-1581-2012": [
          "8",
          "11"
        ],
        "americas-mex-fdpa-2010": [
          "24",
          "28",
          "29"
        ]
      }
    },
    {
      "control_id": "DCH-22.2",
      "title": "Data Tags",
      "family": "DCH",
      "description": "Mechanisms exist to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.",
      "scf_question": "Does the organization utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Metadata tagging",
        "small": "∙ Data classification program\n∙ Metadata tagging",
        "medium": "∙ Data classification program\n∙ Metadata tagging",
        "large": "∙ Data classification program\n∙ Metadata tagging",
        "enterprise": "∙ Data classification program\n∙ Metadata tagging"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PT-02(01)",
          "PT-03(01)",
          "SI-18(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-03(01)"
        ],
        "general-nist-800-82-r3": [
          "PT-02(01)",
          "PT-03(01)",
          "SI-18(02)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.DLABE"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PT-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PT-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PT-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PT-03(01)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ]
      }
    },
    {
      "control_id": "DCH-22.3",
      "title": "Primary Source Personal Data (PD) Collection",
      "family": "DCH",
      "description": "Mechanisms exist to collect Personal Data (PD) directly from the individual.",
      "scf_question": "Does the organization collect Personal Data (PD) directly from the individual?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to collect Personal Data (PD) directly from the individual.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management\n∙ Data governance program"
      },
      "risks": [
        "R-AM-3",
        "R-BC-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-iso-29100-2024": [
          "6.7"
        ],
        "general-nist-800-53-r5-2": [
          "SI-18(03)",
          "SI-19(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-19(01)"
        ],
        "general-nist-800-82-r3": [
          "SI-18(03)",
          "SI-19(01)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-19(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-19(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-19(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-19(01)"
        ],
        "emea-sau-pdpl-2023": [
          "Article 10"
        ],
        "apac-jpn-ppi-2020": [
          "17(1)"
        ]
      }
    },
    {
      "control_id": "DCH-23",
      "title": "De-Identification (Anonymization)",
      "family": "DCH",
      "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
      "scf_question": "Does the organization anonymize data by removing Personal Data (PD) from datasets?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to anonymize data by removing Personal Data (PD) from datasets.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-csa-iot-2": [
          "GVN-05"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "5.2 - CR 4.1"
        ],
        "general-iso-27002-2022": [
          "8.33"
        ],
        "general-iso-27018-2025": [
          "8.33"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.2-002",
          "MS-2.2-004"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DP-P2",
          "CT.DP-P3"
        ],
        "general-nist-800-53-r4": [
          "DM-1(1)",
          "DM-3(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-19"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-19"
        ],
        "general-nist-800-82-r3": [
          "SI-19"
        ],
        "general-scf-dpmp-2025": [
          "5.1"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "III.14.a.i",
          "III.14.g.i"
        ],
        "usa-federal-cms-marse-2-0": [
          "DM-1(1)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.583(1)(a)(A)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 7(1)(a)(A)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(C)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.106(a)(1)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-581.A.1"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.5(b)"
        ],
        "emea-ken-pda-2019": [
          "39(2)"
        ],
        "emea-srb-act-9-2018": [
          "50.1"
        ],
        "apac-jpn-ppi-2020": [
          "35-2(1)",
          "35-2(2)",
          "35-2(3)",
          "35-2(4)",
          "35-2(5)",
          "35-2(6)",
          "35-2(7)",
          "35-2(8)",
          "35-2(9)",
          "36(1)",
          "36(2)",
          "36(3)",
          "36(4)",
          "37",
          "38",
          "39"
        ],
        "americas-bra-lgpd-2018": [
          "12"
        ]
      }
    },
    {
      "control_id": "DCH-23.1",
      "title": "De-Identify Dataset Upon Collection",
      "family": "DCH",
      "description": "Mechanisms exist to de-identify the dataset upon collection by not collecting Personal Data (PD).",
      "scf_question": "Does the organization de-identify the dataset upon collection by not collecting Personal Data (PD)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to de-identify the dataset upon collection by not collecting Personal Data (PD).",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-19(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-19(01)"
        ],
        "general-nist-800-82-r3": [
          "SI-19(01)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-19(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-19(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-19(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-19(01)"
        ]
      }
    },
    {
      "control_id": "DCH-23.2",
      "title": "Archiving",
      "family": "DCH",
      "description": "Mechanisms exist to refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived.",
      "scf_question": "Does the organization refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-19(02)"
        ],
        "general-nist-800-82-r3": [
          "SI-19(02)"
        ]
      }
    },
    {
      "control_id": "DCH-23.3",
      "title": "Release",
      "family": "DCH",
      "description": "Mechanisms exist to remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.",
      "scf_question": "Does the organization remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-19(03)"
        ],
        "general-nist-800-82-r3": [
          "SI-19(03)"
        ]
      }
    },
    {
      "control_id": "DCH-23.4",
      "title": "Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers",
      "family": "DCH",
      "description": "Mechanisms exist to remove, mask, encrypt, hash or replace direct identifiers in a dataset.",
      "scf_question": "Does the organization remove, mask, encrypt, hash or replace direct identifiers in a dataset?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to remove, mask, encrypt, hash or replace direct identifiers in a dataset.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-iso-27002-2022": [
          "8.11"
        ],
        "general-iso-27018-2025": [
          "8.11"
        ],
        "general-nist-800-53-r5-2": [
          "SI-19(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-19(04)"
        ],
        "general-nist-800-82-r3": [
          "SI-19(04)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-19(04)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-19(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-19(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-19(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-19(04)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(C)"
        ]
      }
    },
    {
      "control_id": "DCH-23.5",
      "title": "Statistical Disclosure Control",
      "family": "DCH",
      "description": "Mechanisms exist to manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis.",
      "scf_question": "Does the organization manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-19(05)"
        ],
        "general-nist-800-82-r3": [
          "SI-19(05)"
        ]
      }
    },
    {
      "control_id": "DCH-23.6",
      "title": "Differential Data Privacy",
      "family": "DCH",
      "description": "Mechanisms exist to prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported.",
      "scf_question": "Does the organization prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-19(06)"
        ],
        "general-nist-800-82-r3": [
          "SI-19(06)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-19(06)"
        ]
      }
    },
    {
      "control_id": "DCH-23.7",
      "title": "Automated De-Identification of Sensitive Data",
      "family": "DCH",
      "description": "Mechanisms exist to perform de-identification of sensitive/regulated data, using validated algorithms and software to implement the algorithms.",
      "scf_question": "Does the organization perform de-identification of sensitive/regulated data, using validated algorithms and software to implement the algorithms?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform de-identification of sensitive/regulated data, using validated algorithms and software to implement the algorithms.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-19(07)"
        ],
        "general-nist-800-82-r3": [
          "SI-19(07)"
        ]
      }
    },
    {
      "control_id": "DCH-23.8",
      "title": "Motivated Intruder",
      "family": "DCH",
      "description": "Mechanisms exist to perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.",
      "scf_question": "Does the organization perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Product / project management\n∙ Data governance program",
        "enterprise": "∙ Data classification program\n∙ Product / project management\n∙ Data governance program"
      },
      "risks": [
        "R-AM-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-19(08)"
        ],
        "general-nist-800-82-r3": [
          "SI-19(08)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-19(08)"
        ]
      }
    },
    {
      "control_id": "DCH-23.9",
      "title": "Code Names",
      "family": "DCH",
      "description": "Mechanisms exist to use aliases to name assets that are mission-critical and/or contain highly-sensitive/regulated data, where the aliases are unique and not readily associated with a product, project or type of data.",
      "scf_question": "Does the organization use aliases to name assets that are mission-critical and/or contain highly-sensitive/regulated data, where the aliases are unique and not readily associated with a product, project or type of data?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to use aliases to name assets that are mission-critical and/or contain highly-sensitive/regulated data, where the aliases are unique and not readily associated with a product, project or type of data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "OP-3.1"
        ]
      }
    },
    {
      "control_id": "DCH-24",
      "title": "Information Location",
      "family": "DCH",
      "description": "Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.",
      "scf_question": "Does the organization identify and document the location of information and the specific system components on which the information resides?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-23"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to document where sensitive/regulated data is stored, transmitted and/or processed.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document the location of information and the specific system components on which the information resides.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "small": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "medium": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "large": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management\n∙ Data governance program",
        "enterprise": "∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF9"
        ],
        "general-mitre-att&ck-16-1": [
          "T1005",
          "T1025"
        ],
        "general-nist-800-53-r5-2": [
          "CM-12"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-12"
        ],
        "general-nist-800-82-r3": [
          "CM-12"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-12"
        ],
        "general-nist-800-82-r3-high": [
          "CM-12"
        ],
        "general-nist-800-161-r1": [
          "CM-12"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-12"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-12"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.11.a[01]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-scf-dpmp-2025": [
          "5.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-12"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-12"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-12"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-12",
          "CM-12(CE-1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-12"
        ],
        "emea-aut-fappd-2000": [
          "Sec 10"
        ],
        "emea-bel-act-8-1992": [
          "Chapter 4 - 16"
        ],
        "emea-hun-isdfi-2011": [
          "7"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36"
        ],
        "emea-rus-federal-law-27-2006": [
          "7"
        ],
        "emea-sau-ecc-1-2018": [
          "4-2-3-1"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "21"
        ],
        "apac-jpn-ppi-2020": [
          "20"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-phl-dpa-2012": [
          "25"
        ],
        "apac-sgp-pdpa-2012": [
          "24",
          "26"
        ],
        "apac-kor-pipa-2011": [
          "17",
          "27"
        ],
        "americas-can-pipeda-2000": [
          "Sec 20"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "26"
        ]
      }
    },
    {
      "control_id": "DCH-24.1",
      "title": "Automated Tools to Support Information Location",
      "family": "DCH",
      "description": "Automated mechanisms exist to identify by data classification type to ensure adequate security, compliance and resilience controls are in place to protect organizational information and individual data protection.",
      "scf_question": "Does the organization identify by data classification type to ensure adequate security, compliance and resilience controls are in place to protect organizational information and individual data protection?",
      "relative_weight": 6,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically identify by data classification type to ensure adequate security, compliance and resilience controls are in place to protect organizational information and individual data protection.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data Rights Management (DRM) solution",
        "small": "∙ Data Rights Management (DRM) solution",
        "medium": "∙ Data Rights Management (DRM) solution",
        "large": "∙ Data Rights Management (DRM) solution",
        "enterprise": "∙ Data Rights Management (DRM) solution"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "CM-12(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-12(01)"
        ],
        "general-nist-800-82-r3": [
          "CM-12(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-12(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-12(01)"
        ],
        "general-nist-800-161-r1": [
          "CM-12(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-12(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-12(1)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4",
          "NIST Tenet 7"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-12(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-12(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-12(01)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 10"
        ],
        "emea-bel-act-8-1992": [
          "Chapter 4 - 16"
        ],
        "emea-hun-isdfi-2011": [
          "7"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36"
        ],
        "emea-rus-federal-law-27-2006": [
          "7"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "21"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-phl-dpa-2012": [
          "25"
        ],
        "apac-sgp-pdpa-2012": [
          "24",
          "26"
        ],
        "apac-kor-pipa-2011": [
          "17",
          "27"
        ],
        "americas-can-pipeda-2000": [
          "Sec 20"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "26"
        ]
      }
    },
    {
      "control_id": "DCH-25",
      "title": "Transfer of Sensitive and/or Regulated Data",
      "family": "DCH",
      "description": "Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations.",
      "scf_question": "Does the organization restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations.",
        "4": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Data Classification & Handling (DCH) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Model contracts\n∙ Binding Corporate Rules (BCR)",
        "small": "∙ Model contracts\n∙ Binding Corporate Rules (BCR)",
        "medium": "∙ Model contracts\n∙ Binding Corporate Rules (BCR)",
        "large": "∙ Model contracts\n∙ Binding Corporate Rules (BCR)",
        "enterprise": "∙ Model contracts\n∙ Binding Corporate Rules (BCR)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.1",
          "S7.3"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-03"
        ],
        "general-csa-iot-2": [
          "LGL-08"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-scf-dpmp-2025": [
          "5.6"
        ],
        "general-swift-cscf-2025": [
          "2.4",
          "2.5A",
          "2.9"
        ],
        "emea-eu-gdpr-2016": [
          "Article 44",
          "Article 45.1",
          "Article 46.1",
          "Article 46.2",
          "Article 46.2(a)",
          "Article 49.1",
          "Article 49.1(a)",
          "Article 49.1(b)",
          "Article 49.1(c)",
          "Article 49.1(d)",
          "Article 49.1(e)",
          "Article 49.1(f)",
          "Article 49.1(g)",
          "Article 49.2",
          "Article 49.3",
          "Article 49.4",
          "Article 49.6"
        ],
        "emea-aut-fappd-2000": [
          "Sec 10"
        ],
        "emea-isr-cmo-1-0": [
          "10.5"
        ],
        "emea-ken-pda-2019": [
          "25(h)",
          "48(a)",
          "48(b)",
          "48(c)(i)",
          "48(c)(ii)",
          "48(c)(iii)",
          "48(c)(iv)",
          "48(c)(v)",
          "48(c)(vi)",
          "49(1)",
          "49(2)",
          "49(3)",
          "50"
        ],
        "emea-nga-dpr-2019": [
          "2.11",
          "2.11(a)",
          "2.11(b)",
          "2.11(c)",
          "2.11(d)",
          "2.11(e)",
          "2.12",
          "2.12(a)",
          "2.12(b)",
          "2.12(c)",
          "2.12(d)",
          "2.12(e)",
          "2.12(f)"
        ],
        "emea-qat-pdppl-2020": [
          "15"
        ],
        "emea-sau-cscc-1-2019": [
          "2-6-1-5"
        ],
        "emea-sau-pdpl-2023": [
          "Article 29.1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-30"
        ],
        "emea-srb-act-9-2018": [
          "23",
          "63",
          "63.1",
          "63.2",
          "63.3",
          "63.4",
          "65",
          "68",
          "69",
          "69.x",
          "70",
          "70.1",
          "70.2",
          "70.3",
          "70.4",
          "70.5",
          "71",
          "71.1",
          "71.2",
          "71.3",
          "71.4",
          "71.5"
        ],
        "emea-zaf-popia-2013": [
          "72"
        ],
        "apac-jpn-ppi-2020": [
          "24(1)"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 12",
          "P12-(1)",
          "P12-(1)(a)",
          "P12-(1)(b)",
          "P12-(1)(c)",
          "P12-(1)(d)",
          "P12-(1)(e)",
          "P12-(1)(f)",
          "P12-(2)",
          "P12-(3)"
        ],
        "apac-sgp-pdpa-2012": [
          "24",
          "26"
        ],
        "apac-kor-pipa-2011": [
          "17",
          "26",
          "27"
        ],
        "americas-can-pipeda-2000": [
          "Sec 20"
        ],
        "americas-col-law-1581-2012": [
          "26"
        ]
      }
    },
    {
      "control_id": "DCH-25.1",
      "title": "Transfer Activity Limits",
      "family": "DCH",
      "description": "Mechanisms exist to establish organization-defined \"normal business activities\" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.",
      "scf_question": "Does the organization establish organization-defined \"normal business activities\" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Data Classification & Handling (DCH) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data classification and handling-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data classification and handling management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A formalized data classification scheme exists to identify categories of data, based on protection requirements from applicable laws, regulations and/or contractual obligations.",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish organization-defined \"normal business activities\" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Indicators of Fraud (IoF) (e.g., fraud \"red flags\")",
        "small": "∙ Indicators of Fraud (IoF) (e.g., fraud \"red flags\")",
        "medium": "∙ Indicators of Fraud (IoF) (e.g., fraud \"red flags\")",
        "large": "∙ Indicators of Fraud (IoF) (e.g., fraud \"red flags\")",
        "enterprise": "∙ Indicators of Fraud (IoF) (e.g., fraud \"red flags\")"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-shared-assessments-sig-2025": [
          "L.6"
        ],
        "general-swift-cscf-2025": [
          "2.9"
        ]
      }
    },
    {
      "control_id": "DCH-26",
      "title": "Data Localization",
      "family": "DCH",
      "description": "Mechanisms exist to constrain the impact of \"digital sovereignty laws,\" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization constrain the impact of \"digital sovereignty laws,\" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to constrain the impact of \"digital sovereignty laws,\" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Governance, Risk & Compliance (GRC) program\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "small": "∙ Governance, Risk & Compliance (GRC) program\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "medium": "∙ Governance, Risk & Compliance (GRC) program\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "large": "∙ Governance, Risk & Compliance (GRC) program\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management\n∙ Data governance program",
        "enterprise": "∙ Governance, Risk & Compliance (GRC) program\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management\n∙ Data governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "emea-ken-pda-2019": [
          "50"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 37"
        ],
        "apac-chn-data-security-law-2021": [
          "36"
        ],
        "apac-chn-pipl-2021": [
          "36",
          "38",
          "40"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S2"
        ]
      }
    },
    {
      "control_id": "DCH-27",
      "title": "Data Rights Management (DRM)",
      "family": "DCH",
      "description": "Mechanisms exist to utilize Data Rights Management (DRM), or similar technologies, to protect Intellectual Property (IP) rights by preventing the unauthorized distribution and/or modification of sensitive IP.",
      "scf_question": "Does the organization utilize Data Rights Management (DRM), or similar technologies, to protect Intellectual Property (IP) rights by preventing the unauthorized distribution and/or modification of sensitive IP?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Data Classification & Handling (DCH) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with DCH domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Data Classification & Handling (DCH) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with DCH domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are well-documented and kept current by process owners.\n▪ A Governance, Risk & Compliance (GRC) team, or similar function, is appropriately staffed and supported to implement and maintain DCH domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data classification and handling operations (e.g., GRC platform).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with DCH domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize Data Rights Management (DRM), or similar technologies, to protect Intellectual Property (IP) rights by preventing the unauthorized distribution and/or modification of sensitive IP.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data Rights Management (DRM) solution",
        "small": "∙ Data Rights Management (DRM) solution",
        "medium": "∙ Data Rights Management (DRM) solution",
        "large": "∙ Data Rights Management (DRM) solution",
        "enterprise": "∙ Data Rights Management (DRM) solution"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Classification & Handling",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.3.4",
          "4.4.2",
          "4.5",
          "4.5.1",
          "4.5.2",
          "4.5.3",
          "4.5.4",
          "4.5.5",
          "4.7",
          "4.7.4",
          "4.7.6",
          "4.7.7"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.3"
        ]
      }
    },
    {
      "control_id": "EMB-01",
      "title": "Embedded Technology Security Program",
      "family": "EMB",
      "description": "Mechanisms exist to facilitate the implementation of embedded technology controls.",
      "scf_question": "Does the organization facilitate the implementation of embedded technology controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Embedded Technology (EMB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with EMB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Embedded technology management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Embedded technologies (e.g., Operational Technology (OT) and Internet of Things (IoT)) are managed in the same manner as any other technology asset.",
        "2": "Embedded Technology (EMB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Embedded technology-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Embedded technology management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Embedded technologies (e.g., IoT and OT) are governed according to the same processes used for generic Technology Assets, Applications and/or Services (TAAS), where no formal, dedicated embedded technology governance process exists.\n▪ Business stakeholders and process owners are expected to take the initiative to work with IT and/or cybersecurity personnel to ensure applicable statutory, regulatory and/or contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.\n▪ Secure Baseline Configurations (SBCs) protect embedded technologies commensurate with the criticality of the device and/or sensitivity of the data, in accordance with applicable laws, regulations and frameworks.",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of embedded technology controls.",
        "4": "Embedded Technology (EMB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT Asset Management (ITAM) program",
        "small": "∙ IT Asset Management (ITAM) program",
        "medium": "∙ IT Asset Management (ITAM) program",
        "large": "∙ IT Asset Management (ITAM) program",
        "enterprise": "∙ IT Asset Management (ITAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "GVN-01",
          "GVN-02",
          "POL-03",
          "VLN-04"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.3"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A05:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-scf-dpmp-2025": [
          "7.4"
        ],
        "general-shared-assessments-sig-2025": [
          "M.1.1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.D"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2j"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.4.2"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-isr-cmo-1-0": [
          "12.1",
          "12.2",
          "12.3"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-1",
          "1-1-2",
          "2-4-6",
          "2-5-1"
        ],
        "emea-sau-ecc-1-2018": [
          "5-1-1",
          "5-1-2",
          "5-1-3",
          "5-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1-2",
          "1-6",
          "2-1-2",
          "2-3-2"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.5.1",
          "11.5.2",
          "11.5.3",
          "11.5.4",
          "11.5.5"
        ]
      }
    },
    {
      "control_id": "EMB-02",
      "title": "Internet of Things (IOT)",
      "family": "EMB",
      "description": "Mechanisms exist to proactively manage the security, compliance and resilience risks associated with Internet of Things (IoT).",
      "scf_question": "Does the organization proactively manage the security, compliance and resilience risks associated with Internet of Things (IoT)?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Embedded Technology (EMB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with EMB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Embedded technology management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Embedded technologies (e.g., Operational Technology (OT) and Internet of Things (IoT)) are managed in the same manner as any other technology asset.",
        "2": "Embedded Technology (EMB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Embedded technology-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Embedded technology management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Embedded technologies (e.g., IoT and OT) are governed according to the same processes used for generic Technology Assets, Applications and/or Services (TAAS), where no formal, dedicated embedded technology governance process exists.\n▪ Business stakeholders and process owners are expected to take the initiative to work with IT and/or cybersecurity personnel to ensure applicable statutory, regulatory and/or contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.\n▪ Secure Baseline Configurations (SBCs) protect embedded technologies commensurate with the criticality of the device and/or sensitivity of the data, in accordance with applicable laws, regulations and frameworks.\n▪ Special baselines for embedded technologies configurations are created for higher-risk environments.\n▪ Unauthorized configuration changes to embedded technologies are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to proactively manage the security, compliance and resilience risks associated with Internet of Things (IoT).",
        "4": "Embedded Technology (EMB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Embedded Technology",
      "crosswalks": {
        "emea-sau-cgiot-2024": [
          "2-5-1"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 11",
          "Principle 13"
        ],
        "apac-chn-pipl-2021": [
          "26"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.5.1",
          "11.5.2",
          "11.5.3",
          "11.5.4",
          "11.5.5"
        ]
      }
    },
    {
      "control_id": "EMB-03",
      "title": "Operational Technology (OT)",
      "family": "EMB",
      "description": "Mechanisms exist to proactively manage the security, compliance and resilience risks associated with Operational Technology (OT).",
      "scf_question": "Does the organization proactively manage the security, compliance and resilience risks associated with Operational Technology (OT)?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Embedded Technology (EMB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with EMB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Embedded technology management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Embedded technologies (e.g., Operational Technology (OT) and Internet of Things (IoT)) are managed in the same manner as any other technology asset.",
        "2": "Embedded Technology (EMB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Embedded technology-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Embedded technology management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Embedded technologies (e.g., IoT and OT) are governed according to the same processes used for generic Technology Assets, Applications and/or Services (TAAS), where no formal, dedicated embedded technology governance process exists.\n▪ Business stakeholders and process owners are expected to take the initiative to work with IT and/or cybersecurity personnel to ensure applicable statutory, regulatory and/or contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.\n▪ Secure Baseline Configurations (SBCs) protect embedded technologies commensurate with the criticality of the device and/or sensitivity of the data, in accordance with applicable laws, regulations and frameworks.\n▪ Special baseline configurations for embedded technologies are created for higher-risk environments.\n▪ Unauthorized configuration changes to embedded technologies are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration change is malicious in nature.",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) or Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to proactively manage the security, compliance and resilience risks associated with Operational Technology (OT).",
        "4": "Embedded Technology (EMB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Data classification program\n∙ Sensitive data inventories\n∙ Data Flow Diagram (DFD)\n∙ System Security & Privacy Plan (SSPP)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Embedded Technology",
      "crosswalks": {
        "emea-zaf-popia-2013": [
          "19"
        ]
      }
    },
    {
      "control_id": "EMB-04",
      "title": "Interface Security",
      "family": "EMB",
      "description": "Mechanisms exist to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s).",
      "scf_question": "Does the organization protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s)?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Embedded Technology (EMB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Embedded technology-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Embedded technology management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Embedded technologies (e.g., IoT and OT) are governed according to the same processes used for generic Technology Assets, Applications and/or Services (TAAS), where no formal, dedicated embedded technology governance process exists.\n▪ Business stakeholders and process owners are expected to take the initiative to work with IT and/or cybersecurity personnel to ensure applicable statutory, regulatory and/or contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.\n▪ Secure Baseline Configurations (SBCs) protect embedded technologies commensurate with the criticality of the device and/or sensitivity of the data, in accordance with applicable laws, regulations and frameworks.\n▪ Special baseline configurations for embedded technologies are created for higher-risk environments.",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) or Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "IOT-05",
          "PHY-01"
        ],
        "general-sparta": [
          "CM0037"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.V"
        ],
        "emea-sau-cgiot-2024": [
          "2-14-1"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 6",
          "Principle 13"
        ]
      }
    },
    {
      "control_id": "EMB-05",
      "title": "Embedded Technology Configuration Monitoring",
      "family": "EMB",
      "description": "Mechanisms exist to generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected.",
      "scf_question": "Does the organization generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Embedded Technology (EMB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Embedded technology-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Embedded technology management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Embedded technologies (e.g., IoT and OT) are governed according to the same processes used for generic Technology Assets, Applications and/or Services (TAAS), where no formal, dedicated embedded technology governance process exists.\n▪ Business stakeholders and process owners are expected to take the initiative to work with IT and/or cybersecurity personnel to ensure applicable statutory, regulatory and/or contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.\n▪ Secure Baseline Configurations (SBCs) protect embedded technologies commensurate with the criticality of the device and/or sensitivity of the data, in accordance with applicable laws, regulations and frameworks.\n▪ Unauthorized configuration changes to embedded technologies are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration change is malicious in nature.",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) or Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Inventory embedded devices and document security settings",
        "small": "∙ Embedded device inventory\n∙ Default credential change policy",
        "medium": "∙ Embedded/IoT device security program\n∙ Network segmentation for IoT",
        "large": "∙ IoT/OT security program\n∙ Network segmentation\n∙ IoT security platform (e.g., Claroty, Armis)",
        "enterprise": "∙ Enterprise IoT/OT security platform (e.g., Claroty, Armis, Dragos)\n∙ Zero-trust IoT architecture"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "CCM-03",
          "GVN-05",
          "PHY-01",
          "SNT-03"
        ],
        "general-iec-62443-4-2-2019": [
          "EDR 3.11(1)"
        ],
        "general-owasp-top-10-2025": [
          "A05:2025"
        ],
        "emea-sau-cgiot-2024": [
          "2-11-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-4"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 8",
          "Principle 10"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.5.5"
        ]
      }
    },
    {
      "control_id": "EMB-06",
      "title": "Prevent Alterations",
      "family": "EMB",
      "description": "Mechanisms exist to protect embedded devices by preventing the unauthorized installation and execution of software.",
      "scf_question": "Does the organization protect embedded devices by preventing the unauthorized installation and execution of software?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Embedded Technology (EMB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Embedded technology-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Embedded technology management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Embedded technologies (e.g., IoT and OT) are governed according to the same processes used for generic Technology Assets, Applications and/or Services (TAAS), where no formal, dedicated embedded technology governance process exists.\n▪ Business stakeholders and process owners are expected to take the initiative to work with IT and/or cybersecurity personnel to ensure applicable statutory, regulatory and/or contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.\n▪ Secure Baseline Configurations (SBCs) protect embedded technologies commensurate with the criticality of the device and/or sensitivity of the data, in accordance with applicable laws, regulations and frameworks.\n▪ Unauthorized configuration changes to embedded technologies are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration change is malicious in nature.",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) or Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect embedded devices by preventing the unauthorized installation and execution of software.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "IOT-05"
        ],
        "general-iec-62443-4-2-2019": [
          "EDR 3.2"
        ],
        "general-owasp-top-10-2025": [
          "A05:2025"
        ],
        "general-sparta": [
          "CM0037"
        ],
        "emea-sau-cgiot-2024": [
          "2-6-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-2",
          "1-5-3",
          "1-5-4",
          "2-3-1-5",
          "2-3-1-6"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 6"
        ]
      }
    },
    {
      "control_id": "EMB-07",
      "title": "Embedded Technology Maintenance",
      "family": "EMB",
      "description": "Mechanisms exist to securely update software and upgrade functionality on embedded devices.",
      "scf_question": "Does the organization securely update software and upgrade functionality on embedded devices?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Embedded Technology (EMB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Embedded technology-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Embedded technology management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Embedded technologies (e.g., IoT and OT) are governed according to the same processes used for generic Technology Assets, Applications and/or Services (TAAS), where no formal, dedicated embedded technology governance process exists.\n▪ Business stakeholders and process owners are expected to take the initiative to work with IT and/or cybersecurity personnel to ensure applicable statutory, regulatory and/or contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.\n▪ Secure Baseline Configurations (SBCs) protect embedded technologies commensurate with the criticality of the device and/or sensitivity of the data, in accordance with applicable laws, regulations and frameworks.\n▪ Unauthorized configuration changes to 
embedded technologies are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMBD) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to securely update software and upgrade functionality on embedded devices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)",
        "small": "∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)",
        "medium": "∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)",
        "large": "∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)",
        "enterprise": "∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "emea-sau-cgiot-2024": [
          "2-4-6"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-4",
          "2-2-1-4"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 3",
          "Principle 12"
        ]
      }
    },
    {
      "control_id": "EMB-08",
      "title": "Resilience To Outages",
      "family": "EMB",
      "description": "Mechanisms exist to configure embedded technology to be resilient to data network and power outages.",
      "scf_question": "Does the organization configure embedded technology to be resilient to data network and power outages?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Embedded Technology (EMB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Embedded technology-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Embedded technology management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Embedded technologies (e.g., IoT and OT) are governed according to the same processes used for generic Technology Assets, Applications and/or Services (TAAS), where no formal, dedicated embedded technology governance process exists.\n▪ Business stakeholders and process owners are expected to take the initiative to work with IT and/or cybersecurity personnel to ensure applicable statutory, regulatory and/or contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.\n▪ Secure Baseline Configurations (SBCs) protect embedded technologies commensurate with the criticality of the device and/or sensitivity of the data, in accordance with applicable laws, regulations and frameworks.",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMBD) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure embedded technology to be resilient to data network and power outages.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Inventory embedded devices and document security settings",
        "small": "∙ Embedded device inventory\n∙ Default credential change policy",
        "medium": "∙ Embedded/IoT device security program\n∙ Network segmentation for IoT",
        "large": "∙ IoT/OT security program\n∙ Network segmentation\n∙ IoT security platform (e.g., Claroty, Armis)",
        "enterprise": "∙ Enterprise IoT/OT security platform (e.g., Claroty, Armis, Dragos)\n∙ Zero-trust IoT architecture"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "SAP-03"
        ],
        "emea-sau-cgiot-2024": [
          "3-1-1",
          "3-1-2"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 9"
        ]
      }
    },
    {
      "control_id": "EMB-09",
      "title": "Power Level Monitoring",
      "family": "EMB",
      "description": "Automated mechanisms exist to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering.",
      "scf_question": "Does the organization use automated mechanisms to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering?",
      "relative_weight": 4,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMBD) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Inventory embedded devices and document security settings",
        "small": "∙ Embedded device inventory\n∙ Default credential change policy",
        "medium": "∙ Embedded/IoT device security program\n∙ Network segmentation for IoT",
        "large": "∙ IoT/OT security program\n∙ Network segmentation\n∙ IoT security platform (e.g., Claroty, Armis)",
        "enterprise": "∙ Enterprise IoT/OT security platform (e.g., Claroty, Armis, Dragos)\n∙ Zero-trust IoT architecture"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-6",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "ASM-03"
        ],
        "emea-sau-cgiot-2024": [
          "2-11-2"
        ]
      }
    },
    {
      "control_id": "EMB-10",
      "title": "Embedded Technology Reviews",
      "family": "EMB",
      "description": "Mechanisms exist to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.",
      "scf_question": "Does the organization perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMBD) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configuration Management (CM) program\n∙ Technology maintenance program\n∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)\n∙ Configuration Management Database (CMDB)",
        "small": "∙ Configuration Management (CM) program\n∙ Technology maintenance program\n∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)\n∙ Configuration Management Database (CMDB)",
        "medium": "∙ Configuration Management (CM) program\n∙ Technology maintenance program\n∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)\n∙ Configuration Management Database (CMDB)",
        "large": "∙ Configuration Management (CM) program\n∙ Technology maintenance program\n∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)\n∙ Configuration Management Database (CMDB)",
        "enterprise": "∙ Configuration Management (CM) program\n∙ Technology maintenance program\n∙ Technology maintenance program\n∙ Vulnerability & Patch Management Program (VPMP)\n∙ Configuration Management Database (CMDB)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-6",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "CCM-01",
          "IOT-08"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.5"
        ],
        "emea-sau-otcc-1-2022": [
          "1-6",
          "1-6-1",
          "1-6-2",
          "2-1-2",
          "2-3-2",
          "2-7-2",
          "2-9-2"
        ]
      }
    },
    {
      "control_id": "EMB-11",
      "title": "Message Queuing Telemetry Transport (MQTT) Security",
      "family": "EMB",
      "description": "Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.",
      "scf_question": "Does the organization enforce the security of Message Queuing Telemetry Transport (MQTT) traffic?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "COM-01",
          "COM-07"
        ],
        "general-shared-assessments-sig-2025": [
          "N.2"
        ]
      }
    },
    {
      "control_id": "EMB-12",
      "title": "Restrict Communications",
      "family": "EMB",
      "description": "Mechanisms exist to require embedded technologies to initiate all communications and drop new, incoming communications.",
      "scf_question": "Does the organization require embedded technologies to initiate all communications and drop new, incoming communications?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require embedded technologies to initiate all communications and drop new, incoming communications.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "CLS-08",
          "COM-10"
        ]
      }
    },
    {
      "control_id": "EMB-13",
      "title": "Authorized Communications",
      "family": "EMB",
      "description": "Mechanisms exist to restrict embedded technologies to communicate only with authorized peers and service endpoints.",
      "scf_question": "Does the organization restrict embedded technologies to communicate only with authorized peers and service endpoints?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict embedded technologies to communicate only with authorized peers and service endpoints.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Network segmentation (logical and/or physical)\n∙ Access Control Lists (ACL)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "CLS-08",
          "COM-11",
          "SNT-04"
        ],
        "general-shared-assessments-sig-2025": [
          "M.1.1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-4",
          "2-2-1-7",
          "2-4-1",
          "2-4-1-1",
          "2-4-1-2",
          "2-4-1-3",
          "2-4-1-4",
          "2-4-1-5",
          "2-4-1-6",
          "2-4-1-7",
          "2-4-1-8",
          "2-4-1-9",
          "2-4-1-10",
          "2-4-1-11",
          "2-4-1-12",
          "2-4-1-13",
          "2-4-1-14",
          "2-4-1-15",
          "2-4-1-16"
        ]
      }
    },
    {
      "control_id": "EMB-14",
      "title": "Operating Environment Certification",
      "family": "EMB",
      "description": "Mechanisms exist to determine if embedded technologies are certified for secure use in the proposed operating environment.",
      "scf_question": "Does the organization determine if embedded technologies are certified for secure use in the proposed operating environment?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to determine if embedded technologies are certified for secure use in the proposed operating environment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Inventory embedded devices and document security settings",
        "small": "∙ Embedded device inventory\n∙ Default credential change policy",
        "medium": "∙ Embedded/IoT device security program\n∙ Network segmentation for IoT",
        "large": "∙ IoT/OT security program\n∙ Network segmentation\n∙ IoT security platform (e.g., Claroty, Armis)",
        "enterprise": "∙ Enterprise IoT/OT security platform (e.g., Claroty, Armis, Dragos)\n∙ Zero-trust IoT architecture"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "GVN-09",
          "IOT-07",
          "IOT-08",
          "LGL-01",
          "RSM-03"
        ],
        "general-ul-2900-2-2-2016": [
          "8.3",
          "9.2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-3-3",
          "2-4-1-15"
        ]
      }
    },
    {
      "control_id": "EMB-15",
      "title": "Safety Assessment",
      "family": "EMB",
      "description": "Mechanisms exist to evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure.",
      "scf_question": "Does the organization evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ IoT / OT safety assessment\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ IoT / OT safety assessment\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ IoT / OT safety assessment\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ IoT / OT safety assessment\n∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ IoT / OT safety assessment\n∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "GVN-09",
          "GVN-10",
          "LGL-01"
        ],
        "general-iec-62443-2-1-2024": [
          "DATA 1.3"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.12-001"
        ],
        "general-ul-2900-2-2-2016": [
          "8.3",
          "9.2"
        ]
      }
    },
    {
      "control_id": "EMB-16",
      "title": "Certificate-Based Authentication",
      "family": "EMB",
      "description": "Mechanisms exist to enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services.",
      "scf_question": "Does the organization enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Inventory embedded devices and document security settings",
        "small": "∙ Embedded device inventory\n∙ Default credential change policy",
        "medium": "∙ Embedded/IoT device security program\n∙ Network segmentation for IoT",
        "large": "∙ IoT/OT security program\n∙ Network segmentation\n∙ IoT security platform (e.g., Claroty, Armis)",
        "enterprise": "∙ Enterprise IoT/OT security platform (e.g., Claroty, Armis, Dragos)\n∙ Zero-trust IoT architecture"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "CLS-08",
          "IAM-03"
        ],
        "general-iec-62443-4-2-2019": [
          "EDR 3.10(1)",
          "HDR 2.4(1)"
        ]
      }
    },
    {
      "control_id": "EMB-17",
      "title": "Chip-To-Cloud Security",
      "family": "EMB",
      "description": "Mechanisms exist to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP).",
      "scf_question": "Does the organization implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "CLS-08",
          "IOT-04"
        ]
      }
    },
    {
      "control_id": "EMB-18",
      "title": "Real-Time Operating System (RTOS) Security",
      "family": "EMB",
      "description": "Mechanisms exist to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS).",
      "scf_question": "Does the organization ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "IOT-06",
          "IOT-07",
          "IOT-09"
        ]
      }
    },
    {
      "control_id": "EMB-19",
      "title": "Safe Operations",
      "family": "EMB",
      "description": "Mechanisms exist to continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured.",
      "scf_question": "Does the organization continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Embedded Technology (EMB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with EMB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with EMB domain capabilities are well-documented and kept current by process owners.\n▪ An embedded systems team, or similar function, is appropriately staffed and supported to implement and maintain EMB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of embedded technology operations (e.g., Configuration Management Database (CMDB) Asset Management solution).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with EMB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Embedded Technology",
      "crosswalks": {
        "general-csa-iot-2": [
          "SAP-02",
          "SAP-09"
        ],
        "emea-sau-otcc-1-2022": [
          "3-1-1-5"
        ]
      }
    },
    {
      "control_id": "END-01",
      "title": "Endpoint Device Management (EDM)",
      "family": "END",
      "description": "Mechanisms exist to facilitate the implementation of Endpoint Device Management (EDM) controls.",
      "scf_question": "Does the organization facilitate the implementation of Endpoint Device Management (EDM) controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-01",
        "E-END-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Anti-malware technologies are centralized, deployed on all technology assets that can run anti-malware software.\n▪ Anti-spam/phishing technologies are centralized and built into existing email capabilities.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of Endpoint Device Management (EDM) controls.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.3-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.7-POF4"
        ],
        "general-cis-csc-8-1": [
          "10.0"
        ],
        "general-cobit-2019": [
          "DSS05.03",
          "DSS05.07"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-02",
          "UEM-01",
          "UEM-05"
        ],
        "general-govramp": [
          "MP-02"
        ],
        "general-govramp-low": [
          "MP-02"
        ],
        "general-govramp-low-plus": [
          "MP-02"
        ],
        "general-govramp-mod": [
          "MP-02"
        ],
        "general-govramp-high": [
          "MP-02"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.2"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.4"
        ],
        "general-iso-27002-2022": [
          "7.7",
          "8.1",
          "8.5"
        ],
        "general-iso-27017-2015": [
          "9.4.2",
          "11.2.9"
        ],
        "general-iso-27018-2025": [
          "7.7",
          "8.1",
          "8.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-1.3"
        ],
        "general-nist-800-53-r4": [
          "MP-2"
        ],
        "general-nist-800-53-r5-2": [
          "MP-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MP-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "MP-02"
        ],
        "general-nist-800-66-r2": [
          "164.310(b)"
        ],
        "general-nist-800-82-r3": [
          "MP-02"
        ],
        "general-nist-800-82-r3-low": [
          "MP-02"
        ],
        "general-nist-800-82-r3-mod": [
          "MP-02"
        ],
        "general-nist-800-82-r3-high": [
          "MP-02"
        ],
        "general-nist-800-171-r2": [
          "3.14.2"
        ],
        "general-nist-800-171-r3": [
          "03.14.02.a"
        ],
        "general-nist-800-171a": [
          "3.4.1[a]",
          "3.4.1[b]",
          "3.4.1[c]",
          "3.4.2[a]",
          "3.4.2[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.03[01]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-09"
        ],
        "general-pci-dss-4-0-1": [
          "1.5",
          "1.5.1",
          "5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.5.1"
        ],
        "general-shared-assessments-sig-2025": [
          "M.1.1"
        ],
        "general-swift-cscf-2025": [
          "6.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.IDMRP"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MP-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-3b"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SI.L1-B.1.XIII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.2"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.4.2",
          "2.4.3",
          "2.4.4"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(xiii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MP-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MP-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MP-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MP-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(b)"
        ],
        "usa-federal-irs-1075-2021": [
          "MP-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "MP-2"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-011-3 1.2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MP-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MP-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MP-02"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(36)(d)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.9.1"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-isr-cmo-1-0": [
          "7.1",
          "7.3",
          "15.5"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-2",
          "2-5"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-4",
          "2-4-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-5",
          "2-5-1",
          "2-5-1-1",
          "2-5-1-2",
          "2-5-1-3",
          "2-5-1-4",
          "2-5-1-5",
          "2-5-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-12",
          "TPC-22"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.3.1 [MP.EQ.1]"
        ],
        "emea-gbr-caf-4-0": [
          "B3.d"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2317",
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2317",
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2317",
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2317",
          "2411"
        ],
        "apac-jpn-ismap": [
          "5.1.1.15",
          "12.2.1.2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP34"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP30"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.5"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.3.1",
          "11.3.2",
          "11.3.3",
          "11.3.4",
          "11.3.5",
          "11.4.1",
          "11.4.2",
          "11.4.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.12"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.02.A"
        ]
      }
    },
    {
      "control_id": "END-01.1",
      "title": "Unified Endpoint Device Management (UEDM)",
      "family": "END",
      "description": "Mechanisms exist to utilize a centralized Unified Endpoint Device Management (UEDM) solution that provides agent and/or agentless management of endpoint devices regardless of device location.",
      "scf_question": "Does the organization utilize a centralized Unified Endpoint Device Management (UEDM) solution that provides agent and/or agentless management of endpoint devices regardless of device location?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Anti-spam/phishing technologies are centralized and built into existing email capabilities.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize a centralized Unified Endpoint Device Management (UEDM) solution that provides agent and/or agentless management of endpoint devices regardless of device location.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Antivirus/antimalware software\n∙ Keep OS updated",
        "small": "∙ Endpoint protection platform (e.g., Windows Defender)\n∙ Patch management",
        "medium": "∙ EDR solution (e.g., CrowdStrike Falcon Go)\n∙ Centralized endpoint management",
        "large": "∙ Enterprise EDR/EPP (e.g., CrowdStrike, SentinelOne)\n∙ MDM/UEM (e.g., Microsoft Intune)",
        "enterprise": "∙ Enterprise EDR/XDR platform (e.g., CrowdStrike, SentinelOne)\n∙ UEM (e.g., Microsoft Intune, JAMF)\n∙ Zero-trust endpoint controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.3-POF3"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-05"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-1.3",
          "TS-1.4"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.6",
          "2.6.1",
          "2.6.2",
          "2.6.3",
          "2.7",
          "2.7.2"
        ]
      }
    },
    {
      "control_id": "END-02",
      "title": "Endpoint Protection Measures",
      "family": "END",
      "description": "Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.",
      "scf_question": "Does the organization protect the confidentiality, integrity, availability and safety of endpoint devices?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Endpoint devices containing sensitive/regulated data use a cryptographic mechanism to prevent the unauthorized disclosure of information at rest (e.g., full drive encryption).",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect the confidentiality, integrity, availability and safety of endpoint devices.",
        "4": "Endpoint Security (END) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Endpoint Security (END) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ IT Asset Management (ITAM) program\n∙ Configuration Management (CM) program\n∙ Change control program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "10.0",
          "10.3",
          "10.4",
          "10.5",
          "11.0"
        ],
        "general-cis-csc-8-1-ig1": [
          "10.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "10.3",
          "10.4",
          "10.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "10.3",
          "10.4",
          "10.5"
        ],
        "general-cobit-2019": [
          "DSS05.03"
        ],
        "general-govramp": [
          "SC-28"
        ],
        "general-govramp-core": [
          "SC-28"
        ],
        "general-govramp-low-plus": [
          "SC-28"
        ],
        "general-govramp-mod": [
          "SC-28"
        ],
        "general-govramp-high": [
          "SC-28"
        ],
        "general-iso-27002-2022": [
          "8.1",
          "8.5"
        ],
        "general-iso-27017-2015": [
          "9.4.2"
        ],
        "general-iso-27018-2025": [
          "8.1",
          "8.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-1.3"
        ],
        "general-nist-800-53-r4": [
          "SC-28"
        ],
        "general-nist-800-53-r5-2": [
          "SC-28"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-28"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-28"
        ],
        "general-nist-800-66-r2": [
          "164.310(c)"
        ],
        "general-nist-800-82-r3": [
          "SC-28"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-28"
        ],
        "general-nist-800-82-r3-high": [
          "SC-28"
        ],
        "general-nist-800-161-r1": [
          "SC-28"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SC-28"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-28"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-28"
        ],
        "general-nist-800-171-r2": [
          "3.13.16"
        ],
        "general-nist-800-171a": [
          "3.13.16"
        ],
        "general-pci-dss-4-0-1": [
          "1.5",
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.5.1"
        ],
        "general-tisax-6-0-3": [
          "5.2.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.20.4.3",
          "SC-28"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-3f",
          "ARCHITECTURE-3h"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.16"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-28"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-28"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-28"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-28"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(c)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(c)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-28"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-28"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(6)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.14(a)(2)",
          "500.14(b)(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-28"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(6)"
        ],
        "emea-isr-cmo-1-0": [
          "7.1",
          "7.3",
          "15.5"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-22"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2411"
        ],
        "apac-jpn-ismap": [
          "6.2.1",
          "6.2.1.1",
          "6.2.1.2",
          "6.2.1.3",
          "6.2.1.4",
          "6.2.1.5",
          "6.2.1.6",
          "6.2.1.7",
          "6.2.1.8",
          "6.2.1.9",
          "6.2.1.10",
          "6.2.1.11",
          "6.2.1.12",
          "6.2.1.13",
          "6.2.1.14",
          "6.2.1.15",
          "6.2.1.16",
          "6.2.1.17",
          "6.2.1.21",
          "6.2.1.22"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS09"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ]
      }
    },
    {
      "control_id": "END-03",
      "title": "Prohibit Installation Without Privileged Status",
      "family": "END",
      "description": "Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status.",
      "scf_question": "Does the organization use automated mechanisms to prohibit software installations without explicitly assigned privileged status?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-IAM-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically prohibit software installations without explicitly assigned privileged status.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8-POF1"
        ],
        "general-govramp": [
          "CM-11"
        ],
        "general-govramp-low": [
          "CM-11"
        ],
        "general-govramp-low-plus": [
          "CM-11"
        ],
        "general-govramp-mod": [
          "CM-11"
        ],
        "general-govramp-high": [
          "CM-11"
        ],
        "general-iso-27002-2022": [
          "8.19"
        ],
        "general-iso-27017-2015": [
          "12.5.1",
          "12.6.2"
        ],
        "general-iso-27018-2025": [
          "8.19"
        ],
        "general-nist-800-53-r4": [
          "CM-11",
          "CM-11(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-11",
          "CM-11(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-11",
          "CM-11(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-11"
        ],
        "general-nist-800-82-r3": [
          "CM-11",
          "CM-11(02)"
        ],
        "general-nist-800-161-r1": [
          "CM-11"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-11"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-11"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-11"
        ],
        "general-nist-800-171-r2": [
          "3.4.9"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-05"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-11"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-11",
          "CM-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-11",
          "CM-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-11",
          "CM-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-11",
          "CM-11(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "CM-11"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-11"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.1.d"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-11"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-11"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-11"
        ],
        "emea-isr-cmo-1-0": [
          "6.3"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "3"
        ]
      }
    },
    {
      "control_id": "END-03.1",
      "title": "Software Installation Alerts",
      "family": "END",
      "description": "Mechanisms exist to generate an alert when new software is detected.",
      "scf_question": "Does the organization generate an alert when new software is detected?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to generate an alert when new software is detected.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "small": "∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "medium": "∙ ManageEngine Endpoint Central (https://manageengine.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8-POF2"
        ],
        "general-cis-csc-8-1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.3"
        ],
        "general-govramp": [
          "CM-08(03)"
        ],
        "general-govramp-mod": [
          "CM-08(03)"
        ],
        "general-govramp-high": [
          "CM-08(03)"
        ],
        "general-nist-800-53-r4": [
          "CM-11(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-08(03)"
        ],
        "general-nist-800-82-r3": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-08(03)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-08(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-08(03)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-8(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-08(03)",
          "CM-11(03)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-8(3)"
        ],
        "emea-isr-cmo-1-0": [
          "6.3"
        ]
      }
    },
    {
      "control_id": "END-03.2",
      "title": "Governing Access Restriction for Change",
      "family": "END",
      "description": "Mechanisms exist to define, document, approve and enforce access restrictions associated with changes to Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization define, document, approve and enforce access restrictions associated with changes to Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define, document, approve and enforce access restrictions associated with changes to Technology Assets, Applications and/or Services (TAAS).",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-govramp": [
          "CM-05"
        ],
        "general-govramp-core": [
          "CM-05"
        ],
        "general-govramp-low-plus": [
          "CM-05"
        ],
        "general-govramp-mod": [
          "CM-05"
        ],
        "general-govramp-high": [
          "CM-05"
        ],
        "general-iso-27002-2022": [
          "8.19"
        ],
        "general-iso-27017-2015": [
          "12.5.1"
        ],
        "general-iso-27018-2025": [
          "8.19"
        ],
        "general-nist-800-53-r4": [
          "CM-5"
        ],
        "general-nist-800-53-r5-2": [
          "CM-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "CM-05"
        ],
        "general-nist-800-82-r3": [
          "CM-05"
        ],
        "general-nist-800-82-r3-low": [
          "CM-05"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-05"
        ],
        "general-nist-800-82-r3-high": [
          "CM-05"
        ],
        "general-nist-800-161-r1": [
          "CM-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CM-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-5"
        ],
        "general-nist-800-171a": [
          "3.4.5[a]",
          "3.4.5[b]",
          "3.4.5[c]",
          "3.4.5[d]",
          "3.4.5[e]",
          "3.4.5[f]",
          "3.4.5[g]",
          "3.4.5[h]"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-05"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-5"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CM-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CM-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-05"
        ]
      }
    },
    {
      "control_id": "END-04",
      "title": "Malicious Code Protection (Anti-Malware)",
      "family": "END",
      "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.",
      "scf_question": "Does the organization utilize antimalware technologies to detect and eradicate malicious code?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-END-01",
        "E-MON-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Anti-malware technologies are decentralized but are deployed on all technology assets that can run anti-malware software.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Anti-malware technologies are centralized, deployed on all technology assets that can run anti-malware software.\n▪ Anti-malware technologies are configured to generate event logs that can be centrally-reviewed (e.g., forwarded to a SIEM).\n▪ Anti-malware detection tools are configured to provide real-time protection (e.g., always on).\n▪ Anti-malware detection tools are configured to automatically update.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize antimalware technologies to detect and eradicate malicious code.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Antimalware software",
        "small": "∙ Antimalware software",
        "medium": "∙ Antimalware software",
        "large": "∙ Antimalware software",
        "enterprise": "∙ Antimalware software"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF11"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.8",
          "CC6.8-POF4"
        ],
        "general-cis-csc-8-1": [
          "10.0",
          "10.1",
          "10.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "10.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "10.1",
          "10.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "10.1",
          "10.4"
        ],
        "general-cobit-2019": [
          "DSS05.01"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-09"
        ],
        "general-csa-iot-2": [
          "CLS-14"
        ],
        "general-govramp": [
          "SI-03"
        ],
        "general-govramp-core": [
          "SI-03"
        ],
        "general-govramp-low": [
          "SI-03"
        ],
        "general-govramp-low-plus": [
          "SI-03"
        ],
        "general-govramp-mod": [
          "SI-03"
        ],
        "general-govramp-high": [
          "SI-03"
        ],
        "general-iec-62443-2-1-2024": [
          "COMP 2.2"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.2",
          "SR 3.2 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "SAR 3.2",
          "HDR 3.2",
          "NDR 3.2"
        ],
        "general-iso-27002-2022": [
          "8.7"
        ],
        "general-iso-27017-2015": [
          "12.2.1"
        ],
        "general-iso-27018-2025": [
          "8.7"
        ],
        "general-mitre-att&ck-16-1": [
          "T1001",
          "T1001.001",
          "T1001.002",
          "T1001.003",
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1005",
          "T1008",
          "T1011.001",
          "T1021.003",
          "T1021.005",
          "T1025",
          "T1027",
          "T1027.002",
          "T1027.007",
          "T1027.008",
          "T1027.009",
          "T1027.010",
          "T1027.012",
          "T1027.013",
          "T1027.014",
          "T1029",
          "T1030",
          "T1036",
          "T1036.003",
          "T1036.005",
          "T1036.008",
          "T1037",
          "T1037.002",
          "T1037.003",
          "T1037.004",
          "T1037.005",
          "T1041",
          "T1046",
          "T1047",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1055",
          "T1055.001",
          "T1055.002",
          "T1055.003",
          "T1055.004",
          "T1055.005",
          "T1055.008",
          "T1055.009",
          "T1055.011",
          "T1055.012",
          "T1055.013",
          "T1055.014",
          "T1055.015",
          "T1056.002",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1059.010",
          "T1059.011",
          "T1068",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.003",
          "T1070.007",
          "T1070.008",
          "T1070.009",
          "T1070.010",
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1072",
          "T1080",
          "T1090",
          "T1090.001",
          "T1090.002",
          "T1091",
          "T1092",
          "T1095",
          "T1098.004",
          "T1102",
          "T1102.001",
          "T1102.002",
          "T1102.003",
          "T1104",
          "T1105",
          "T1106",
          "T1111",
          "T1129",
          "T1132",
          "T1132.001",
          "T1132.002",
          "T1137",
          "T1137.001",
          "T1176",
          "T1185",
          "T1189",
          "T1190",
          "T1195",
          "T1201",
          "T1203",
          "T1204",
          "T1204.001",
          "T1204.002",
          "T1204.003",
          "T1210",
          "T1211",
          "T1212",
          "T1218",
          "T1218.001",
          "T1218.002",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.008",
          "T1218.009",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1218.015",
          "T1219",
          "T1221",
          "T1485",
          "T1486",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1505.004",
          "T1525",
          "T1539",
          "T1543",
          "T1543.002",
          "T1546.002",
          "T1546.003",
          "T1546.004",
          "T1546.006",
          "T1546.013",
          "T1546.014",
          "T1546.016",
          "T1547.002",
          "T1547.005",
          "T1547.006",
          "T1547.007",
          "T1547.008",
          "T1547.009",
          "T1547.013",
          "T1548",
          "T1548.004",
          "T1548.006",
          "T1553.003",
          "T1554",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1559",
          "T1559.001",
          "T1559.002",
          "T1560",
          "T1560.001",
          "T1561",
          "T1561.001",
          "T1561.002",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.004",
          "T1562.006",
          "T1562.011",
          "T1564.004",
          "T1564.008",
          "T1564.009",
          "T1564.012",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1566.003",
          "T1567",
          "T1568",
          "T1568.002",
          "T1569",
          "T1569.002",
          "T1570",
          "T1571",
          "T1572",
          "T1573",
          "T1573.001",
          "T1573.002",
          "T1574",
          "T1574.001",
          "T1574.004",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.013",
          "T1574.014",
          "T1598",
          "T1598.001",
          "T1598.002",
          "T1598.003",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1611",
          "T1622"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-1.3",
          "TS-1.4"
        ],
        "general-nist-800-53-r4": [
          "SI-3"
        ],
        "general-nist-800-53-r5-2": [
          "SI-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "SI-03"
        ],
        "general-nist-800-82-r3": [
          "SI-03"
        ],
        "general-nist-800-82-r3-low": [
          "SI-03"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-03"
        ],
        "general-nist-800-82-r3-high": [
          "SI-03"
        ],
        "general-nist-800-161-r1": [
          "SI-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SI-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SI-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-3"
        ],
        "general-nist-800-171-r2": [
          "3.14.2"
        ],
        "general-nist-800-171-r3": [
          "03.14.02.c",
          "03.14.02.c.01",
          "03.14.02.c.02"
        ],
        "general-nist-800-171a": [
          "3.14.2[a]",
          "3.14.2[b]",
          "3.14.5[a]",
          "3.14.5[b]",
          "3.14.5[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.14.02.ODP[01]",
          "A.03.14.02.a[01]",
          "A.03.14.02.a[02]",
          "A.03.14.02.c.02"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-09"
        ],
        "general-pci-dss-4-0-1": [
          "5.2",
          "5.2.1",
          "5.2.2",
          "5.3",
          "5.3.1",
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.4",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "5.2.1",
          "5.2.2",
          "5.3.1",
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.4",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "5.2.1",
          "5.2.2",
          "5.3.1",
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.4",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "5.2.1",
          "5.2.2",
          "5.3.1",
          "5.3.2",
          "5.3.3",
          "5.3.4",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "5.2.1",
          "5.2.2",
          "5.3.1",
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.4",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "5.2.1",
          "5.2.2",
          "5.3.1",
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.4",
          "5.3.5"
        ],
        "general-shared-assessments-sig-2025": [
          "U.1.5.1"
        ],
        "general-swift-cscf-2025": [
          "6.1"
        ],
        "general-tisax-6-0-3": [
          "5.2.3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.PDPRO",
          "3.PEP.FI.AMALW",
          "3.PEP.IN.EDRES"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-3"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SI.L1-B.1.XIII",
          "SI.L1-B.1.XV"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "SI.L1-B.1.XIII[a]",
          "SI.L1-B.1.XIII[b]",
          "SI.L1-B.1.XV[a]",
          "SI.L1-B.1.XV[b]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.2"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(xiii)",
          "52.204-21(b)(1)(xv)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-03"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-3",
          "SI-3.a",
          "SI-3.b",
          "SI-3.c",
          "SI-3.c.1",
          "SI-3.c.2",
          "SI-3.d"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 3.1",
          "CIP-007-6 3.2",
          "CIP-007-6 3.3",
          "CIP-007-6 4.2.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(9)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.14(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-03"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.9.1",
          "6.9.2"
        ],
        "emea-deu-c5-2020": [
          "OPS-04",
          "OPS-05"
        ],
        "emea-isr-cmo-1-0": [
          "7.1",
          "7.3",
          "12.20",
          "15.5"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-3-1",
          "2-4-3-4",
          "5-1-3-10"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-12"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.6 [OP.EXP.6]"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2411",
          "2426"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2411",
          "2426"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2411",
          "2426"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2411",
          "2426"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1284",
          "ISM-1286",
          "ISM-1288",
          "ISM-1289",
          "ISM-1290",
          "ISM-1293",
          "ISM-1417",
          "ISM-1608"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S4"
        ],
        "apac-jpn-ismap": [
          "12.2",
          "12.2.1",
          "12.2.1.1",
          "12.2.1.3",
          "12.2.1.4",
          "12.2.1.5",
          "12.2.1.6",
          "12.2.1.7",
          "12.2.1.8",
          "12.2.1.9",
          "12.2.1.15"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP62",
          "HML62"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS10"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP54"
        ],
        "apac-nzl-ism-3-9": [
          "14.1.9.C.02"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.5"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.3.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.12"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.02.C",
          "03.14.02.C.01",
          "03.14.02.C.02"
        ]
      }
    },
    {
      "control_id": "END-04.1",
      "title": "Automatic Antimalware Signature Updates",
      "family": "END",
      "description": "Automated mechanisms exist to update antimalware technologies, including signature definitions.",
      "scf_question": "Does the organization automatically update antimalware technologies, including signature definitions?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-END-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Anti-malware detection tools are configured to automatically update.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically update antimalware technologies, including signature definitions.",
        "4": "Endpoint Security (END) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF11"
        ],
        "general-cis-csc-8-1": [
          "10.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "10.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "10.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "10.2"
        ],
        "general-cobit-2019": [
          "DSS05.01"
        ],
        "general-govramp": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-core": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-low": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-low-plus": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-mod": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-high": [
          "SI-02",
          "SI-03"
        ],
        "general-iec-62443-2-1-2024": [
          "COMP 2.3"
        ],
        "general-iso-27002-2022": [
          "8.7"
        ],
        "general-iso-27017-2015": [
          "12.2.1"
        ],
        "general-iso-27018-2025": [
          "8.7"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.3"
        ],
        "general-nist-800-53-r4": [
          "SI-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3-low": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3-high": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-161-r1": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-171-r2": [
          "3.14.4"
        ],
        "general-nist-800-171-r3": [
          "03.14.02.b"
        ],
        "general-nist-800-171a": [
          "3.14.4"
        ],
        "general-nist-800-171a-r3": [
          "A.03.14.02.b"
        ],
        "general-pci-dss-4-0-1": [
          "5.3",
          "5.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "5.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "5.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "5.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "5.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "5.3.1"
        ],
        "general-swift-cscf-2025": [
          "6.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-2",
          "SI-3"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SI.L1-B.1.XIV"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "SI.L1-B.1.XIV[a]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.4"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(xiv)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-02",
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-02",
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-02",
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-02",
          "SI-03"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-2",
          "SI-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-2",
          "SI-3",
          "SI-3(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SI-02",
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SI-02",
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-02",
          "SI-03"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(7)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.9.2"
        ],
        "emea-isr-cmo-1-0": [
          "7.9"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2426"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2426"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2426"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2426"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.3.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.02.B"
        ]
      }
    },
    {
      "control_id": "END-04.2",
      "title": "Documented Protection Measures",
      "family": "END",
      "description": "Mechanisms exist to document antimalware technologies.",
      "scf_question": "Does the organization document antimalware technologies?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document antimalware technologies.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Antivirus/antimalware software\n∙ Keep OS updated",
        "small": "∙ Endpoint protection platform (e.g., Windows Defender)\n∙ Patch management",
        "medium": "∙ EDR solution (e.g., CrowdStrike Falcon Go)\n∙ Centralized endpoint management",
        "large": "∙ Enterprise EDR/EPP (e.g., CrowdStrike, SentinelOne)\n∙ MDM/UEM (e.g., Microsoft Intune)",
        "enterprise": "∙ Enterprise EDR/XDR platform (e.g., CrowdStrike, SentinelOne)\n∙ UEM (e.g., Microsoft Intune, JAMF)\n∙ Zero-trust endpoint controls"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-4",
        "R-GV-6",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "5.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "5.1.2"
        ],
        "general-shared-assessments-sig-2025": [
          "U.1.5.1"
        ]
      }
    },
    {
      "control_id": "END-04.3",
      "title": "Centralized Management of Antimalware Technologies",
      "family": "END",
      "description": "Mechanisms exist to centrally-manage antimalware technologies.",
      "scf_question": "Does the organization centrally-manage antimalware technologies?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-END-03",
        "E-MON-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to centrally-manage antimalware technologies.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Antimalware software",
        "small": "∙ Antimalware software",
        "medium": "∙ Antimalware software",
        "large": "∙ Antimalware software",
        "enterprise": "∙ Antimalware software"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "10.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "10.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "10.6"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.2 RE 2"
        ],
        "general-iec-62443-4-2-2019": [
          "HDR 3.2(1)"
        ],
        "general-nist-800-53-r4": [
          "SI-3(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PL-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-09"
        ],
        "general-nist-800-82-r3": [
          "PL-09"
        ],
        "general-nist-800-161-r1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-9"
        ],
        "general-nist-800-171-r3": [
          "03.14.02.a"
        ],
        "general-pci-dss-4-0-1": [
          "5.3.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "5.3.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "5.3.4"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "5.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "5.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "5.3.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-09"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-3(1)"
        ],
        "emea-isr-cmo-1-0": [
          "7.7",
          "12.20"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.3.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.02.A"
        ]
      }
    },
    {
      "control_id": "END-04.4",
      "title": "Heuristic / Nonsignature-Based Detection",
      "family": "END",
      "description": "Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities.",
      "scf_question": "Does the organization utilize heuristic / nonsignature-based antimalware detection capabilities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize heuristic / nonsignature-based antimalware detection capabilities.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Antimalware software",
        "small": "∙ Antimalware software",
        "medium": "∙ Antimalware software",
        "large": "∙ Antimalware software",
        "enterprise": "∙ Antimalware software"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "10.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "10.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "10.7"
        ],
        "general-govramp": [
          "SI-03"
        ],
        "general-govramp-core": [
          "SI-03"
        ],
        "general-govramp-low": [
          "SI-03"
        ],
        "general-govramp-low-plus": [
          "SI-03"
        ],
        "general-govramp-mod": [
          "SI-03"
        ],
        "general-govramp-high": [
          "SI-03"
        ],
        "general-nist-800-53-r4": [
          "SI-3(7)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "SI-03"
        ],
        "general-nist-800-82-r3": [
          "SI-03"
        ],
        "general-nist-800-82-r3-low": [
          "SI-03"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-03"
        ],
        "general-nist-800-82-r3-high": [
          "SI-03"
        ],
        "general-nist-800-161-r1": [
          "SI-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SI-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SI-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-3"
        ],
        "general-shared-assessments-sig-2025": [
          "U.1.5.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-03"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-3"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 3.3"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-03"
        ],
        "emea-isr-cmo-1-0": [
          "7.8"
        ],
        "emea-sau-ecc-1-2018": [
          "2-4-3-4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1284",
          "ISM-1286",
          "ISM-1288",
          "ISM-1289",
          "ISM-1293",
          "ISM-1417",
          "ISM-1608",
          "ISM-1782"
        ]
      }
    },
    {
      "control_id": "END-04.5",
      "title": "Malware Protection Mechanism Testing",
      "family": "END",
      "description": "Mechanisms exist to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs.",
      "scf_question": "Does the organization test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ EICAR test file",
        "small": "∙ EICAR test file",
        "medium": "∙ EICAR test file",
        "large": "∙ EICAR test file",
        "enterprise": "∙ EICAR test file"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "COMP 2.3"
        ],
        "general-nist-800-53-r4": [
          "SI-3(6)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-03(06)"
        ],
        "general-nist-800-82-r3": [
          "SI-03(06)"
        ]
      }
    },
    {
      "control_id": "END-04.6",
      "title": "Evolving Malware Threats",
      "family": "END",
      "description": "Mechanisms exist to perform periodic evaluations of evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software.",
      "scf_question": "Does the organization perform periodic evaluations of evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Anti-malware technologies are centralized, deployed on all technology assets that can run anti-malware software.\n▪ Anti-malware technologies are configured to generate event logs that can be centrally-reviewed (e.g., forwarded to a SIEM).\n▪ Anti-malware detection tools are configured to provide real-time protection (e.g., always on).",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform periodic evaluations of evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Antivirus/antimalware software\n∙ Keep OS updated",
        "small": "∙ Endpoint protection platform (e.g., Windows Defender)\n∙ Patch management",
        "medium": "∙ EDR solution (e.g., CrowdStrike Falcon Go)\n∙ Centralized endpoint management",
        "large": "∙ Enterprise EDR/EPP (e.g., CrowdStrike, SentinelOne)\n∙ MDM/UEM (e.g., Microsoft Intune)",
        "enterprise": "∙ Enterprise EDR/XDR platform (e.g., CrowdStrike, SentinelOne)\n∙ UEM (e.g., Microsoft Intune, JAMF)\n∙ Zero-trust endpoint controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "5.2.3",
          "5.2.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "5.2.3",
          "5.2.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "5.2.3",
          "5.2.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "5.2.3",
          "5.2.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "5.2.3",
          "5.2.3.1"
        ],
        "general-shared-assessments-sig-2025": [
          "J.5.1"
        ],
        "emea-isr-cmo-1-0": [
          "12.20"
        ]
      }
    },
    {
      "control_id": "END-04.7",
      "title": "Always On Protection",
      "family": "END",
      "description": "Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period.",
      "scf_question": "Does the organization ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Anti-malware technologies are centralized, deployed on all technology assets that can run anti-malware software.\n▪ Anti-malware technologies are configured to generate event logs that can be centrally-reviewed (e.g., forwarded to a SIEM).\n▪ Anti-malware detection tools are configured to provide real-time protection (e.g., always on).",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Antimalware software",
        "small": "∙ Antimalware software",
        "medium": "∙ Antimalware software",
        "large": "∙ Antimalware software",
        "enterprise": "∙ Antimalware software"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8-POF5"
        ],
        "general-cis-csc-8-1": [
          "10.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "10.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "10.4"
        ],
        "general-cobit-2019": [
          "DSS05.01"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-09"
        ],
        "general-iec-62443-2-1-2024": [
          "COMP 2.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-1.3"
        ],
        "general-nist-800-171-r2": [
          "3.14.5"
        ],
        "general-nist-800-171-r3": [
          "03.14.02.a",
          "03.14.02.c.01",
          "03.14.02.c.02"
        ],
        "general-nist-800-171a": [
          "3.14.5[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.14.02.c.01[01]",
          "A.03.14.02.c.01[02]"
        ],
        "general-pci-dss-4-0-1": [
          "5.3",
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "5.3.2",
          "5.3.3",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "5.3.2",
          "5.3.2.1",
          "5.3.3",
          "5.3.5"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SI.L1-B.1.XV"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "SI.L1-B.1.XV[c]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.5"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(xv)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-3(IRS-Defined)-1",
          "SI-3(IRS-Defined)-2"
        ],
        "emea-isr-cmo-1-0": [
          "7.5",
          "12.25"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-8"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2426"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2426"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2426"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2426"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.02.A",
          "03.14.02.C.01",
          "03.14.02.C.02"
        ]
      }
    },
    {
      "control_id": "END-05",
      "title": "Software Firewall",
      "family": "END",
      "description": "Mechanisms exist to utilize host-based firewall software, or a similar technology, on all endpoint devices, where technically feasible.",
      "scf_question": "Does the organization utilize host-based firewall software, or a similar technology, on all endpoint devices, where technically feasible?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize host-based firewall software, or a similar technology, on all endpoint devices, where technically feasible.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Host-based firewall software",
        "small": "∙ Host-based firewall software",
        "medium": "∙ Host-based firewall software",
        "large": "∙ Host-based firewall software",
        "enterprise": "∙ Host-based firewall software"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.4",
          "4.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.4",
          "4.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.4",
          "4.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.4",
          "4.5"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-10"
        ],
        "general-pci-dss-4-0-1": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.5.1"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1416"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ]
      }
    },
    {
      "control_id": "END-06",
      "title": "Endpoint File Integrity Monitoring (FIM)",
      "family": "END",
      "description": "Mechanisms exist to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.",
      "scf_question": "Does the organization utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-END-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.",
        "4": "Endpoint Security (END) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Endpoint Security (END) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ File Integrity Monitor (FIM)\n∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "small": "∙ File Integrity Monitor (FIM)\n∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "medium": "∙ File Integrity Monitor (FIM)\n∙ ManageEngine Endpoint Central (https://manageengine.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "large": "∙ File Integrity Monitor (FIM)\n∙ ManageEngine Endpoint Central (https://manageengine.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "enterprise": "∙ File Integrity Monitor (FIM)\n∙ ManageEngine Endpoint Central (https://manageengine.com)\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8",
          "CC7.1-POF2",
          "CC7.1-POF3",
          "CC7.1-POF4"
        ],
        "general-csa-iot-2": [
          "SAP-06"
        ],
        "general-govramp": [
          "SI-07"
        ],
        "general-govramp-core": [
          "SI-07"
        ],
        "general-govramp-low-plus": [
          "SI-07"
        ],
        "general-govramp-mod": [
          "SI-07"
        ],
        "general-govramp-high": [
          "SI-07"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-6"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.4"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.003",
          "T1020.001",
          "T1027",
          "T1027.002",
          "T1027.007",
          "T1027.008",
          "T1027.009",
          "T1036",
          "T1036.001",
          "T1036.005",
          "T1037",
          "T1037.002",
          "T1037.003",
          "T1037.004",
          "T1037.005",
          "T1040",
          "T1047",
          "T1053.006",
          "T1056.002",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1059.010",
          "T1059.011",
          "T1068",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.003",
          "T1070.007",
          "T1070.008",
          "T1070.009",
          "T1070.010",
          "T1072",
          "T1080",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1112",
          "T1114",
          "T1114.001",
          "T1114.002",
          "T1114.003",
          "T1119",
          "T1127",
          "T1127.002",
          "T1129",
          "T1133",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1176",
          "T1185",
          "T1189",
          "T1190",
          "T1195",
          "T1195.001",
          "T1195.003",
          "T1203",
          "T1204",
          "T1204.002",
          "T1204.003",
          "T1210",
          "T1211",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1216",
          "T1216.001",
          "T1216.002",
          "T1218",
          "T1218.001",
          "T1218.002",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.008",
          "T1218.009",
          "T1218.010",
          "T1218.011",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1218.015",
          "T1219",
          "T1220",
          "T1221",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1485",
          "T1485.001",
          "T1486",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1495",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.004",
          "T1525",
          "T1530",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1543.002",
          "T1546",
          "T1546.002",
          "T1546.004",
          "T1546.006",
          "T1546.008",
          "T1546.009",
          "T1546.010",
          "T1546.013",
          "T1547.002",
          "T1547.003",
          "T1547.004",
          "T1547.005",
          "T1547.006",
          "T1547.008",
          "T1547.013",
          "T1548",
          "T1548.004",
          "T1548.006",
          "T1550.001",
          "T1550.004",
          "T1552",
          "T1552.004",
          "T1553",
          "T1553.001",
          "T1553.003",
          "T1553.005",
          "T1553.006",
          "T1554",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004",
          "T1556.008",
          "T1556.009",
          "T1557",
          "T1557.002",
          "T1557.004",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1558.005",
          "T1561",
          "T1561.001",
          "T1561.002",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.004",
          "T1562.006",
          "T1562.009",
          "T1562.010",
          "T1562.011",
          "T1562.012",
          "T1564.003",
          "T1564.004",
          "T1564.006",
          "T1564.008",
          "T1564.009",
          "T1564.010",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1565.003",
          "T1569",
          "T1569.002",
          "T1574",
          "T1574.001",
          "T1574.004",
          "T1574.006",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.012",
          "T1574.013",
          "T1574.014",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1609",
          "T1611",
          "T1647"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P6"
        ],
        "general-nist-800-53-r4": [
          "SI-7"
        ],
        "general-nist-800-53-r5-2": [
          "SI-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-07"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-07"
        ],
        "general-nist-800-82-r3": [
          "SI-07"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-07"
        ],
        "general-nist-800-82-r3-high": [
          "SI-07"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-07"
        ],
        "general-nist-800-161-r1": [
          "SI-7"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SI-7"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SI-7"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-7"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-09"
        ],
        "general-pci-dss-4-0-1": [
          "10.3.4",
          "11.5",
          "11.5.2",
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.3.4",
          "11.5.2",
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.3.4",
          "11.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.3.4",
          "11.5.2",
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.3.4",
          "11.5.2",
          "11.6.1"
        ],
        "general-swift-cscf-2025": [
          "6.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-07"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-7"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-7"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-07"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(36)(e)"
        ],
        "emea-isr-cmo-1-0": [
          "6.4",
          "12.19"
        ],
        "emea-sau-otcc-1-2022": [
          "1-5-4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2425"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2425"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S6"
        ],
        "apac-nzl-ism-3-9": [
          "14.1.12.C.01",
          "14.1.12.C.02",
          "14.1.12.C.03"
        ]
      }
    },
    {
      "control_id": "END-06.1",
      "title": "Integrity Checks",
      "family": "END",
      "description": "Mechanisms exist to validate configurations through integrity checking of software and firmware.",
      "scf_question": "Does the organization validate configurations through integrity checking of software and firmware?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to validate configurations through integrity checking of software and firmware.",
        "4": "Endpoint Security (END) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Endpoint Security (END) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ File Integrity Monitor (FIM)",
        "small": "∙ File Integrity Monitor (FIM)",
        "medium": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)\n∙ File Integrity Monitor (FIM)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)\n∙ File Integrity Monitor (FIM)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)\n∙ File Integrity Monitor (FIM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.1"
        ],
        "general-csa-iot-2": [
          "IOT-03"
        ],
        "general-govramp": [
          "SI-07(01)"
        ],
        "general-govramp-mod": [
          "SI-07(01)"
        ],
        "general-govramp-high": [
          "SI-07(01)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.4 RE 1"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P6",
          "PR.DS-P8"
        ],
        "general-nist-800-53-r4": [
          "SI-7(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-07(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-07(01)"
        ],
        "general-nist-800-82-r3": [
          "SI-07(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-07(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-07(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-07(01)"
        ],
        "general-swift-cscf-2025": [
          "6.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-7(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-07(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-07(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-7(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-7(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-07 (01)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2425"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2425"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S6"
        ]
      }
    },
    {
      "control_id": "END-06.2",
      "title": "Endpoint Detection & Response (EDR)",
      "family": "END",
      "description": "Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents.",
      "scf_question": "Does the organization detect and respond to unauthorized configuration changes as cybersecurity incidents?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to detect and respond to unauthorized configuration changes as cybersecurity incidents.",
        "4": "Endpoint Security (END) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "small": "∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "medium": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.3"
        ],
        "general-cis-csc-8-1": [
          "2.3",
          "2.4",
          "13.7"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.3",
          "2.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.3",
          "2.4",
          "13.7"
        ],
        "general-govramp": [
          "SI-07(07)"
        ],
        "general-govramp-core": [
          "SI-07(07)"
        ],
        "general-govramp-mod": [
          "SI-07(07)"
        ],
        "general-govramp-high": [
          "SI-07(07)"
        ],
        "general-nist-800-53-r4": [
          "SI-7(7)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-07(07)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-07(07)"
        ],
        "general-nist-800-82-r3": [
          "SI-07(07)"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-07(07)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-07(07)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-07(07)"
        ],
        "general-pci-dss-4-0-1": [
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-shared-assessments-sig-2025": [
          "J.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-7(7)"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.3.4",
          "2.7",
          "2.7.1",
          "2.7.2"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-07(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-07(07)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-7(CE-7)",
          "SI-7(CE-7).a",
          "SI-7(CE-7).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-7(7)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.14(b)(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-07 (07)"
        ],
        "emea-isr-cmo-1-0": [
          "7.2"
        ]
      }
    },
    {
      "control_id": "END-06.3",
      "title": "Automated Notifications of Integrity Violations",
      "family": "END",
      "description": "Automated mechanisms exist to alert incident response personnel upon discovering discrepancies during integrity verification.",
      "scf_question": "Does the organization use automated mechanisms to alert incident response personnel upon discovering discrepancies during integrity verification?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically alert incident response personnel upon discovering discrepancies during integrity verification.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Antivirus/antimalware software\n∙ Keep OS updated",
        "small": "∙ Endpoint protection platform (e.g., Windows Defender)\n∙ Patch management",
        "medium": "∙ EDR solution (e.g., CrowdStrike Falcon Go)\n∙ Centralized endpoint management",
        "large": "∙ Enterprise EDR/EPP (e.g., CrowdStrike, SentinelOne)\n∙ MDM/UEM (e.g., Microsoft Intune)",
        "enterprise": "∙ Enterprise EDR/XDR platform (e.g., CrowdStrike, SentinelOne)\n∙ UEM (e.g., Microsoft Intune, JAMF)\n∙ Zero-trust endpoint controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-govramp": [
          "SI-07(02)"
        ],
        "general-govramp-high": [
          "SI-07(02)"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P6"
        ],
        "general-nist-800-53-r4": [
          "SI-7(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-07(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-07(02)"
        ],
        "general-nist-800-82-r3": [
          "SI-07(02)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-07(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-07(02)"
        ]
      }
    },
    {
      "control_id": "END-06.4",
      "title": "Automated Response to Integrity Violations",
      "family": "END",
      "description": "Automated mechanisms exist to implement remediation actions when integrity violations are discovered.",
      "scf_question": "Does the organization use automated mechanisms to implement remediation actions when integrity violations are discovered?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically implement remediation actions when integrity violations are discovered.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Antivirus/antimalware software\n∙ Keep OS updated",
        "small": "∙ Endpoint protection platform (e.g., Windows Defender)\n∙ Patch management",
        "medium": "∙ EDR solution (e.g., CrowdStrike Falcon Go)\n∙ Centralized endpoint management",
        "large": "∙ Enterprise EDR/EPP (e.g., CrowdStrike, SentinelOne)\n∙ MDM/UEM (e.g., Microsoft Intune)",
        "enterprise": "∙ Enterprise EDR/XDR platform (e.g., CrowdStrike, SentinelOne)\n∙ UEM (e.g., Microsoft Intune, JAMF)\n∙ Zero-trust endpoint controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-govramp": [
          "SI-07(05)"
        ],
        "general-govramp-high": [
          "SI-07(05)"
        ],
        "general-nist-800-53-r4": [
          "SI-7(5)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-07(05)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-07(05)"
        ],
        "general-nist-800-82-r3": [
          "SI-07(05)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-07(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-07(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-07(05)"
        ]
      }
    },
    {
      "control_id": "END-06.5",
      "title": "Boot Process Integrity",
      "family": "END",
      "description": "Automated mechanisms exist to verify the integrity of the boot process of systems.",
      "scf_question": "Does the organization use automated mechanisms to verify the integrity of the boot process of systems?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically verify the integrity of the boot process of systems.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ UEFI Secure Boot",
        "small": "∙ UEFI Secure Boot",
        "medium": "∙ UEFI Secure Boot",
        "large": "∙ UEFI Secure Boot",
        "enterprise": "∙ UEFI Secure Boot"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-iec-62443-4-2-2019": [
          "CR 3.14",
          "EDR 3.14",
          "HDR 3.14",
          "NDR 3.14"
        ],
        "general-nist-800-53-r4": [
          "SI-7(9)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-07(09)"
        ],
        "general-nist-800-82-r3": [
          "SI-07(09)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-07(09)"
        ],
        "general-sparta": [
          "CM0014"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 8"
        ]
      }
    },
    {
      "control_id": "END-06.6",
      "title": "Protection of Boot Firmware",
      "family": "END",
      "description": "Automated mechanisms exist to protect the integrity of boot firmware in systems.",
      "scf_question": "Does the organization use automated mechanisms to protect the integrity of boot firmware in systems?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically protect the integrity of boot firmware in systems.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ UEFI Secure Boot",
        "small": "∙ UEFI Secure Boot",
        "medium": "∙ UEFI Secure Boot",
        "large": "∙ UEFI Secure Boot",
        "enterprise": "∙ UEFI Secure Boot"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-iec-62443-4-2-2019": [
          "EDR 3.14(1)",
          "HDR 3.14(1)",
          "NDR 3.14(1)"
        ],
        "general-nist-800-53-r4": [
          "SI-7(10)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-07(10)"
        ],
        "general-nist-800-82-r3": [
          "SI-07(10)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-07(10)"
        ],
        "general-sparta": [
          "CM0014"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-7(CE-10)"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 8"
        ]
      }
    },
    {
      "control_id": "END-06.7",
      "title": "Binary or Machine-Executable Code",
      "family": "END",
      "description": "Mechanisms exist to prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code.",
      "scf_question": "Does the organization prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SI-7(14)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-07(08)"
        ],
        "general-nist-800-82-r3": [
          "CM-07(08)"
        ],
        "general-nist-800-161-r1": [
          "CM-7(8)",
          "SI-7(14)"
        ],
        "general-nist-800-161-r1-level-2": [
          "CM-7(8)",
          "SI-7(14)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-7(8)",
          "SI-7(14)"
        ]
      }
    },
    {
      "control_id": "END-06.8",
      "title": "Extended Detection & Response (XDR)",
      "family": "END",
      "description": "Mechanisms exist to implement Extended Detection & Response (XDR) technologies to correlate data and respond to threats across multiple security layers, including:\n(1) Endpoints;\n(2) On-premises networks; \n(3) Cloud-based networks;\n(4) Electronic communications; \n(5) Applications; and\n(6) Services.",
      "scf_question": "Does the organization implement Extended Detection & Response (XDR) technologies to correlate data and respond to threats across multiple security layers, including:\n(1) Endpoints;\n(2) On-premises networks; \n(3) Cloud-based networks;\n(4) Electronic communications; \n(5) Applications; and\n(6) Services?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement Extended Detection & Response (XDR) technologies to correlate data and respond to threats across multiple security layers, including:\n(1) Endpoints;\n(2) On-premises networks; \n(3) Cloud-based networks;\n(4) Electronic communications; \n(5) Applications; and\n(6) Services.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Antivirus/antimalware software\n∙ Keep OS updated",
        "small": "∙ Endpoint protection platform (e.g., Windows Defender)\n∙ Patch management",
        "medium": "∙ EDR solution (e.g., CrowdStrike Falcon Go)\n∙ Centralized endpoint management",
        "large": "∙ Enterprise EDR/EPP (e.g., CrowdStrike, SentinelOne)\n∙ MDM/UEM (e.g., Microsoft Intune)",
        "enterprise": "∙ Enterprise EDR/XDR platform (e.g., CrowdStrike, SentinelOne)\n∙ UEM (e.g., Microsoft Intune, JAMF)\n∙ Zero-trust endpoint controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.7.2",
          "2.7.3"
        ]
      }
    },
    {
      "control_id": "END-07",
      "title": "Host Intrusion Detection and Prevention Systems (HIDS / HIPS)",
      "family": "END",
      "description": "Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS), or similar technologies, to monitor for and protect against anomalous host activity, including lateral movement across the network.",
      "scf_question": "Does the organization utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS), or similar technologies, to monitor for and protect against anomalous host activity, including lateral movement across the network?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS), or similar technologies, to monitor for and protect against anomalous host activity, including lateral movement across the network.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS)",
        "small": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS)",
        "medium": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS)",
        "large": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS)",
        "enterprise": "∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8"
        ],
        "general-cis-csc-8-1": [
          "13.2",
          "13.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "13.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "13.2",
          "13.7"
        ],
        "general-csa-iot-2": [
          "CLS-14",
          "SAP-06"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.7"
        ],
        "general-nist-800-171-r3": [
          "03.14.06.a.01",
          "03.14.06.a.02",
          "03.14.06.b",
          "03.14.06.c"
        ],
        "general-shared-assessments-sig-2025": [
          "N.7"
        ],
        "general-swift-cscf-2025": [
          "6.5A"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.IN.IDPSY",
          "3.PEP.SE.ACMIT",
          "3.PEP.WE.ACMIT"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.14(b)(1)"
        ],
        "emea-isr-cmo-1-0": [
          "7.4",
          "7.5",
          "12.18",
          "12.24",
          "23.6"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.6.1 [OP.MON.1]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1034",
          "ISM-1341",
          "ISM-1418"
        ],
        "apac-nzl-ism-3-9": [
          "18.4.13.C.01"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.06.A.01",
          "03.14.06.A.02",
          "03.14.06.B",
          "03.14.06.C"
        ]
      }
    },
    {
      "control_id": "END-08",
      "title": "Phishing & Spam Protection",
      "family": "END",
      "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
      "scf_question": "Does the organization utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Anti-spam/phishing technologies are centralized and built into existing email capabilities.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Anti-spam/phishing technologies are centralized and built into existing email capabilities.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Anti-spam / phishing solution",
        "small": "∙ Anti-spam / phishing solution",
        "medium": "∙ Anti-spam / phishing solution",
        "large": "∙ Anti-spam / phishing solution",
        "enterprise": "∙ Anti-spam / phishing solution"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "9.0",
          "9.6",
          "9.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.6",
          "9.7"
        ],
        "general-govramp": [
          "SI-08"
        ],
        "general-govramp-low-plus": [
          "SI-08"
        ],
        "general-govramp-mod": [
          "SI-08"
        ],
        "general-govramp-high": [
          "SI-08"
        ],
        "general-mitre-att&ck-16-1": [
          "T1137",
          "T1137.001",
          "T1137.002",
          "T1137.003",
          "T1137.004",
          "T1137.005",
          "T1137.006",
          "T1204",
          "T1204.001",
          "T1204.002",
          "T1204.003",
          "T1221",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1566.003",
          "T1598",
          "T1598.001",
          "T1598.002",
          "T1598.003"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.9"
        ],
        "general-nist-800-53-r4": [
          "SI-8"
        ],
        "general-nist-800-53-r5-2": [
          "SI-08"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-08"
        ],
        "general-nist-800-82-r3": [
          "SI-08"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-08"
        ],
        "general-nist-800-82-r3-high": [
          "SI-08"
        ],
        "general-pci-dss-4-0-1": [
          "5.4",
          "5.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "5.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "5.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "5.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "5.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "5.4.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.APPRO",
          "3.PEP.EM.ASPRO",
          "3.PEP.UN.APPRO"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-8"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-08"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-8",
          "SI-8.a",
          "SI-8.b",
          "SI-8(1)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.1.a"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.14(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SI-08"
        ],
        "emea-sau-ecc-1-2018": [
          "2-4-3-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-16"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2509"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2509"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2509"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2509"
        ],
        "apac-nzl-ism-3-9": [
          "15.2.21.C.01",
          "15.2.23.C.01",
          "15.2.23.C.02",
          "15.2.23.C.03",
          "15.2.24.C.01",
          "15.2.24.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "14.1.6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ]
      }
    },
    {
      "control_id": "END-08.1",
      "title": "Central Management",
      "family": "END",
      "description": "Mechanisms exist to centrally-manage anti-phishing and spam protection technologies.",
      "scf_question": "Does the organization centrally-manage anti-phishing and spam protection technologies?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Anti-spam/phishing technologies are centralized and built into existing email capabilities.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Anti-spam/phishing technologies are centralized and built into existing email capabilities.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to centrally-manage anti-phishing and spam protection technologies.",
        "4": "In addition to Endpoint Security (END) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Antivirus/antimalware software\n∙ Keep OS updated",
        "small": "∙ Endpoint protection platform (e.g., Windows Defender)\n∙ Patch management",
        "medium": "∙ EDR solution (e.g., CrowdStrike Falcon Go)\n∙ Centralized endpoint management",
        "large": "∙ Enterprise EDR/EPP (e.g., CrowdStrike, SentinelOne)\n∙ MDM/UEM (e.g., Microsoft Intune)",
        "enterprise": "∙ Enterprise EDR/XDR platform (e.g., CrowdStrike, SentinelOne)\n∙ UEM (e.g., Microsoft Intune, JAMF)\n∙ Zero-trust endpoint controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SI-8(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PL-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-09"
        ],
        "general-nist-800-82-r3": [
          "PL-09"
        ],
        "general-nist-800-161-r1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-9"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-09"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ]
      }
    },
    {
      "control_id": "END-08.2",
      "title": "Automatic Spam and Phishing Protection Updates",
      "family": "END",
      "description": "Mechanisms exist to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices.",
      "scf_question": "Does the organization automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Anti-spam/phishing technologies are centralized and built into existing email capabilities.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Anti-spam/phishing technologies are centralized and built into existing email capabilities.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices.",
        "4": "In addition to Endpoint Security (END) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Antivirus/antimalware software\n∙ Keep OS updated",
        "small": "∙ Endpoint protection platform (e.g., Windows Defender)\n∙ Patch management",
        "medium": "∙ EDR solution (e.g., CrowdStrike Falcon Go)\n∙ Centralized endpoint management",
        "large": "∙ Enterprise EDR/EPP (e.g., CrowdStrike, SentinelOne)\n∙ MDM/UEM (e.g., Microsoft Intune)",
        "enterprise": "∙ Enterprise EDR/XDR platform (e.g., CrowdStrike, SentinelOne)\n∙ UEM (e.g., Microsoft Intune, JAMF)\n∙ Zero-trust endpoint controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-govramp": [
          "SI-08(02)"
        ],
        "general-govramp-mod": [
          "SI-08(02)"
        ],
        "general-govramp-high": [
          "SI-08(02)"
        ],
        "general-nist-800-53-r4": [
          "SI-8(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-08(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-08(02)"
        ],
        "general-nist-800-82-r3": [
          "SI-08(02)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-8(2)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-08(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-8(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-8(2)"
        ]
      }
    },
    {
      "control_id": "END-09",
      "title": "Trusted Path",
      "family": "END",
      "description": "Mechanisms exist to establish a trusted communications path between the user and the security functions of the operating system.",
      "scf_question": "Does the organization establish a trusted communications path between the user and the security functions of the operating system?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish a trusted communications path between the user and the security functions of the operating system.",
        "4": "In addition to Endpoint Security (END) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-iso-27002-2022": [
          "8.5"
        ],
        "general-iso-27017-2015": [
          "9.4.2"
        ],
        "general-iso-27018-2025": [
          "8.5"
        ],
        "general-nist-800-53-r4": [
          "SC-11"
        ],
        "general-nist-800-53-r5-2": [
          "SC-11"
        ],
        "general-nist-800-82-r3": [
          "SC-11"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-11"
        ],
        "general-ul-2900-2-2-2016": [
          "8.10(b)"
        ],
        "emea-isr-cmo-1-0": [
          "4.37"
        ]
      }
    },
    {
      "control_id": "END-10",
      "title": "Mobile Code",
      "family": "END",
      "description": "Mechanisms exist to address mobile code / operating system-independent applications.",
      "scf_question": "Does the organization address mobile code / operating system-independent applications?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-32"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address mobile code / operating system-independent applications.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-govramp": [
          "SC-18"
        ],
        "general-govramp-mod": [
          "SC-18"
        ],
        "general-govramp-high": [
          "SC-18"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.4",
          "SR 2.4(a)",
          "SR 2.4(b)",
          "SR 2.4(c)",
          "SR 2.4(d)"
        ],
        "general-iec-62443-4-2-2019": [
          "SAR 2.4",
          "SAR 2.4(a)",
          "SAR 2.4(b)",
          "SAR 2.4(c)",
          "SAR 2.4(1)",
          "EDR 2.4",
          "EDR 2.4(a)",
          "EDR 2.4(b)",
          "EDR 2.4(c)",
          "HDR 2.4",
          "HDR 2.4(a)",
          "HDR 2.4(b)",
          "HDR 2.4(c)",
          "NDR 2.4",
          "NDR 2.4(a)",
          "NDR 2.4(b)",
          "NDR 2.4(c)",
          "NDR 2.4(1)"
        ],
        "general-mitre-att&ck-16-1": [
          "T1021.003",
          "T1055",
          "T1055.001",
          "T1055.002",
          "T1055.003",
          "T1055.004",
          "T1055.005",
          "T1055.008",
          "T1055.009",
          "T1055.011",
          "T1055.012",
          "T1055.013",
          "T1055.014",
          "T1059",
          "T1059.005",
          "T1059.007",
          "T1068",
          "T1127.002",
          "T1137",
          "T1137.001",
          "T1137.002",
          "T1137.003",
          "T1137.004",
          "T1137.005",
          "T1137.006",
          "T1189",
          "T1190",
          "T1203",
          "T1210",
          "T1211",
          "T1212",
          "T1218.001",
          "T1218.015",
          "T1548",
          "T1548.004",
          "T1559",
          "T1559.001",
          "T1559.002"
        ],
        "general-nist-800-53-r4": [
          "SC-18",
          "SC-18(1)",
          "SC-18(2)",
          "SC-18(3)",
          "SC-18(4)",
          "SC-27"
        ],
        "general-nist-800-53-r5-2": [
          "SC-18",
          "SC-18(01)",
          "SC-18(02)",
          "SC-18(03)",
          "SC-18(04)",
          "SC-27"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-18(01)",
          "SC-18(02)",
          "SC-18(03)",
          "SC-18(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-18"
        ],
        "general-nist-800-82-r3": [
          "SC-18",
          "SC-18(01)",
          "SC-18(02)",
          "SC-18(03)",
          "SC-18(04)",
          "SC-27"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-18"
        ],
        "general-nist-800-82-r3-high": [
          "SC-18"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-27"
        ],
        "general-nist-800-161-r1": [
          "SC-18",
          "SC-18(2)",
          "SC-27"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-27"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-18",
          "SC-18(2)",
          "SC-27"
        ],
        "general-nist-800-171-r2": [
          "3.13.13"
        ],
        "general-nist-800-171-r3": [
          "03.13.13.a",
          "03.13.13.b"
        ],
        "general-nist-800-171a": [
          "3.13.13[a]",
          "3.13.13[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.13.a[01]",
          "A.03.13.13.a[02]",
          "A.03.13.13.b[01]",
          "A.03.13.13.b[02]",
          "A.03.13.13.b[03]"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.SE.ACMIT",
          "3.PEP.WE.ACMIT"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.N"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-18"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.13"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-18(01)",
          "SC-18(02)",
          "SC-18(03)",
          "SC-18(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-18",
          "SC-18(01)",
          "SC-18(02)",
          "SC-18(03)",
          "SC-18(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-18",
          "SC-18(01)",
          "SC-18(02)",
          "SC-18(03)",
          "SC-18(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-18(01)",
          "SC-18(02)",
          "SC-18(03)",
          "SC-18(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-18",
          "SC-18(CE-1)",
          "SC-18(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-18",
          "SC-18.a",
          "SC-18.b",
          "SC-18.c"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.1.d"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-18"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2413"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2413"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2413"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2413"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.13.A",
          "03.13.13.B"
        ]
      }
    },
    {
      "control_id": "END-11",
      "title": "Thin Nodes",
      "family": "END",
      "description": "Mechanisms exist to configure thin nodes to have minimal functionality and information storage.",
      "scf_question": "Does the organization configure thin nodes to have minimal functionality and information storage?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure thin nodes to have minimal functionality and information storage.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-25"
        ],
        "general-nist-800-53-r5-2": [
          "SC-25"
        ],
        "general-nist-800-82-r3": [
          "SC-25"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-25"
        ]
      }
    },
    {
      "control_id": "END-12",
      "title": "Port & Input / Output (I/O) Device Access",
      "family": "END",
      "description": "Mechanisms exist to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems.",
      "scf_question": "Does the organization physically disable or remove unnecessary connection ports or input/output devices from sensitive systems?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1025",
          "T1052",
          "T1052.001",
          "T1091",
          "T1200"
        ],
        "general-nist-800-53-r4": [
          "SC-41"
        ],
        "general-nist-800-53-r5-2": [
          "SC-41"
        ],
        "general-nist-800-82-r3": [
          "SC-41"
        ],
        "general-nist-800-82-r3-low": [
          "SC-41"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-41"
        ],
        "general-nist-800-82-r3-high": [
          "SC-41"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 1.2"
        ]
      }
    },
    {
      "control_id": "END-13",
      "title": "Sensor Capability",
      "family": "END",
      "description": "Mechanisms exist to configure embedded sensors on systems to: \n(1) Prohibit the remote activation of sensing capabilities; and\n(2) Provide an explicit indication of sensor use to users.",
      "scf_question": "Does the organization configure embedded sensors on systems to: \n (1) Prohibit the remote activation of sensing capabilities; and\n (2) Provide an explicit indication of sensor use to users?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure embedded sensors on systems to: \n(1) Prohibit the remote activation of sensing capabilities; and\n(2) Provide an explicit indication of sensor use to users.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-42"
        ],
        "general-nist-800-53-r5-2": [
          "SC-42"
        ],
        "general-nist-800-82-r3": [
          "SC-42"
        ]
      }
    },
    {
      "control_id": "END-13.1",
      "title": "Authorized Use",
      "family": "END",
      "description": "Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes.",
      "scf_question": "Does the organization utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-42(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-42(02)"
        ],
        "general-nist-800-82-r3": [
          "SC-42(02)"
        ],
        "general-scf-dpmp-2025": [
          "7.4"
        ],
        "general-shared-assessments-sig-2025": [
          "P.2.2.1"
        ],
        "emea-zaf-popia-2013": [
          "8",
          "9",
          "13.1"
        ]
      }
    },
    {
      "control_id": "END-13.2",
      "title": "Notice of Collection",
      "family": "END",
      "description": "Mechanisms exist to notify individuals that Personal Data (PD) is collected by sensors.",
      "scf_question": "Does the organization notify individuals that Personal Data (PD) is collected by sensors?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to notify individuals that Personal Data (PD) is collected by sensors.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "small": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "medium": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "large": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "enterprise": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-3",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SC-42(04)"
        ],
        "general-nist-800-82-r3": [
          "SC-42(04)"
        ],
        "general-scf-dpmp-2025": [
          "7.4"
        ],
        "general-tisax-6-0-3": [
          "8.2.6"
        ],
        "emea-zaf-popia-2013": [
          "18"
        ]
      }
    },
    {
      "control_id": "END-13.3",
      "title": "Collection Minimization",
      "family": "END",
      "description": "Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals.",
      "scf_question": "Does the organization utilize sensors that are configured to minimize the collection of information about individuals?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize sensors that are configured to minimize the collection of information about individuals.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-3",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-iec-tr-60601-4-5-2021": [
          "4.5"
        ],
        "general-nist-800-53-r5-2": [
          "PM-25",
          "SA-08(33)",
          "SC-42(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-25",
          "SA-08(33)"
        ],
        "general-nist-800-82-r3": [
          "PM-25",
          "SA-08(33)",
          "SC-42(05)"
        ],
        "general-nist-800-82-r3-low": [
          "PM-25"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-25"
        ],
        "general-nist-800-82-r3-high": [
          "PM-25"
        ],
        "general-nist-800-161-r1": [
          "PM-25"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-25"
        ],
        "general-scf-dpmp-2025": [
          "7.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-25",
          "SA-08(33)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-25",
          "SA-08(33)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-25",
          "SA-08(33)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-25",
          "SA-08(33)"
        ],
        "emea-sau-cgiot-2024": [
          "2-6-3"
        ],
        "emea-zaf-popia-2013": [
          "10"
        ]
      }
    },
    {
      "control_id": "END-13.4",
      "title": "Sensor Delivery Verification",
      "family": "END",
      "description": "Mechanisms exist to verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles.",
      "scf_question": "Does the organization verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SC-42(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-42(01)"
        ]
      }
    },
    {
      "control_id": "END-14",
      "title": "Collaborative Computing Devices",
      "family": "END",
      "description": "Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: \n(1) Networked whiteboards; \n(2) Video teleconference cameras; and \n(3) Teleconference microphones.",
      "scf_question": "Does the organization unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: \n (1) Networked whiteboards; \n (2) Video teleconference cameras; and \n (3) Teleconference microphones?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: \n(1) Networked whiteboards; \n(2) Video teleconference cameras; and \n(3) Teleconference microphones.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-govramp": [
          "SC-15"
        ],
        "general-govramp-high": [
          "SC-15"
        ],
        "general-nist-800-53-r4": [
          "SC-15",
          "SC-15(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-15",
          "SC-15(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-15"
        ],
        "general-nist-800-82-r3": [
          "SC-15",
          "SC-15(01)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-15"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-15"
        ],
        "general-nist-800-82-r3-high": [
          "SC-15"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-15(01)"
        ],
        "general-nist-800-171-r2": [
          "3.13.12"
        ],
        "general-nist-800-171-r3": [
          "03.13.12.a"
        ],
        "general-nist-800-171a": [
          "3.13.12[a]",
          "3.13.12[b]",
          "3.13.12[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.12.ODP[01]",
          "A.03.13.12.a"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-15"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.12"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-15"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-15"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-15"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-15"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-15"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-15",
          "SC-15.a",
          "SC-15.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-15"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-15"
        ],
        "emea-isr-cmo-1-0": [
          "5.6"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0231"
        ],
        "apac-chn-pipl-2021": [
          "26"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.12.A"
        ]
      }
    },
    {
      "control_id": "END-14.1",
      "title": "Disabling / Removal In Secure Work Areas",
      "family": "END",
      "description": "Mechanisms exist to disable or remove collaborative computing devices from critical systems and secure work areas.",
      "scf_question": "Does the organization disable or remove collaborative computing devices from critical systems and secure work areas?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to disable or remove collaborative computing devices from critical systems and secure work areas.",
        "4": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Endpoint Security (END) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Configuration Management (CM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-15(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-15(03)"
        ],
        "general-nist-800-82-r3": [
          "SC-15(03)"
        ],
        "general-shared-assessments-sig-2025": [
          "M.3"
        ]
      }
    },
    {
      "control_id": "END-14.2",
      "title": "Explicitly Indicate Current Participants",
      "family": "END",
      "description": "Automated mechanisms exist to provide an explicit indication of current participants in online meetings and teleconferences.",
      "scf_question": "Does the organization use automated mechanisms to provide an explicit indication of current participants in online meetings and teleconferences?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically provide an explicit indication of current participants in online meetings and teleconferences.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "small": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "medium": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "large": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "enterprise": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-15(4)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-15(04)"
        ],
        "general-nist-800-82-r3": [
          "SC-15(04)"
        ],
        "general-shared-assessments-sig-2025": [
          "M.3"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-15(CE-4)"
        ]
      }
    },
    {
      "control_id": "END-14.3",
      "title": "Participant Identity Verification",
      "family": "END",
      "description": "Mechanisms exist to verify individual identities to ensure that access to virtual meetings is limited to appropriate individuals.",
      "scf_question": "Does the organization verify individual identities to ensure that access to virtual meetings is limited to appropriate individuals?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to verify individual identities to ensure that access to virtual meetings is limited to appropriate individuals.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.UN.IVERI"
        ]
      }
    },
    {
      "control_id": "END-14.4",
      "title": "Participant Connection Management",
      "family": "END",
      "description": "Mechanisms exist to ensure the meeting host can positively control an individual's participation in virtual meetings.",
      "scf_question": "Does the organization ensure the meeting host can positively control an individual's participation in virtual meetings?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the meeting host can positively control an individual's participation in virtual meetings.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.UN.CTERM"
        ]
      }
    },
    {
      "control_id": "END-14.5",
      "title": "Malicious Link & File Protections",
      "family": "END",
      "description": "Automated mechanisms exist to detect malicious links and/or files in communications and prevent users from accessing those malicious links and/or files.",
      "scf_question": "Does the organization use automated mechanisms to detect malicious links and/or files in communications and prevent users from accessing those malicious links and/or files?",
      "relative_weight": 7,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically detect malicious links and/or files in communications and prevent users from accessing those malicious links and/or files.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Antimalware software"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-EX-7",
        "R-GV-1",
        "R-GV-8"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.UN.LCTPR",
          "3.PEP.UN.MFPRO",
          "3.PEP.UN.MLPRO"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 3.1"
        ]
      }
    },
    {
      "control_id": "END-14.6",
      "title": "Explicit Indication Of Use",
      "family": "END",
      "description": "Mechanisms exist to configure collaborative computing devices to provide physically-present individuals with an explicit indication of use.",
      "scf_question": "Does the organization configure collaborative computing devices to provide physically-present individuals with an explicit indication of use?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to configure collaborative computing devices to provide physically-present individuals with an explicit indication of use.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "small": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "medium": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "large": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert",
        "enterprise": "∙ Secure Baseline Configurations (SBC) ensure a visible or auditory alert"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.13.12.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.12.b"
        ],
        "general-shared-assessments-sig-2025": [
          "M.3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.UN.MFPRO"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.12.B"
        ]
      }
    },
    {
      "control_id": "END-15",
      "title": "Hypervisor Access",
      "family": "END",
      "description": "Mechanisms exist to restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems.",
      "scf_question": "Does the organization restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {}
    },
    {
      "control_id": "END-16",
      "title": "Restrict Access To Security Functions",
      "family": "END",
      "description": "Mechanisms exist to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions.",
      "scf_question": "Does the organization ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-govramp": [
          "SC-03"
        ],
        "general-govramp-high": [
          "SC-03"
        ],
        "general-nist-800-53-r4": [
          "SC-3"
        ],
        "general-nist-800-53-r5-2": [
          "SC-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-03"
        ],
        "general-nist-800-53-r5-2-high": [
          "SC-03"
        ],
        "general-nist-800-82-r3": [
          "SC-03"
        ],
        "general-nist-800-82-r3-high": [
          "SC-03"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-03"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.3",
          "3.4.1",
          "10.7.1",
          "11.4.5",
          "11.4.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.4.1",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.3",
          "3.4.1",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.3",
          "3.4.1",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.3",
          "3.4.1",
          "10.7.1",
          "11.4.5",
          "11.4.6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-03"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1006"
        ]
      }
    },
    {
      "control_id": "END-16.1",
      "title": "Host-Based Security Function Isolation",
      "family": "END",
      "description": "Mechanisms exist to implement underlying software separation mechanisms to facilitate security function isolation.",
      "scf_question": "Does the organization implement underlying software separation mechanisms to facilitate security function isolation?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Endpoint Security (END) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with END domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Endpoint security management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Endpoint Security (END) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Endpoint security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Endpoint security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Endpoint Security (END) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with END domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with END domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain END domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of endpoint security operations (e.g., unified endpoint management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with END domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement underlying software separation mechanisms to facilitate security function isolation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Endpoint Security",
      "crosswalks": {
        "general-govramp": [
          "SC-07(12)"
        ],
        "general-govramp-low-plus": [
          "SC-07(12)"
        ],
        "general-govramp-mod": [
          "SC-07(12)"
        ],
        "general-govramp-high": [
          "SC-07(12)"
        ],
        "general-nist-800-53-r4": [
          "SC-7(12)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(12)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(12)"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.3"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(12)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(12)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-12)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-7(12)"
        ]
      }
    },
    {
      "control_id": "HRS-01",
      "title": "Human Resources Security Management",
      "family": "HRS",
      "description": "Mechanisms exist to facilitate the implementation of personnel security controls.",
      "scf_question": "Does the organization facilitate the implementation of personnel security controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-01",
        "E-HRS-15",
        "E-HRS-27"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR maintains a current list of authorized personnel and facilitates the implementation of physical access management controls.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department works with cybersecurity personnel to facilitate workforce development and awareness to help ensure secure practices are implemented.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of personnel security controls.",
        "4": "Human Resources Security (HRS) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1",
          "CC1.1-POF1",
          "CC1.1-POF3",
          "CC1.2-POF1",
          "CC1.2-POF2",
          "CC1.2-POF3",
          "CC1.2-POF4",
          "CC1.3-POF6",
          "CC1.4",
          "CC1.4-POF1",
          "CC1.4-POF2",
          "CC1.4-POF3",
          "CC1.5-POF2",
          "CC1.5-POF3",
          "CC1.5-POF4",
          "CC1.5-POF5",
          "CC2.2-POF3",
          "CC2.3-POF4",
          "CC3.3-POF1",
          "CC3.3-POF2",
          "CC3.3-POF3",
          "CC3.3-POF4",
          "CC3.3-POF5"
        ],
        "general-bsi-200-1-1-0": [
          "6"
        ],
        "general-cobit-2019": [
          "APO07.01",
          "APO07.04",
          "APO07.05",
          "APO07.06"
        ],
        "general-coso-2013": [
          "1",
          "4",
          "5"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-01"
        ],
        "general-govramp": [
          "PS-01"
        ],
        "general-govramp-low": [
          "PS-01"
        ],
        "general-govramp-low-plus": [
          "PS-01"
        ],
        "general-govramp-mod": [
          "PS-01"
        ],
        "general-govramp-high": [
          "PS-01"
        ],
        "general-iso-27001-2022": [
          "7.2(d)",
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)"
        ],
        "general-iso-27002-2022": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "7.2"
        ],
        "general-iso-42001-2023": [
          "7.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.0",
          "OP-2.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)(a)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P9"
        ],
        "general-nist-800-53-r4": [
          "PS-1"
        ],
        "general-nist-800-53-r5-2": [
          "PS-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PS-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-01"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)",
          "164.312(d)"
        ],
        "general-nist-800-82-r3": [
          "PS-01"
        ],
        "general-nist-800-82-r3-low": [
          "PS-01"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-01"
        ],
        "general-nist-800-82-r3-high": [
          "PS-01"
        ],
        "general-nist-800-161-r1": [
          "PS-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PS-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PS-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "PS-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "PS-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "PS-1"
        ],
        "general-nist-800-171-r2": [
          "3.1.22",
          "NFO - PS-1"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.g.02",
          "03.15.03.a",
          "03.15.03.d"
        ],
        "general-nist-800-171a": [
          "3.2.2[a]",
          "3.2.2[b]",
          "3.2.2[c]",
          "3.9.2[a]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.01.ODP[01]",
          "A.03.01.01.ODP[02]",
          "A.03.01.01.ODP[03]",
          "A.03.01.01.ODP[04]"
        ],
        "general-nist-800-218": [
          "PO.2.1"
        ],
        "general-nist-csf-2-0": [
          "GV.RR-04",
          "ID.AM"
        ],
        "general-pci-dss-4-0-1": [
          "12.2",
          "12.2.1",
          "12.7",
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.2.1",
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.2.1",
          "12.7.1"
        ],
        "general-scf-dpmp-2025": [
          "7.9"
        ],
        "general-swift-cscf-2025": [
          "5.1",
          "5.3A"
        ],
        "general-tisax-6-0-3": [
          "8.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "HRM:SG1",
          "HRM:SG1.SP1",
          "HRM:SG1.SP2",
          "HRM:SG2.SP1",
          "HRM:SG2.SP2",
          "HRM:SG3",
          "HRM:SG3.SP3",
          "HRM:SG4",
          "HRM:SG4.SP1",
          "HRM:SG4.SP2",
          "HRM:SG4.SP3",
          "HRM:GG1.GP1",
          "HRM:GG2",
          "HRM:GG2.GP2",
          "PM:SG3",
          "PM:SG3.SP1",
          "PM:SG3.SP2",
          "PM:GG1.GP1",
          "PM:GG2",
          "PM:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.UATRA"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1g",
          "WORKFORCE-3e",
          "WORKFORCE-3f"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "III.9.b.iii"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(b)(3)",
          "609.930(c)(4)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(i)",
          "11.10(j)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-01"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(2)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(A)",
          "164.312(d)",
          "164.530(e)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(A)",
          "164.312(d)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.3-1",
          "2.C.3-2",
          "2.C.3-5",
          "PS-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.1",
          "CIP-004-7 R3"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-01"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.2(15)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(i)"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.1.1",
          "10.1.3",
          "10.2.3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-isr-cmo-1-0": [
          "19.1"
        ],
        "emea-sau-cscc-1-2019": [
          "1-5",
          "2-5"
        ],
        "emea-sau-cgiot-2024": [
          "1-3-2",
          "1-8-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-1",
          "1-9-6",
          "2-6-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-7",
          "1-7-2",
          "1-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-6",
          "TPC-71"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.1"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "20"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 15.1"
        ],
        "emea-esp-decree-311-2022": [
          "15.1"
        ],
        "emea-uae-niaf-2023": [
          "3.2.3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1300",
          "2702"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1300",
          "2702"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1300",
          "2702"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1300",
          "2702"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 34(1)"
        ],
        "apac-ind-dpdpa-2023": [
          "21(1)(a)",
          "21(1)(b)",
          "21(1)(c)",
          "21(1)(d)",
          "21(1)(e)",
          "21(2)",
          "22(1)",
          "22(2)",
          "22(3)"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S6",
          "RS.CO.S1"
        ],
        "apac-jpn-ppi-2020": [
          "21"
        ],
        "apac-jpn-ismap": [
          "4.5.2.2",
          "5.1.1.12",
          "7",
          "7.1",
          "7.1.1.13"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HML02"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP02"
        ],
        "apac-nzl-ism-3-9": [
          "9.2.10.C.01",
          "9.2.11.C.01",
          "9.2.11.C.02",
          "14.3.5.C.01",
          "15.1.7.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.5.1",
          "3.5.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.13"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.G.02",
          "03.15.03.A",
          "03.15.03.D"
        ]
      }
    },
    {
      "control_id": "HRS-01.1",
      "title": "Onboarding, Transferring & Offboarding Personnel",
      "family": "HRS",
        "description": "Mechanisms exist to proactively govern the following personnel management actions:\n(1) Onboarding new personnel (e.g., new hires);\n(2) Transferring personnel into new roles within the organization; and\n(3) Offboarding personnel (e.g., termination of employment).",
      "scf_question": "Does the organization proactively govern the following personnel management actions:\n(1) Onboarding new personnel (e.g., new hires);\n(2) Transferring personnel into new roles within the organization; and \n(3) Offboarding personnel (e.g., termination of employment)?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ Responsibility for initial training and enforcing policies is assigned to the individual's immediate supervisor/manager, including the definition and enforcement of the user’s specific role(s) and responsibilities.\n▪ HR requires personnel with access to sensitive/regulated data to sign a Non-Disclosure Agreement (NDA).\n▪ Formal roles and responsibilities for cybersecurity and/or data protection are not consistent and/or standardized.\n▪ HR maintains a current list of authorized personnel and facilitates the implementation of physical access management controls.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department governs personnel management operations and notifies IT and/or cybersecurity personnel of role changes for logical access provisioning and deprovisioning actions.\n▪ Personnel managers ensure personnel are responsible for educating new hires on the organization's cybersecurity and data protection policies.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to proactively govern the following personnel management actions:\n(1) Onboarding new personnel (e.g., new hires);\n(2) Transferring personnel into new roles within the organization; and \n(3) Offboarding personnel (e.g., termination of employment).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-bsi-200-1-1-0": [
          "6"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-06"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 1.4"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1",
          "OR-3.2"
        ],
        "general-nist-800-171-r2": [
          "3.9.2"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PSL2.-3.9.2"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(j)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 5.3",
          "CIP-004-7 5.4",
          "CIP-004-7 6.3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(A)(i)",
          "7123(c)(3)(A)(ii)",
          "7123(c)(3)(C)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)2",
          "17.03(2)(e)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-04-SID",
          "PS-05-SID"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(5)"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.1.2(b)",
          "10.3.1"
        ],
        "emea-sau-cgiot-2024": [
          "1-8-1",
          "1-8-2"
        ],
        "emea-uae-niaf-2023": [
          "3.2.3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2702"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2702"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2702"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2702"
        ],
        "apac-jpn-ismap": [
          "8.1.4.1",
          "8.1.4.2",
          "8.1.4.3",
          "8.1.4.4",
          "9.2.6.2",
          "9.2.6.4",
          "9.2.6.5",
          "9.2.6.6"
        ]
      }
    },
    {
      "control_id": "HRS-02",
      "title": "Position Categorization",
      "family": "HRS",
      "description": "Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.",
      "scf_question": "Does the organization manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-01",
        "E-HRS-02",
        "E-HRS-03",
        "E-HRS-04",
        "E-HRS-11",
        "E-HRS-22"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission and identifies gaps that exist.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2",
          "CC1.2-POF1",
          "CC1.2-POF2",
          "CC1.2-POF3",
          "CC1.2-POF4"
        ],
        "general-bsi-200-1-1-0": [
          "6"
        ],
        "general-coso-2013": [
          "2"
        ],
        "general-govramp": [
          "PS-02"
        ],
        "general-govramp-mod": [
          "PS-02"
        ],
        "general-govramp-high": [
          "PS-02"
        ],
        "general-iso-27001-2022": [
          "7.2(a)"
        ],
        "general-iso-27017-2015": [
          "6.1"
        ],
        "general-iso-42001-2023": [
          "7.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1"
        ],
        "general-nist-800-53-r4": [
          "PS-2"
        ],
        "general-nist-800-53-r5-2": [
          "PS-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PS-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-02"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)",
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "PS-02"
        ],
        "general-nist-800-82-r3-low": [
          "PS-02"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-02"
        ],
        "general-nist-800-82-r3-high": [
          "PS-02"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.c.01",
          "03.01.01.c.02",
          "03.01.01.d.01",
          "03.01.01.d.02",
          "03.01.02",
          "03.09.01.a",
          "03.09.01.b"
        ],
        "general-nist-800-172": [
          "3.9.1e"
        ],
        "general-nist-csf-2-0": [
          "GV.RR-02",
          "PR.AA-05"
        ],
        "general-pci-dss-4-0-1": [
          "12.7",
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.7.1"
        ],
        "general-swift-cscf-2025": [
          "5.1"
        ],
        "general-tisax-6-0-3": [
          "1.2.2",
          "2.1.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.UATRA"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-3h",
          "WORKFORCE-3a"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(b)(3)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(i)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-02"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(B)",
          "164.312(a)(1)",
          "164.530(a)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(B)",
          "164.312(a)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "PS-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-2",
          "PS-2.a",
          "PS-2.b",
          "PS-2.c"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(B)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)(2)(ii)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-02"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.2(15)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 32.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.1.2(b)",
          "10.1.3"
        ],
        "emea-isr-cmo-1-0": [
          "19.1"
        ],
        "emea-sau-cscc-1-2019": [
          "1-5-1-2"
        ],
        "emea-sau-cgiot-2024": [
          "1-8-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-26"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 13.2"
        ],
        "emea-esp-decree-311-2022": [
          "13.2"
        ],
        "apac-ind-sebi-2024": [
          "DE.DP.S1",
          "GV.RR.S2",
          "PR.AT.S4",
          "RS.CO.S1"
        ],
        "apac-jpn-ismap": [
          "4.5.2.2"
        ],
        "apac-nzl-ism-3-9": [
          "9.2.10.C.01",
          "9.2.10.C.02",
          "9.2.11.C.01",
          "9.2.11.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.C.01",
          "03.01.01.C.02",
          "03.01.01.D.01",
          "03.01.01.D.02",
          "03.01.02",
          "03.09.01.A",
          "03.09.01.B"
        ]
      }
    },
    {
      "control_id": "HRS-02.1",
      "title": "Users With Elevated Privileges",
      "family": "HRS",
      "description": "Mechanisms exist to ensure that every user accessing Technology Assets, Applications and/or Services (TAAS) that process, store and/or transmit sensitive/regulated data is cleared and regularly trained to handle the information in question.",
      "scf_question": "Does the organization ensure that every user accessing Technology Assets, Applications and/or Services (TAAS) that process, store and/or transmit sensitive/regulated data is cleared and regularly trained to handle the information in question?",
      "relative_weight": 10,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-HRS-02",
        "E-HRS-03",
        "E-HRS-04",
        "E-HRS-11",
        "E-HRS-22"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department, in conjunction with IT and/or cybersecurity personnel, evaluates risk for individuals requiring elevated privileges or access to sensitive/regulated data.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that every user accessing Technology Assets, Applications and/or Services (TAAS) that process, store and/or transmit sensitive/regulated data is cleared and regularly trained to handle the information in question.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-coso-2013": [
          "4"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1"
        ],
        "general-nist-800-171-r3": [
          "03.01.02"
        ],
        "general-nist-800-172": [
          "3.9.2e"
        ],
        "general-pci-dss-4-0-1": [
          "12.7",
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.7.1"
        ],
        "general-swift-cscf-2025": [
          "5.3A"
        ],
        "general-tisax-6-0-3": [
          "2.1.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.UATRA"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-3h"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "PS.L3-3.9.2E"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(i)"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.1.2(b)"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.5.2",
          "6.1.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.02"
        ]
      }
    },
    {
      "control_id": "HRS-02.2",
      "title": "Probationary Periods",
      "family": "HRS",
      "description": "Mechanisms exist to identify newly onboarded personnel for enhanced monitoring during their probationary period.",
      "scf_question": "Does the organization identify newly onboarded personnel for enhanced monitoring during their probationary period?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify newly onboarded personnel for enhanced monitoring during their probationary period.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF2",
          "CC1.4-POF3"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(21)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(21)"
        ]
      }
    },
    {
      "control_id": "HRS-03",
      "title": "Defined Roles & Responsibilities",
      "family": "HRS",
      "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
      "scf_question": "Does the organization define cybersecurity roles & responsibilities for all personnel?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-01",
        "E-HRS-02",
        "E-HRS-03",
        "E-HRS-04",
        "E-HRS-11",
        "E-HRS-13",
        "E-HRS-18",
        "E-HRS-22",
        "E-HRS-28"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ Formal roles and responsibilities for cybersecurity and/or data protection are not consistent and/or standardized.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define cybersecurity roles & responsibilities for all personnel.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ NIST NICE cybersecurity workforce framework alignment\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "small": "∙ NIST NICE cybersecurity workforce framework alignment\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "medium": "∙ NIST NICE cybersecurity workforce framework alignment\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "large": "∙ NIST NICE cybersecurity workforce framework alignment\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "enterprise": "∙ NIST NICE cybersecurity workforce framework alignment\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.2",
          "CC1.2-POF1",
          "CC1.2-POF2",
          "CC1.3",
          "CC1.3-POF3",
          "CC1.3-POF4",
          "CC1.3-POF5",
          "CC1.4-POF6",
          "CC1.5-POF1",
          "CC2.1-POF6",
          "CC2.2",
          "CC2.2-POF5",
          "CC5.3-POF2",
          "CC7.4-POF1"
        ],
        "general-apec-privacy-framework-2015": [
          "9"
        ],
        "general-bsi-200-1-1-0": [
          "7.2"
        ],
        "general-cobit-2019": [
          "DSS06.03"
        ],
        "general-coso-2013": [
          "2",
          "3",
          "14"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-02",
          "GRC-06",
          "HRS-09"
        ],
        "general-csa-iot-2": [
          "GVN-01"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 1.3"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-2"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.1"
        ],
        "general-iso-21434-2021": [
          "RQ-05-07",
          "RQ-06-01"
        ],
        "general-iso-22301-2019": [
          "5.3",
          "8.4.2.2",
          "8.4.2.4(a)",
          "8.4.2.4(b)"
        ],
        "general-iso-27001-2022": [
          "5.3",
          "7.3",
          "7.3(b)"
        ],
        "general-iso-27002-2022": [
          "5.2"
        ],
        "general-iso-27017-2015": [
          "6.1.1"
        ],
        "general-iso-27018-2025": [
          "5.2"
        ],
        "general-iso-27701-2025": [
          "4.2",
          "5.3",
          "7.3"
        ],
        "general-iso-31000-2018": [
          "5.4.3"
        ],
        "general-iso-42001-2023": [
          "5.3",
          "7.2",
          "A.3.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.0",
          "GOVERN 2.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.5",
          "GV-1.5-001"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P2",
          "GV.PO-P3",
          "CM.PO-P2"
        ],
        "general-nist-800-37-r2": [
          "TASK P-1"
        ],
        "general-nist-800-53-r4": [
          "PM-13"
        ],
        "general-nist-800-53-r5-2": [
          "PM-13",
          "PS-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-13"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-09"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)",
          "164.310(a)",
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "PM-13",
          "PS-09"
        ],
        "general-nist-800-82-r3-low": [
          "PM-13",
          "PS-09"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-13",
          "PS-09"
        ],
        "general-nist-800-82-r3-high": [
          "PM-13",
          "PS-09"
        ],
        "general-nist-800-161-r1": [
          "PM-13"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-13"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-13"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a",
          "03.06.04.a",
          "03.06.05.d",
          "03.07.06.a",
          "03.08.02",
          "03.15.03.b",
          "03.16.03.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.05.d"
        ],
        "general-nist-800-172": [
          "3.9.1e"
        ],
        "general-nist-800-218": [
          "PO.2",
          "PO.2.1"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-05",
          "GV.RR",
          "GV.RR-02",
          "ID.AM"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "3.7.8",
          "4.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.10.1",
          "A3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.1.3",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.1.3",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.1.3",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.1.3",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "3.7.8",
          "4.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "3.7.8",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.1.3",
          "12.10.1"
        ],
        "general-tisax-6-0-3": [
          "1.2.2",
          "1.2.4",
          "2.1.1",
          "9.7.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG2.GP4",
          "ADM:GG2.GP6",
          "AM:GG2.GP4",
          "AM:GG2.GP6",
          "COMM:GG2.GP4",
          "COMM:GG2.GP6",
          "COMP:GG2.GP4",
          "COMP:GG2.GP6",
          "CTRL:GG2.GP4",
          "CTRL:GG2.GP6",
          "EC:GG2.GP4",
          "EC:GG2.GP6",
          "EF:GG2.GP4",
          "EF:GG2.GP6",
          "EXD:GG2.GP4",
          "EXD:GG2.GP6",
          "FRM:GG2.GP4",
          "FRM:GG2.GP6",
          "HRM:SG3.SP1",
          "HRM:GG2.GP4",
          "HRM:GG2.GP6",
          "ID:GG2.GP4",
          "ID:GG2.GP6",
          "IMC:GG2.GP4",
          "IMC:GG2.GP6",
          "KIM:GG2.GP4",
          "KIM:GG2.GP6",
          "MA:GG2.GP4",
          "MA:GG2.GP6",
          "MON:GG2.GP4",
          "MON:GG2.GP6",
          "OPD:GG2.GP4",
          "OPD:GG2.GP6",
          "OPF:GG2.GP4",
          "OPF:GG2.GP6",
          "OTA:GG2.GP4",
          "OTA:GG2.GP6",
          "PM:GG2.GP4",
          "PM:GG2.GP6",
          "RISK:GG2.GP4",
          "RISK:GG2.GP6",
          "RRD:GG2.GP4",
          "RRD:GG2.GP6",
          "RRM:GG2.GP4",
          "RRM:GG2.GP6",
          "RTSE:GG2.GP4",
          "RTSE:GG2.GP6",
          "SC:GG2.GP4",
          "SC:GG2.GP6",
          "TM:GG2.GP4",
          "TM:GG2.GP6",
          "VAR:GG2.GP4",
          "VAR:GG2.GP6",
          "GG2.GP4",
          "GG2.GP6"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.UATRA"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-9"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-2a",
          "RESPONSE-3a",
          "WORKFORCE-3a",
          "WORKFORCE-3b",
          "WORKFORCE-3c",
          "WORKFORCE-3d"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(b)(3)",
          "609.930(c)(4)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(i)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-13",
          "PS-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-13",
          "PS-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-13",
          "PS-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-13",
          "PS-09"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(B)",
          "164.310(a)(2)(i)",
          "164.312(a)(1)",
          "164.530(a)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(B)",
          "164.310(a)(2)(i)",
          "164.312(a)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "PS-9"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-13"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 1.3",
          "CIP-009-6 1.2"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(c)(2)",
          "§117.18(c)(2)(i)",
          "§117.18(c)(2)(ii)",
          "§117.18(c)(2)(iii)",
          "§117.18(c)(2)(iv)",
          "§117.18(c)(2)(v)",
          "§117.18(c)(2)(vi)",
          "§117.18(c)(2)(vii)",
          "§117.18(c)(2)(vii)(A)",
          "§117.18(c)(2)(vii)(B)",
          "§117.18(c)(2)(vii)(C)",
          "§117.18(c)(2)(vii)(D)",
          "§117.18(c)(2)(vii)(E)",
          "§117.18(c)(2)(vii)(F)",
          "§117.18(c)(2)(vii)(G)",
          "§117.18(c)(2)(vii)(H)",
          "§117.18(c)(2)(vii)(I)",
          "§117.18(c)(3)",
          "§117.18(c)(3)(i)",
          "§117.18(c)(3)(ii)",
          "§117.18(c)(3)(iii)",
          "§117.18(c)(4)",
          "§117.18(c)(4)(i)",
          "§117.18(c)(4)(ii)",
          "§117.18(c)(4)(iii)",
          "§117.18(c)(4)(iv)",
          "§117.18(c)(4)(v)",
          "§117.18(c)(4)(vi)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.e"
        ],
        "usa-state-il-ipa-2009": [
          "35(a)(3)",
          "37(a)(3)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(1)",
          "500.16(a)(2)(ii)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-09"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(12)",
          "3.3.2(15)"
        ],
        "emea-eu-dora-2023": [
          "Article 5.2(c)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 32.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(g)",
          "1.2.1",
          "1.2.4",
          "1.2.6",
          "2.1.2(i)",
          "3.1.2(c)",
          "3.1.3",
          "4.2.4(c)",
          "4.3.2(a)",
          "10.1.1"
        ],
        "emea-deu-c5-2020": [
          "PSS-08"
        ],
        "emea-isr-cmo-1-0": [
          "4.13",
          "18.10"
        ],
        "emea-sau-cgiot-2024": [
          "1-3-1",
          "1-3-2",
          "1-8-1"
        ],
        "emea-sau-otcc-1-2022": [
          "1-2",
          "1-2-1",
          "1-2-1-1"
        ],
        "emea-sau-pdpl-2023": [
          "Article 30.2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-26"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.4"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 11.1",
          "Article 11.2",
          "Article 11.3",
          "Article 13.1",
          "Article 13.2",
          "Article 13.2(a)",
          "Article 13.2(b)",
          "Article 13.2(c)",
          "Article 13.2(d)",
          "Article 13.3",
          "Article 13.4",
          "Article 13.5"
        ],
        "emea-esp-decree-311-2022": [
          "11.1",
          "11.2",
          "11.3",
          "13.1",
          "13.2",
          "13.2(a)",
          "13.2(b)",
          "13.2(c)",
          "13.2(d)",
          "13.3",
          "13.4",
          "13.5"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "6.4 [ORG.4]",
          "8.2.1 [MP.PER.1]",
          "8.2.2 [MP.PER.2]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1102",
          "2321",
          "3101",
          "3102"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1102",
          "2321",
          "3101"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1102",
          "2321",
          "3101"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1102",
          "2321",
          "3102"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0717",
          "ISM-0720",
          "ISM-0724",
          "ISM-0725",
          "ISM-0726",
          "ISM-0731",
          "ISM-0732",
          "ISM-0733",
          "ISM-0734",
          "ISM-0735"
        ],
        "apac-aus-ps-cps-234-2019": [
          "14"
        ],
        "apac-chn-data-security-law-2021": [
          "27"
        ],
        "apac-ind-dpdpa-2023": [
          "6(9)",
          "10(2)(a)(iv)"
        ],
        "apac-ind-sebi-2024": [
          "DE.DP.S1",
          "GV.RR.S2",
          "PR.AT.S4",
          "PR.AT.S5",
          "RS.CO.S1"
        ],
        "apac-jpn-ppi-2020": [
          "21"
        ],
        "apac-jpn-ismap": [
          "4.5.2.2",
          "6.1.1",
          "6.1.1.1",
          "6.1.1.2",
          "6.1.1.3",
          "6.1.1.4",
          "6.1.1.5",
          "6.1.1.6",
          "6.1.1.7",
          "6.1.1.13.PB"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP02",
          "HHSP23",
          "HML02",
          "HML23"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS01"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP02",
          "HSUP21"
        ],
        "apac-nzl-ism-3-9": [
          "3.3.4.C.01",
          "3.3.4.C.02",
          "3.3.4.C.03",
          "3.3.4.C.04",
          "3.3.4.C.05",
          "3.3.5.C.01",
          "3.3.5.C.02",
          "3.3.6.C.01",
          "3.3.6.C.02",
          "3.3.6.C.03",
          "3.3.6.C.04",
          "3.3.6.C.05",
          "3.3.6.C.06",
          "3.3.7.C.01",
          "3.3.8.C.01",
          "3.3.8.C.02",
          "3.3.8.C.03",
          "3.3.8.C.04",
          "3.3.8.C.05",
          "3.3.9.C.01",
          "3.3.10.C.01",
          "3.3.10.C.02",
          "3.3.10.C.03",
          "3.3.10.C.04",
          "3.3.11.C.01",
          "3.3.12.C.01",
          "3.3.13.C.01",
          "3.3.13.C.02",
          "3.3.14.C.01",
          "3.3.14.C.02",
          "3.3.14.C.03",
          "3.3.15.C.01",
          "3.4.10.C.01",
          "3.4.10.C.02"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A",
          "03.06.04.A",
          "03.06.05.D",
          "03.07.06.A",
          "03.08.02",
          "03.15.03.B",
          "03.16.03.B"
        ]
      }
    },
    {
      "control_id": "HRS-03.1",
      "title": "User Awareness",
      "family": "HRS",
      "description": "Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment.",
      "scf_question": "Does the organization communicate with users about their roles and responsibilities to maintain a safe and secure working environment?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-01",
        "E-HRS-13",
        "E-HRS-16",
        "E-HRS-18"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to communicate with users about their roles and responsibilities to maintain a safe and secure working environment.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Human Resources Security (HRS) capabilities are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "medium": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "large": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "enterprise": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF3"
        ],
        "general-bsi-200-1-1-0": [
          "4.2",
          "6"
        ],
        "general-coso-2013": [
          "4"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-13"
        ],
        "general-iso-27001-2022": [
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)"
        ],
        "general-iso-27701-2025": [
          "7.3"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1",
          "OP-2.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P2"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a",
          "03.15.03.b"
        ],
        "general-nist-csf-2-0": [
          "GV.RR-04"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "4.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "4.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.1.3"
        ],
        "general-tisax-6-0-3": [
          "2.1.3"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "HRM:SG3.SP2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.UATRA"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e",
          "WORKFORCE-2a"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 R2",
          "CIP-004-7 2.2"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(2)"
        ],
        "emea-eu-nis2-annex-2024": [
          "8.1.1",
          "10.1.2(a)",
          "10.1.2(c)"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 13.1",
          "Article 15.1"
        ],
        "emea-esp-decree-311-2022": [
          "13.1",
          "15.1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2600",
          "2603"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2600",
          "2603"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2600",
          "2603"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2600",
          "2603"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0824"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S6",
          "PR.AT.S4",
          "PR.AT.S5"
        ],
        "apac-jpn-ismap": [
          "4.5.2.6",
          "4.5.2.7",
          "4.5.2.8",
          "7.1.2.7",
          "7.2",
          "7.2.1.4",
          "8.1.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A",
          "03.15.03.B"
        ]
      }
    },
    {
      "control_id": "HRS-03.2",
      "title": "Competency Requirements for Security-Related Positions",
      "family": "HRS",
      "description": "Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.",
      "scf_question": "Does the organization ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-21",
        "E-HRS-23"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ Formal roles and responsibilities for cybersecurity and/or data protection are not consistent and/or standardized.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Human Resources Security (HRS) capabilities are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Demonstrated Subject Matter Expert (SME) experience\n∙ Professional references\n∙ Education / certification transcripts",
        "small": "∙ Demonstrated Subject Matter Expert (SME) experience\n∙ Professional references\n∙ Education / certification transcripts",
        "medium": "∙ Demonstrated Subject Matter Expert (SME) experience\n∙ Professional references\n∙ Education / certification transcripts",
        "large": "∙ Demonstrated Subject Matter Expert (SME) experience\n∙ Professional references\n∙ Education / certification transcripts",
        "enterprise": "∙ Demonstrated Subject Matter Expert (SME) experience\n∙ Professional references\n∙ Education / certification transcripts"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.2",
          "CC1.2-POF2",
          "CC1.2-POF4",
          "CC1.3",
          "CC1.4-POF2",
          "CC1.4-POF6",
          "CC1.5",
          "CC5.3",
          "CC5.3-POF5"
        ],
        "general-cobit-2019": [
          "APO01.08"
        ],
        "general-coso-2013": [
          "2",
          "3",
          "4",
          "5"
        ],
        "general-govramp": [
          "PS-02"
        ],
        "general-govramp-mod": [
          "PS-02"
        ],
        "general-govramp-high": [
          "PS-02"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.1.2"
        ],
        "general-iso-21434-2021": [
          "RQ-05-07"
        ],
        "general-iso-22301-2019": [
          "7.2",
          "7.2(a)",
          "7.2(b)",
          "7.2(c)",
          "7.2(d)",
          "8.4.2.3",
          "8.4.2.3(a)",
          "8.4.2.3(b)",
          "8.4.2.3(c)",
          "8.4.2.3(d)",
          "8.4.2.3(e)",
          "8.4.2.3(f)",
          "8.4.2.3(g)",
          "8.4.2.3(h)"
        ],
        "general-iso-27001-2022": [
          "7.2",
          "7.2(a)",
          "7.2(b)",
          "7.2(c)",
          "7.2(d)"
        ],
        "general-iso-27701-2025": [
          "7.2"
        ],
        "general-iso-42001-2023": [
          "7.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.1",
          "MAP 1.2",
          "MAP 3.4"
        ],
        "general-nist-800-53-r4": [
          "PS-2"
        ],
        "general-nist-800-53-r5-2": [
          "PS-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PS-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-02"
        ],
        "general-nist-800-82-r3": [
          "PS-02"
        ],
        "general-nist-800-82-r3-low": [
          "PS-02"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-02"
        ],
        "general-nist-800-82-r3-high": [
          "PS-02"
        ],
        "general-nist-800-171-r3": [
          "03.07.06.d"
        ],
        "general-nist-800-218": [
          "PO.2"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.2"
        ],
        "general-tisax-6-0-3": [
          "1.2.2",
          "2.1.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-5e",
          "THREAT-3e",
          "RISK-5e",
          "ACCESS-4e",
          "SITUATION-4e",
          "RESPONSE-5e",
          "THIRD-PARTIES-3e",
          "WORKFORCE-5e",
          "ARCHITECTURE-6e",
          "PROGRAM-3e"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(b)(3)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(i)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-02"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "PS-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-2"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(ii)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-02"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-26"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 15.1",
          "Article 16.1",
          "Article 16.2",
          "Article 16.3"
        ],
        "emea-esp-decree-311-2022": [
          "15.1",
          "16.1",
          "16.2",
          "16.3"
        ],
        "emea-gbr-caf-4-0": [
          "C1.e"
        ],
        "apac-jpn-ismap": [
          "4.5.2.2",
          "4.5.2.3",
          "7.1.1.6",
          "14.2.1.7",
          "14.2.1.8",
          "14.2.1.11"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.14.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.5.1",
          "6.1.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.5",
          "1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.06.D"
        ]
      }
    },
    {
      "control_id": "HRS-04",
      "title": "Personnel Screening",
      "family": "HRS",
      "description": "Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.",
      "scf_question": "Does the organization manage personnel security risk by screening individuals prior to authorizing access?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-17",
        "E-HRS-21"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to manage personnel security risk by screening individuals prior to authorizing access.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities and is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Criminal, education and employment background checks\n∙ Professional references\n∙ Education / certification transcripts",
        "small": "∙ Criminal, education and employment background checks\n∙ Professional references\n∙ Education / certification transcripts",
        "medium": "∙ Criminal, education and employment background checks\n∙ Professional references\n∙ Education / certification transcripts",
        "large": "∙ Criminal, education and employment background checks\n∙ Professional references\n∙ Education / certification transcripts",
        "enterprise": "∙ Criminal, education and employment background checks\n∙ Professional references\n∙ Education / certification transcripts"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF5"
        ],
        "general-coso-2013": [
          "4"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-01"
        ],
        "general-govramp": [
          "PS-03"
        ],
        "general-govramp-low": [
          "PS-03"
        ],
        "general-govramp-low-plus": [
          "PS-03"
        ],
        "general-govramp-mod": [
          "PS-03"
        ],
        "general-govramp-high": [
          "PS-03"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 1.2"
        ],
        "general-iso-27001-2022": [
          "7.2(b)",
          "7.2(c)"
        ],
        "general-iso-27002-2022": [
          "6.1"
        ],
        "general-iso-27017-2015": [
          "7.1.1"
        ],
        "general-iso-27018-2025": [
          "6.1"
        ],
        "general-iso-42001-2023": [
          "7.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.0"
        ],
        "general-nist-800-53-r4": [
          "PS-3"
        ],
        "general-nist-800-53-r5-2": [
          "PS-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-03"
        ],
        "general-nist-800-66-r2": [
          "164.312(d)"
        ],
        "general-nist-800-82-r3": [
          "PS-03"
        ],
        "general-nist-800-82-r3-low": [
          "PS-03"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-03"
        ],
        "general-nist-800-82-r3-high": [
          "PS-03"
        ],
        "general-nist-800-161-r1": [
          "PS-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PS-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PS-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "PS-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "PS-3"
        ],
        "general-nist-800-171-r2": [
          "3.9.1"
        ],
        "general-nist-800-171-r3": [
          "03.09.01.a",
          "03.09.01.b"
        ],
        "general-nist-800-171a": [
          "3.9.1"
        ],
        "general-nist-800-171a-r3": [
          "A.03.09.01.ODP[01]",
          "A.03.09.01.a",
          "A.03.09.01.b",
          "A.03.09.02.b.01[01]"
        ],
        "general-nist-800-172": [
          "3.9.1e"
        ],
        "general-pci-dss-4-0-1": [
          "12.7",
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.7.1"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-swift-cscf-2025": [
          "5.3A"
        ],
        "general-tisax-6-0-3": [
          "2.1.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1a",
          "WORKFORCE-1b",
          "WORKFORCE-1c",
          "WORKFORCE-1f"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PSL2.-3.9.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-03"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(d)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(d)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.3",
          "2.C.3-3",
          "2.C.3-6",
          "2.C.3-6.1",
          "2.C.3-6.2",
          "2.C.3-6.3",
          "PS-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-3",
          "PS-3.a",
          "PS-3.b",
          "PS-3.c",
          "PS-3-IS.1",
          "PS-3-IS.2"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 3.1",
          "CIP-004-7 3.2",
          "CIP-004-7 3.2.1",
          "CIP-004-7 3.2.2",
          "CIP-004-7 3.3",
          "CIP-004-7 3.4",
          "CIP-004-7 3.5"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-03"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.1.2(d)",
          "10.2.1",
          "10.2.2(a)",
          "10.2.2(b)"
        ],
        "emea-deu-c5-2020": [
          "HR-01"
        ],
        "emea-isr-cmo-1-0": [
          "19.2"
        ],
        "emea-sau-cscc-1-2019": [
          "1-5-1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-3",
          "1-9-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-7-1"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "20"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2700",
          "2701"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2700",
          "2701"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2700",
          "2701"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2700",
          "2701"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0434"
        ],
        "apac-jpn-ismap": [
          "7.1.1",
          "7.1.1.1",
          "7.1.1.2",
          "7.1.1.3",
          "7.1.1.5",
          "7.1.1.9",
          "7.1.1.10"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP20",
          "HML20"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP18"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.5.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.13"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.09.01.A"
        ]
      }
    },
    {
      "control_id": "HRS-04.1",
      "title": "Roles With Special Protection Measures",
      "family": "HRS",
      "description": "Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria.",
      "scf_question": "Does the organization ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-17",
        "E-HRS-21"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities and is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Criminal, education and employment background checks",
        "small": "∙ Criminal, education and employment background checks",
        "medium": "∙ Criminal, education and employment background checks",
        "large": "∙ Criminal, education and employment background checks",
        "enterprise": "∙ Criminal, education and employment background checks"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS06.03"
        ],
        "general-coso-2013": [
          "4"
        ],
        "general-govramp": [
          "PS-03(03)"
        ],
        "general-govramp-high": [
          "PS-03(03)"
        ],
        "general-iso-27002-2022": [
          "5.2",
          "6.1"
        ],
        "general-iso-27017-2015": [
          "6.1.1",
          "7.1.1"
        ],
        "general-iso-27018-2025": [
          "5.2",
          "6.1"
        ],
        "general-iso-27701-2025": [
          "7.3"
        ],
        "general-iso-42001-2023": [
          "7.2",
          "A.3.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.0",
          "GOVERN 4.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.PO-P2"
        ],
        "general-nist-800-53-r4": [
          "PS-3(1)",
          "PS-3(3)"
        ],
        "general-nist-800-53-r5-2": [
          "PS-03(01)",
          "PS-03(03)"
        ],
        "general-nist-800-82-r3": [
          "PS-03(01)",
          "PS-03(03)"
        ],
        "general-nist-800-171-r2": [
          "3.9.1"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a",
          "03.02.02.a.01",
          "03.09.01.a",
          "03.09.01.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.09.01.ODP[01]"
        ],
        "general-nist-800-172": [
          "3.9.1e"
        ],
        "general-pci-dss-4-0-1": [
          "12.7",
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.7.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.7.1"
        ],
        "general-swift-cscf-2025": [
          "5.1",
          "5.3A"
        ],
        "general-tisax-6-0-3": [
          "2.1.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-3h",
          "WORKFORCE-1f"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PSL2.-3.9.1"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-03(03)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.3-4"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(1)"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.1.2(d)"
        ],
        "emea-deu-c5-2020": [
          "HR-01",
          "PSS-08"
        ],
        "emea-isr-cmo-1-0": [
          "19.2"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-7-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-26"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0446",
          "ISM-0447"
        ],
        "apac-chn-data-security-law-2021": [
          "27"
        ],
        "apac-jpn-ismap": [
          "7.1.1.7",
          "7.1.1.8"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.5.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A",
          "03.02.02.A.01",
          "03.09.01.A",
          "03.09.01.B"
        ]
      }
    },
    {
      "control_id": "HRS-04.2",
      "title": "Formal Indoctrination",
      "family": "HRS",
      "description": "Mechanisms exist to formally educate authorized users on proper data handling practices for all the relevant types of data to which they have access.",
      "scf_question": "Does the organization formally educate authorized users on proper data handling practices for all the relevant types of data to which they have access?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-18"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department governs personnel management operations and notifies IT and/or cybersecurity personnel of role changes for logical access provisioning and deprovisioning actions.\n▪ Personnel managers are responsible for ensuring new hires are educated on the organization's cybersecurity and data protection policies.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to formally educate authorized users on proper data handling practices for all the relevant types of data to which they have access.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities and is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal onboarding training",
        "small": "∙ Formal onboarding training",
        "medium": "∙ Formal onboarding training",
        "large": "∙ Formal onboarding training",
        "enterprise": "∙ Formal onboarding training"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF3"
        ],
        "general-coso-2013": [
          "4"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-07",
          "HRS-13"
        ],
        "general-iso-22301-2019": [
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)",
          "7.3(d)"
        ],
        "general-iso-27001-2022": [
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)"
        ],
        "general-iso-27002-2022": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "7.3"
        ],
        "general-iso-31000-2018": [
          "6.2"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1"
        ],
        "general-nist-800-53-r4": [
          "PS-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PS-03(02)"
        ],
        "general-nist-800-82-r3": [
          "PS-03(02)"
        ],
        "general-nist-800-171-r2": [
          "3.2.1",
          "3.2.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a",
          "03.02.02.a.01",
          "03.06.04.a",
          "03.06.04.a.01",
          "03.15.03.b"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e",
          "WORKFORCE-2a"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ATL2.-3.2.1",
          "ATL2.-3.2.2"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(i)",
          "11.10(j)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(2)"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-4",
          "1-9-4-1"
        ],
        "emea-sau-otcc-1-2022": [
          "1-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-26",
          "TPC-71"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 13.2",
          "Article 15.1"
        ],
        "emea-esp-decree-311-2022": [
          "13.2",
          "15.1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0435"
        ],
        "apac-jpn-ismap": [
          "4.5.2.6",
          "7.2",
          "7.2.1.1",
          "8.1.3.1"
        ],
        "apac-nzl-ism-3-9": [
          "9.1.7.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A",
          "03.02.02.A.01",
          "03.06.04.A",
          "03.06.04.A.01",
          "03.15.03.B"
        ]
      }
    },
    {
      "control_id": "HRS-04.3",
      "title": "Citizenship Requirements",
      "family": "HRS",
      "description": "Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship.",
      "scf_question": "Does the organization verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PS-03(04)"
        ],
        "general-nist-800-82-r3": [
          "PS-03(04)"
        ],
        "emea-sau-cscc-1-2019": [
          "1-5-1-2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0409",
          "ISM-0411",
          "ISM-0420",
          "ISM-0446",
          "ISM-0447",
          "ISM-1773"
        ],
        "apac-nzl-ism-3-9": [
          "9.2.10.C.01",
          "9.2.10.C.02",
          "9.2.11.C.01",
          "9.2.11.C.02",
          "9.2.15.C.01",
          "9.2.15.C.02",
          "9.2.16.C.01"
        ]
      }
    },
    {
      "control_id": "HRS-04.4",
      "title": "Citizenship Identification",
      "family": "HRS",
      "description": "Mechanisms exist to identify foreign nationals, including by their specific citizenship.",
      "scf_question": "Does the organization identify foreign nationals, including by their specific citizenship?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify foreign nationals, including by their specific citizenship.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "apac-aus-ism-2024-june": [
          "ISM-0420"
        ],
        "apac-nzl-ism-3-9": [
          "9.2.15.C.01",
          "9.2.15.C.02",
          "9.2.16.C.01",
          "16.1.39.C.01",
          "16.1.39.C.02"
        ]
      }
    },
    {
      "control_id": "HRS-05",
      "title": "Terms of Employment",
      "family": "HRS",
      "description": "Mechanisms exist to require all employees and contractors to apply cybersecurity and data protection principles in their daily work to enable secure, compliant and resilient capabilities.",
      "scf_question": "Does the organization require all employees and contractors to apply cybersecurity and data protection principles in their daily work to enable secure, compliant and resilient capabilities?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-16",
        "E-HRS-22"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulate acceptable and unacceptable employee activities.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require all employees and contractors to apply cybersecurity and data protection principles in their daily work to enable secure, compliant and resilient capabilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "medium": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "large": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "enterprise": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1"
        ],
        "general-coso-2013": [
          "1"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-02",
          "HRS-07",
          "HRS-08",
          "HRS-13"
        ],
        "general-govramp": [
          "PL-04"
        ],
        "general-govramp-low": [
          "PL-04"
        ],
        "general-govramp-low-plus": [
          "PL-04"
        ],
        "general-govramp-mod": [
          "PL-04"
        ],
        "general-govramp-high": [
          "PL-04"
        ],
        "general-iso-27001-2022": [
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)"
        ],
        "general-iso-27002-2022": [
          "5.4",
          "5.14",
          "6.2"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.1.2",
          "7.2.1",
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4",
          "5.14",
          "6.2"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.0",
          "OR-3.1"
        ],
        "general-nist-800-53-r4": [
          "PL-4"
        ],
        "general-nist-800-53-r5-2": [
          "PL-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-04"
        ],
        "general-nist-800-66-r2": [
          "164.310(b)"
        ],
        "general-nist-800-82-r3": [
          "PL-04"
        ],
        "general-nist-800-82-r3-low": [
          "PL-04"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-04"
        ],
        "general-nist-800-82-r3-high": [
          "PL-04"
        ],
        "general-nist-800-161-r1": [
          "PL-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PL-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "PL-4"
        ],
        "general-nist-800-171-r2": [
          "3.1.22",
          "NFO - PL-4"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.h",
          "03.01.22.a",
          "03.15.03.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.03.b"
        ],
        "general-nist-csf-2-0": [
          "ID.AM"
        ],
        "general-pci-dss-4-0-1": [
          "12.1.3",
          "12.2",
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.1.3",
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.1.3",
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.1.3",
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.1.3"
        ],
        "general-tisax-6-0-3": [
          "2.1.2",
          "9.7.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(j)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-04"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(c)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(b)"
        ],
        "usa-federal-irs-1075-2021": [
          "PL-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-4"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PL-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-04"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(2)(B)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.2.2",
          "10.3.2"
        ],
        "emea-deu-c5-2020": [
          "HR-02",
          "HR-03",
          "AM-05"
        ],
        "emea-isr-cmo-1-0": [
          "5.1",
          "19.3",
          "19.4"
        ],
        "emea-sau-cscc-1-2019": [
          "2-5"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-3-1",
          "1-9-3-2",
          "1-9-4-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-26"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 11.2",
          "Article 11.3"
        ],
        "emea-esp-decree-311-2022": [
          "11.2",
          "11.3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.2.2 [MP.PER.2]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2604"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0258",
          "ISM-0824",
          "ISM-1146"
        ],
        "apac-jpn-ismap": [
          "7.1.2",
          "7.1.2.1",
          "7.1.2.2",
          "7.1.2.3",
          "7.1.2.4",
          "7.1.2.5",
          "7.1.2.6",
          "7.1.2.8",
          "7.1.2.9",
          "7.2.1",
          "7.2.1.5",
          "9.2.4.2"
        ],
        "apac-nzl-ism-3-9": [
          "3.5.4.C.01",
          "3.5.4.C.02",
          "3.5.4.C.03",
          "5.5.7.C.01",
          "8.1.12.C.01",
          "9.3.7.C.01",
          "9.3.7.C.02",
          "9.3.7.C.03",
          "9.3.7.C.04",
          "9.3.8.C.01",
          "9.3.8.C.02",
          "9.3.8.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.H",
          "03.01.22.A",
          "03.15.03.A"
        ]
      }
    },
    {
      "control_id": "HRS-05.1",
      "title": "Rules of Behavior",
      "family": "HRS",
      "description": "Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.",
      "scf_question": "Does the organization define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-22"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulate acceptable and unacceptable employee activities.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulate acceptable and unacceptable employee activities.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "medium": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "large": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "enterprise": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1",
          "CC1.1-POF2"
        ],
        "general-cis-csc-8-1": [
          "9.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.4"
        ],
        "general-coso-2013": [
          "1"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-02",
          "HRS-03",
          "HRS-08"
        ],
        "general-govramp": [
          "PL-04"
        ],
        "general-govramp-low": [
          "PL-04"
        ],
        "general-govramp-low-plus": [
          "PL-04"
        ],
        "general-govramp-mod": [
          "PL-04"
        ],
        "general-govramp-high": [
          "PL-04"
        ],
        "general-iso-27001-2022": [
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)"
        ],
        "general-iso-27002-2022": [
          "5.4",
          "5.1",
          "5.14",
          "6.2"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.1.2",
          "7.2.1",
          "8.1.3",
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4",
          "5.10",
          "5.14",
          "6.2"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.1"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.0",
          "GOVERN 4.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-010"
        ],
        "general-nist-800-53-r4": [
          "PL-4"
        ],
        "general-nist-800-53-r5-2": [
          "PL-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-04"
        ],
        "general-nist-800-66-r2": [
          "164.310(b)"
        ],
        "general-nist-800-82-r3": [
          "PL-04"
        ],
        "general-nist-800-82-r3-low": [
          "PL-04"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-04"
        ],
        "general-nist-800-82-r3-high": [
          "PL-04"
        ],
        "general-nist-800-161-r1": [
          "PL-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PL-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "PL-4"
        ],
        "general-nist-800-171-r2": [
          "3.1.22",
          "NFO - PL-4"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.a",
          "03.01.18.a",
          "03.01.22.a",
          "03.15.03.a",
          "03.15.03.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.03.ODP[01]",
          "A.03.15.03.a",
          "A.03.15.03.d[01]",
          "A.03.15.03.d[02]"
        ],
        "general-nist-csf-2-0": [
          "ID.AM"
        ],
        "general-pci-dss-4-0-1": [
          "12.1.3",
          "12.2",
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.1.3",
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.1.3",
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.1.3",
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.1.3"
        ],
        "general-scf-dpmp-2025": [
          "7.7"
        ],
        "general-tisax-6-0-3": [
          "8.2.5",
          "8.2.7"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.4.2"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(j)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-04"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(b)"
        ],
        "usa-federal-irs-1075-2021": [
          "PL-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-4",
          "PL-4.a",
          "PL-4.b",
          "PL-4.c",
          "PL-4.d",
          "PL-4-IS"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7122(c)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PL-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-04"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.2.2(b)"
        ],
        "emea-deu-c5-2020": [
          "HR-03"
        ],
        "emea-isr-cmo-1-0": [
          "5.1",
          "15.6",
          "19.3",
          "19.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-5"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-3-1",
          "1-9-4-2",
          "2-1-3",
          "2-1-4",
          "2-15-3-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-1",
          "TPC-8",
          "TPC-9"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 11.2",
          "Article 11.3"
        ],
        "emea-esp-decree-311-2022": [
          "11.2",
          "11.3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2604"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0820",
          "ISM-0821"
        ],
        "apac-jpn-ppi-2020": [
          "21"
        ],
        "apac-jpn-ismap": [
          "7.2.1.2",
          "8.1.3",
          "8.1.3.2"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP01"
        ],
        "apac-nzl-ism-3-9": [
          "3.5.4.C.01",
          "3.5.4.C.02",
          "3.5.4.C.03",
          "5.5.7.C.01",
          "8.1.12.C.01",
          "9.1.8.C.01",
          "9.3.7.C.01",
          "9.3.7.C.02",
          "9.3.7.C.03",
          "9.3.7.C.04",
          "9.3.8.C.01",
          "9.3.8.C.02",
          "9.3.8.C.03",
          "14.3.5.C.01",
          "15.1.7.C.01",
          "21.1.22.C.01",
          "21.1.22.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.A",
          "03.01.18.A",
          "03.01.22.A",
          "03.15.03.A"
        ]
      }
    },
    {
      "control_id": "HRS-05.2",
      "title": "Social Media & Social Networking Restrictions",
      "family": "HRS",
      "description": "Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.",
      "scf_question": "Does the organization define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-11",
        "E-HRS-22"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulate acceptable and unacceptable employee activities.\n▪ ToE and/or RoB address the use of entity-issued and personally-owned devices.\n▪ ToE and/or RoB address the requirement to comply with applicable software usage requirements and copyright laws.\n▪ ToE and/or RoB address posting content to websites, social media or other publicly-accessible sources.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulate acceptable and unacceptable employee activities.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "medium": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "large": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "enterprise": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "9.0"
        ],
        "general-govramp": [
          "PL-04(01)"
        ],
        "general-govramp-mod": [
          "PL-04(01)"
        ],
        "general-govramp-high": [
          "PL-04(01)"
        ],
        "general-iso-27001-2022": [
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)"
        ],
        "general-iso-27002-2022": [
          "5.4",
          "5.1",
          "6.2"
        ],
        "general-iso-27017-2015": [
          "7.1.2",
          "8.1.3"
        ],
        "general-iso-27018-2025": [
          "5.10",
          "6.2"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.1"
        ],
        "general-nist-800-53-r4": [
          "PL-4(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PL-04(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-04(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-04(01)"
        ],
        "general-nist-800-82-r3": [
          "PL-04(01)"
        ],
        "general-nist-800-82-r3-low": [
          "PL-04(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-04(01)"
        ],
        "general-nist-800-82-r3-high": [
          "PL-04(01)"
        ],
        "general-nist-800-171-r2": [
          "3.1.22",
          "NFO - PL-4(1)"
        ],
        "general-nist-800-171-r3": [
          "03.15.03.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.03.a"
        ],
        "general-scf-dpmp-2025": [
          "7.7"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-4(1)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-04(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-04(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-04(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-04(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "PL-4(CE-1)",
          "PL-4(CE-1).a",
          "PL-4(CE-1).b",
          "PL-4(CE-1).c"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-4(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-04(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-04 (01)"
        ],
        "emea-isr-cmo-1-0": [
          "4.13",
          "19.6",
          "19.7"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-4-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2604"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0229",
          "ISM-0230",
          "ISM-0233",
          "ISM-0235",
          "ISM-0236",
          "ISM-0240",
          "ISM-0241",
          "ISM-0264",
          "ISM-0267",
          "ISM-0588",
          "ISM-0824",
          "ISM-0931",
          "ISM-1075",
          "ISM-1078",
          "ISM-1092",
          "ISM-1196",
          "ISM-1198",
          "ISM-1199",
          "ISM-1200",
          "ISM-1562",
          "ISM-1644"
        ],
        "apac-nzl-ism-3-9": [
          "9.3.7.C.01",
          "9.3.7.C.02",
          "9.3.7.C.03",
          "9.3.7.C.04",
          "9.3.8.C.01",
          "9.3.8.C.02",
          "9.3.8.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.03.A"
        ]
      }
    },
    {
      "control_id": "HRS-05.3",
      "title": "Technology Use Restrictions",
      "family": "HRS",
      "description": "Mechanisms exist to establish usage restrictions and implementation guidance for organizational technologies based on the potential to cause damage to Technology Assets, Applications and/or Services (TAAS), if used maliciously.",
      "scf_question": "Does the organization establish usage restrictions and implementation guidance for communications technologies based on the potential to cause damage to Technology Assets, Applications and/or Services (TAAS), if used maliciously?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-22"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulate acceptable and unacceptable employee activities.\n▪ ToE and/or RoB address the use of entity-issued and personally-owned devices.\n▪ ToE and/or RoB address the requirement to comply with applicable software usage requirements and copyright laws.\n▪ ToE and/or RoB address posting content to websites, social media or other publicly-accessible sources.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulate acceptable and unacceptable employee activities.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish usage restrictions and implementation guidance for organizational technologies based on the potential to cause damage to Technology Assets, Applications and/or Services (TAAS), if used maliciously.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "medium": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "large": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "enterprise": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "HRS-02"
        ],
        "general-govramp": [
          "PL-04"
        ],
        "general-govramp-low": [
          "PL-04"
        ],
        "general-govramp-low-plus": [
          "PL-04"
        ],
        "general-govramp-mod": [
          "PL-04"
        ],
        "general-govramp-high": [
          "PL-04"
        ],
        "general-iso-21434-2021": [
          "RQ-05-14"
        ],
        "general-iso-27001-2022": [
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)"
        ],
        "general-iso-27002-2022": [
          "5.4",
          "5.1",
          "6.2"
        ],
        "general-iso-27017-2015": [
          "7.1.2",
          "8.1.3"
        ],
        "general-iso-27018-2025": [
          "5.10",
          "6.2"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-010"
        ],
        "general-nist-800-53-r4": [
          "SC-19"
        ],
        "general-nist-800-53-r5-2": [
          "PL-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-04"
        ],
        "general-nist-800-66-r2": [
          "164.310(b)"
        ],
        "general-nist-800-82-r3": [
          "PL-04"
        ],
        "general-nist-800-82-r3-low": [
          "PL-04"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-04"
        ],
        "general-nist-800-82-r3-high": [
          "PL-04"
        ],
        "general-nist-800-161-r1": [
          "PL-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PL-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "PL-4"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.h",
          "03.01.12.a",
          "03.01.18.a",
          "03.15.03.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.03.a"
        ],
        "general-pci-dss-4-0-1": [
          "12.2",
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.2.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(j)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-04"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(b)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(b)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.2",
          "3.3.2.a-1",
          "3.3.2.b-1",
          "3.3.2.a-2",
          "3.3.2.b-2",
          "3.3.2.c-2",
          "3.3.2.a-3",
          "3.3.2.b-3",
          "3.3.2.c-3",
          "3.3.2.d-3",
          "3.3.2.e-3",
          "3.3.3",
          "3.3.3.a-1",
          "3.3.3.b-1",
          "3.3.3.a-2",
          "3.3.3.b-2",
          "3.3.3.c-2",
          "3.3.3.d-2",
          "3.3.3.d.1-2",
          "3.3.3.d.2-2",
          "3.3.3.a-3",
          "3.3.3.b-3",
          "PL-4",
          "PL-4(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-4"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-19-SID",
          "PL-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PL-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-04"
        ],
        "emea-isr-cmo-1-0": [
          "5.4",
          "9.5",
          "15.6",
          "19.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-5"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-4-2",
          "2-1-3",
          "2-6-4",
          "2-15-3-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-8",
          "TPC-9"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2604"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2604"
        ],
        "apac-jpn-ismap": [
          "13.2.1.1",
          "13.2.1.2",
          "13.2.1.3",
          "13.2.1.4",
          "13.2.1.8",
          "13.2.1.11"
        ],
        "apac-nzl-ism-3-9": [
          "9.3.4.C.01",
          "9.3.5.C.01",
          "9.3.5.C.02",
          "9.3.9.C.01",
          "9.3.10.C.01",
          "15.1.7.C.01",
          "21.1.22.C.01",
          "21.1.22.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.H",
          "03.01.12.A",
          "03.01.18.A",
          "03.15.03.A"
        ]
      }
    },
    {
      "control_id": "HRS-05.4",
      "title": "Use of Critical Technologies",
      "family": "HRS",
      "description": "Mechanisms exist to govern usage policies for critical technologies.",
      "scf_question": "Does the organization govern usage policies for critical technologies?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-22"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulate acceptable and unacceptable employee activities.\n▪ ToE and/or RoB address the use of entity-issued and personally-owned devices.\n▪ ToE and/or RoB address the requirement to comply with applicable software usage requirements and copyright laws.\n▪ ToE and/or RoB address posting content to websites, social media or other publicly-accessible sources.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulate acceptable and unacceptable employee activities.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern usage policies for critical technologies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "medium": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "large": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "enterprise": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "9.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.4"
        ],
        "general-iso-27001-2022": [
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.1"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.0",
          "GOVERN 4.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-4.2-001"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.BE-P3"
        ],
        "general-nist-800-171-r3": [
          "03.15.03.a"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e"
        ],
        "emea-isr-cmo-1-0": [
          "15.6",
          "19.6"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-4-2",
          "2-1-3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.03.A"
        ]
      }
    },
    {
      "control_id": "HRS-05.5",
      "title": "Use of Mobile Devices",
      "family": "HRS",
      "description": "Mechanisms exist to manage business risks associated with permitting mobile device access to organizational resources.",
      "scf_question": "Does the organization manage business risks associated with permitting mobile device access to organizational resources?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-22"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to manage business risks associated with permitting mobile device access to organizational resources.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "small": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "medium": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "large": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)",
        "enterprise": "∙ Formal onboarding training\n∙ Acceptable Use / Rules of Behavior (RoB)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-iso-27001-2022": [
          "7.3",
          "7.3(a)",
          "7.3(b)",
          "7.3(c)"
        ],
        "general-iso-27002-2022": [
          "6.2"
        ],
        "general-iso-27017-2015": [
          "7.1.2"
        ],
        "general-iso-27018-2025": [
          "6.2"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.1"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.a",
          "03.15.03.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.03.a"
        ],
        "general-shared-assessments-sig-2025": [
          "M.1.12"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e"
        ],
        "emea-deu-c5-2020": [
          "AM-05"
        ],
        "emea-isr-cmo-1-0": [
          "13.2",
          "13.3",
          "13.7",
          "13.10",
          "15.6",
          "19.6"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-4-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2322"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2322"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2322"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2322"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0229",
          "ISM-0230",
          "ISM-0240",
          "ISM-0701",
          "ISM-0705",
          "ISM-0866",
          "ISM-0870",
          "ISM-0871",
          "ISM-0874",
          "ISM-1082",
          "ISM-1083",
          "ISM-1084",
          "ISM-1145",
          "ISM-1196",
          "ISM-1198",
          "ISM-1199",
          "ISM-1200",
          "ISM-1366"
        ],
        "apac-nzl-ism-3-9": [
          "8.1.12.C.01",
          "11.4.9.C.01",
          "11.4.10.C.01",
          "11.4.10.C.02",
          "11.4.11.C.01",
          "11.4.12.C.01",
          "11.4.12.C.02",
          "11.5.13.C.01",
          "11.5.14.C.01",
          "11.5.14.C.02",
          "11.5.15.C.01",
          "11.5.15.C.02",
          "11.5.16.C.01",
          "11.5.16.C.02",
          "11.5.16.C.03",
          "21.1.11.C.01",
          "21.1.11.C.02",
          "21.1.22.C.01",
          "21.1.22.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A",
          "03.15.03.A"
        ]
      }
    },
    {
      "control_id": "HRS-05.6",
      "title": "Security-Minded Dress Code",
      "family": "HRS",
      "description": "Mechanisms exist to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets.",
      "scf_question": "Does the organization prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {}
    },
    {
      "control_id": "HRS-05.7",
      "title": "Policy Familiarization & Acknowledgement",
      "family": "HRS",
      "description": "Mechanisms exist to ensure personnel receive recurring familiarization with the organization's security, compliance and resilience policies and provide acknowledgement.",
      "scf_question": "Does the organization ensure personnel receive recurring familiarization with the organization's security, compliance and resilience policies and provide acknowledgement?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-18",
        "E-SAT-02",
        "E-SAT-04"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure personnel receive recurring familiarization with the organization's security, compliance and resilience policies and provide acknowledgement.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formal onboarding training\n∙ Written policy acknowledgement",
        "small": "∙ Formal onboarding training\n∙ Written policy acknowledgement",
        "medium": "∙ Formal onboarding training\n∙ Written policy acknowledgement",
        "large": "∙ Formal onboarding training\n∙ Written policy acknowledgement",
        "enterprise": "∙ Formal onboarding training\n∙ Written policy acknowledgement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-iso-27001-2022": [
          "7.3",
          "7.3(c)"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1"
        ],
        "general-nist-800-171-r3": [
          "03.15.03.b",
          "03.15.03.c",
          "03.15.03.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.03.c"
        ],
        "general-nist-csf-2-0": [
          "GV.PO",
          "GV.PO-01",
          "GV.PO-02"
        ],
        "general-pci-dss-4-0-1": [
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.6.3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.530(b)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-04-SID"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(f)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-26",
          "TPC-71"
        ],
        "apac-jpn-ismap": [
          "4.5.2.6",
          "4.5.2.8",
          "7.2",
          "7.2.1.3",
          "8.1.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.03.B",
          "03.15.03.C",
          "03.15.03.D"
        ]
      }
    },
    {
      "control_id": "HRS-06",
      "title": "Access Agreements",
      "family": "HRS",
      "description": "Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.",
      "scf_question": "Does the organization require internal and third-party users to sign appropriate access agreements prior to being granted access?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-16"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.\n▪ HR maintains formal Terms of Employment (ToE) and/or Rules of Behavior (RoB) that stipulates acceptable and unacceptable employee activities.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require internal and third-party users to sign appropriate access agreements prior to being granted access.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)",
        "small": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)",
        "medium": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)",
        "large": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)",
        "enterprise": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.5"
        ],
        "general-coso-2013": [
          "5"
        ],
        "general-govramp": [
          "PS-06"
        ],
        "general-govramp-low": [
          "PS-06"
        ],
        "general-govramp-low-plus": [
          "PS-06"
        ],
        "general-govramp-mod": [
          "PS-06"
        ],
        "general-govramp-high": [
          "PS-06"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.14"
        ],
        "general-iso-27017-2015": [
          "8.1.3",
          "13.2.1",
          "13.2.2"
        ],
        "general-iso-27018-2025": [
          "5.10",
          "5.14"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1"
        ],
        "general-nist-800-53-r4": [
          "PS-6",
          "PS-6(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PS-06",
          "PS-06(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PS-06",
          "PS-06(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-06"
        ],
        "general-nist-800-82-r3": [
          "PS-06",
          "PS-06(02)"
        ],
        "general-nist-800-82-r3-low": [
          "PS-06"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-06"
        ],
        "general-nist-800-82-r3-high": [
          "PS-06"
        ],
        "general-nist-800-161-r1": [
          "PS-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PS-6"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PS-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "PS-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "PS-6"
        ],
        "general-nist-800-171-r2": [
          "NFO - PS-6"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.a",
          "03.12.05.a",
          "03.15.03.b",
          "03.15.03.c"
        ],
        "general-tisax-6-0-3": [
          "2.1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-6"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1e"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-06",
          "PS-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-06",
          "PS-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-06",
          "PS-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-06",
          "PS-06(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "PS-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-6",
          "PS-6.a",
          "PS-6.b",
          "PS-6.c",
          "PS-6.c.1",
          "PS-6.c.2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-06"
        ],
        "emea-deu-c5-2020": [
          "HR-02"
        ],
        "emea-isr-cmo-1-0": [
          "19.6"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-9",
          "TPC-71"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S5"
        ],
        "apac-jpn-ppi-2020": [
          "21"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A",
          "03.12.05.A",
          "03.15.03.B",
          "03.15.03.C"
        ]
      }
    },
    {
      "control_id": "HRS-06.1",
      "title": "Confidentiality Agreements",
      "family": "HRS",
      "description": "Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, or both employees and third-parties.",
      "scf_question": "Does the organization require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, or both employees and third-parties?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-20"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR requires personnel with access to sensitive/regulated data to sign a Non-Disclosure Agreement (NDA).",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, or both employees and third-parties.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)",
        "small": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)",
        "medium": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)",
        "large": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)",
        "enterprise": "∙ Access agreement\n∙ Non-Disclosure Agreements (NDAs)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.5"
        ],
        "general-coso-2013": [
          "5"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-10"
        ],
        "general-govramp": [
          "PS-06"
        ],
        "general-govramp-low": [
          "PS-06"
        ],
        "general-govramp-low-plus": [
          "PS-06"
        ],
        "general-govramp-mod": [
          "PS-06"
        ],
        "general-govramp-high": [
          "PS-06"
        ],
        "general-iso-27002-2022": [
          "5.14",
          "6.6"
        ],
        "general-iso-27017-2015": [
          "13.2.1",
          "13.2.2",
          "13.2.4"
        ],
        "general-iso-27018-2025": [
          "5.14",
          "6.6"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1"
        ],
        "general-nist-800-53-r4": [
          "PS-6",
          "PS-6(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PS-06",
          "PS-06(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PS-06",
          "PS-06(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-06"
        ],
        "general-nist-800-82-r3": [
          "PS-06",
          "PS-06(02)"
        ],
        "general-nist-800-82-r3-low": [
          "PS-06"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-06"
        ],
        "general-nist-800-82-r3-high": [
          "PS-06"
        ],
        "general-nist-800-161-r1": [
          "PS-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PS-6"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PS-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "PS-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "PS-6"
        ],
        "general-nist-800-171-r3": [
          "03.12.05.a",
          "03.15.03.c"
        ],
        "general-tisax-6-0-3": [
          "2.1.2",
          "6.1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-6"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-06",
          "PS-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-06",
          "PS-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-06",
          "PS-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-06",
          "PS-06(02)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.502(a)"
        ],
        "usa-federal-irs-1075-2021": [
          "PS-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-6"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1305(3)(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-06"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.3.2"
        ],
        "emea-deu-c5-2020": [
          "HR-06",
          "IDM-08",
          "PSS-07"
        ],
        "emea-isr-cmo-1-0": [
          "19.4"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-3-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-9",
          "TPC-71"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S5"
        ],
        "apac-jpn-ppi-2020": [
          "21"
        ],
        "apac-jpn-ismap": [
          "13.2.4",
          "13.2.4.1",
          "13.2.4.2",
          "13.2.4.3",
          "13.2.4.4",
          "13.2.4.5",
          "13.2.4.6",
          "13.2.4.7",
          "13.2.4.8",
          "13.2.4.9",
          "13.2.4.10",
          "13.2.4.11",
          "13.2.4.12",
          "13.2.4.13",
          "13.2.4.14",
          "13.2.4.15",
          "13.2.4.16"
        ],
        "apac-nzl-ism-3-9": [
          "9.1.8.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.05.A",
          "03.15.03.C"
        ]
      }
    },
    {
      "control_id": "HRS-06.2",
      "title": "Post-Employment Requirements Awareness",
      "family": "HRS",
      "description": "Mechanisms exist to notify individuals of their applicable, legally-binding post-employment requirements for the protection of sensitive/regulated data.",
      "scf_question": "Does the organization notify individuals of their applicable, legally-binding post-employment requirements for the protection of sensitive/regulated data?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-19"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to notify individuals of their applicable, legally-binding post-employment requirements for the protection of sensitive/regulated data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Non-Disclosure Agreements (NDAs)",
        "small": "∙ Non-Disclosure Agreements (NDAs)",
        "medium": "∙ Non-Disclosure Agreements (NDAs)",
        "large": "∙ Non-Disclosure Agreements (NDAs)",
        "enterprise": "∙ Non-Disclosure Agreements (NDAs)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "PS-6(3)"
        ],
        "general-nist-800-53-r5-2": [
          "PS-06(03)"
        ],
        "general-nist-800-82-r3": [
          "PS-06(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "PS-6(CE-3)",
          "PS-6(CE-3).a",
          "PS-6(CE-3).b"
        ],
        "apac-jpn-ismap": [
          "7.1.2.10"
        ]
      }
    },
    {
      "control_id": "HRS-07",
      "title": "Personnel Sanctions",
      "family": "HRS",
      "description": "Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures.",
      "scf_question": "Does the organization sanction personnel failing to comply with established security policies, standards and procedures?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-27",
        "E-HRS-29"
      ],
      "pptdf": "People",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ Requests for investigations are handled through a formal, management-approved process.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to sanction personnel failing to comply with established security policies, standards and procedures.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF4",
          "CC1.5",
          "CC1.5-POF5",
          "CC1.5-POF6",
          "CC7.4-POF14"
        ],
        "general-coso-2013": [
          "5"
        ],
        "general-govramp": [
          "PS-08"
        ],
        "general-govramp-low": [
          "PS-08"
        ],
        "general-govramp-low-plus": [
          "PS-08"
        ],
        "general-govramp-mod": [
          "PS-08"
        ],
        "general-govramp-high": [
          "PS-08"
        ],
        "general-iso-27002-2022": [
          "6.4"
        ],
        "general-iso-27018-2025": [
          "6.4"
        ],
        "general-iso-42001-2023": [
          "7.3"
        ],
        "general-nist-800-53-r4": [
          "PS-8"
        ],
        "general-nist-800-53-r5-2": [
          "PS-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-08"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)"
        ],
        "general-nist-800-82-r3": [
          "PS-08"
        ],
        "general-nist-800-82-r3-low": [
          "PS-08"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-08"
        ],
        "general-nist-800-82-r3-high": [
          "PS-08"
        ],
        "general-nist-800-171-r2": [
          "NFO - PS-8"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.f.04",
          "03.01.01.f.05"
        ],
        "general-nist-800-171a": [
          "3.9.2[a]",
          "3.9.2[b]",
          "3.9.2[c]"
        ],
        "general-nist-800-172": [
          "3.9.2e"
        ],
        "general-nist-csf-2-0": [
          "GV.PO",
          "GV.PO-01",
          "GV.PO-02"
        ],
        "general-scf-dpmp-2025": [
          "7.8"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "HRM:SG3.SP4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-8"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1g"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "PS.L3-3.9.2E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-08"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(1)(ii)(C)",
          "164.530(e)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(1)(ii)(C)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.4.2",
          "PS-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-8",
          "PS-8.a",
          "PS-8.b"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(d)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-08"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-08"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-08"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(4)"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.4.1"
        ],
        "emea-deu-c5-2020": [
          "HR-04"
        ],
        "emea-isr-cmo-1-0": [
          "19.8"
        ],
        "apac-jpn-ismap": [
          "7.2.3",
          "7.2.3.1",
          "7.2.3.2",
          "7.2.3.3",
          "7.2.3.4"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP03",
          "HHSP72",
          "HHSP73",
          "HML03",
          "HML72",
          "HML73"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP03",
          "HSUP63",
          "HSUP64"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.F.04",
          "03.01.01.F.05"
        ]
      }
    },
    {
      "control_id": "HRS-07.1",
      "title": "Workplace Investigations",
      "family": "HRS",
      "description": "Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated.",
      "scf_question": "Does the organization conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ Requests for investigations are handled through a formal, management-approved process.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1",
          "CC1.5",
          "CC2.2-POF3",
          "CC2.3-POF4"
        ],
        "general-coso-2013": [
          "1",
          "5"
        ],
        "general-iso-27002-2022": [
          "6.4"
        ],
        "general-iso-27018-2025": [
          "6.4"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.f.04",
          "03.01.01.f.05"
        ],
        "general-nist-800-172": [
          "3.9.2e"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1g"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "PS.L3-3.9.2E"
        ],
        "usa-federal-law-facta-fcra-2023": [
          "606(b)"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.4.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP03",
          "HHSP73",
          "HML03",
          "HML73"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP03",
          "HSUP64"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.F.04",
          "03.01.01.F.05"
        ]
      }
    },
    {
      "control_id": "HRS-07.2",
      "title": "Updating Disciplinary Processes",
      "family": "HRS",
      "description": "Mechanisms exist to periodically review and, where appropriate, update disciplinary practices due to:\n(1) Legal changes;\n(2) Significant changes to operations; and\n(3) Applicable threats and risks.",
      "scf_question": "Does the organization periodically review and, where appropriate, update disciplinary practices due to:\n(1) Legal changes;\n(2) Significant changes to operations; and\n(3) Applicable threats and risks?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically review and, where appropriate, update disciplinary practices due to:\n(1) Legal changes;\n(2) Significant changes to operations; and\n(3) Applicable threats and risks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "emea-eu-nis2-annex-2024": [
          "10.4.2"
        ]
      }
    },
    {
      "control_id": "HRS-07.3",
      "title": "Preventative Access Restriction",
      "family": "HRS",
      "description": "Mechanisms exist to proactively restrict logical and physical access when an individual with access to sensitive/regulated data is under investigation for personnel sanctions that may lead to employment termination.",
      "scf_question": "Does the organization proactively restrict logical and physical access when an individual with access to sensitive/regulated data is under investigation for personnel sanctions that may lead to employment termination?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to proactively restrict logical and physical access when an individual with access to sensitive/regulated data is under investigation for personnel sanctions that may lead to employment termination.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-nist-800-172": [
          "3.9.2e"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "PS.L3-3.9.2E"
        ]
      }
    },
    {
      "control_id": "HRS-08",
      "title": "Personnel Transfer",
      "family": "HRS",
      "description": "Mechanisms exist to adjust logical and physical access authorizations to Technology Assets, Applications and/or Services (TAAS) and facilities upon personnel reassignment or transfer, in a timely manner.",
      "scf_question": "Does the organization adjust logical and physical access authorizations to Technology Assets, Applications and/or Services (TAAS) and facilities upon personnel reassignment or transfer, in a timely manner?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-29"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to adjust logical and physical access authorizations to Technology Assets, Applications and/or Services (TAAS) and facilities upon personnel reassignment or transfer, in a timely manner.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.5",
          "CC6.2-POF3"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-07"
        ],
        "general-govramp": [
          "PS-05"
        ],
        "general-govramp-low": [
          "PS-05"
        ],
        "general-govramp-low-plus": [
          "PS-05"
        ],
        "general-govramp-mod": [
          "PS-05"
        ],
        "general-govramp-high": [
          "PS-05"
        ],
        "general-iso-27002-2022": [
          "6.5"
        ],
        "general-iso-27017-2015": [
          "7.3.1"
        ],
        "general-iso-27018-2025": [
          "6.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.2"
        ],
        "general-nist-800-53-r4": [
          "PS-5"
        ],
        "general-nist-800-53-r5-2": [
          "PS-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-05"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)"
        ],
        "general-nist-800-82-r3": [
          "PS-05"
        ],
        "general-nist-800-82-r3-low": [
          "PS-05"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-05"
        ],
        "general-nist-800-82-r3-high": [
          "PS-05"
        ],
        "general-nist-800-171-r2": [
          "3.9.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.g.02",
          "03.09.02.a",
          "03.09.02.b.01"
        ],
        "general-nist-800-171a": [
          "3.9.2[a]",
          "3.9.2[b]",
          "3.9.2[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.09.02.ODP[01]",
          "A.03.09.02.b.01[01]",
          "A.03.09.02.b.01[02]",
          "A.03.09.02.b.02"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.D"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PS.L2-3.9.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-05"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(C)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(C)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.4.1",
          "PS-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-5",
          "PS-5.a",
          "PS-5.b",
          "PS-5.b.1",
          "PS-5.b.2",
          "PS-5.b.3",
          "PS-5.b.4",
          "PS-5.c",
          "PS-5.d"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(6)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-05"
        ],
        "emea-deu-c5-2020": [
          "HR-05",
          "IDM-04"
        ],
        "emea-isr-cmo-1-0": [
          "19.9"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-18"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0430"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.G.02",
          "03.09.02.A",
          "03.09.02.B.01"
        ]
      }
    },
    {
      "control_id": "HRS-09",
      "title": "Personnel Termination",
      "family": "HRS",
      "description": "Mechanisms exist to govern the termination of individual employment.",
      "scf_question": "Does the organization govern the termination of individual employment?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-19",
        "E-HRS-29"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR, in conjunction with an individual's manager/supervisor, collects assets and returns those assets to IT and/or cybersecurity personnel, upon termination of employment.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern the termination of individual employment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.5",
          "CC6.2-POF3"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-06"
        ],
        "general-govramp": [
          "PS-04"
        ],
        "general-govramp-low": [
          "PS-04"
        ],
        "general-govramp-low-plus": [
          "PS-04"
        ],
        "general-govramp-mod": [
          "PS-04"
        ],
        "general-govramp-high": [
          "PS-04"
        ],
        "general-iso-27002-2022": [
          "6.5"
        ],
        "general-iso-27017-2015": [
          "7.3.1"
        ],
        "general-iso-27018-2025": [
          "6.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.2"
        ],
        "general-nist-800-53-r4": [
          "PS-4"
        ],
        "general-nist-800-53-r5-2": [
          "PS-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-04"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)"
        ],
        "general-nist-800-82-r3": [
          "PS-04"
        ],
        "general-nist-800-82-r3-low": [
          "PS-04"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-04"
        ],
        "general-nist-800-82-r3-high": [
          "PS-04"
        ],
        "general-nist-800-171-r2": [
          "3.9.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.f.03",
          "03.01.01.g.02",
          "03.09.02.a",
          "03.09.02.a.03",
          "03.09.02.b.01"
        ],
        "general-nist-800-171a": [
          "3.9.2[a]",
          "3.9.2[b]",
          "3.9.2[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.09.02.ODP[01]",
          "A.03.09.02.a.01",
          "A.03.09.02.a.02[01]",
          "A.03.09.02.a.02[02]",
          "A.03.09.02.a.03"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.D"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1d",
          "WORKFORCE-1g"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PSL2.-3.9.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-04"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(C)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(C)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.4.3",
          "PS-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-4",
          "PS-4.a",
          "PS-4.b",
          "PS-4.c",
          "PS-4.d",
          "PS-4.e",
          "PS-4.f",
          "PS-4.g",
          "PS-4-IS.1",
          "PS-4-IS.2"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(e)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(6)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-04"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.3.1",
          "12.5"
        ],
        "emea-deu-c5-2020": [
          "HR-05"
        ],
        "emea-isr-cmo-1-0": [
          "19.9",
          "19.10"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-6",
          "TPC-18"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0430"
        ],
        "apac-jpn-ismap": [
          "7.3",
          "7.3.1",
          "7.3.1.1",
          "7.3.1.2",
          "7.3.1.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.F.03",
          "03.01.01.G.02",
          "03.09.02.A",
          "03.09.02.A.03",
          "03.09.02.B.01"
        ]
      }
    },
    {
      "control_id": "HRS-09.1",
      "title": "Asset Collection",
      "family": "HRS",
      "description": "Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment.",
      "scf_question": "Does the organization retrieve organization-owned assets upon termination of an individual's employment?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-19"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to retrieve organization-owned assets upon termination of an individual's employment.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.5",
          "CC6.4-POF3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.2"
        ],
        "general-nist-800-171-r3": [
          "03.09.02.a.03"
        ],
        "general-nist-800-171a-r3": [
          "A.03.09.02.a.03"
        ],
        "emea-eu-nis2-annex-2024": [
          "12.5"
        ],
        "emea-isr-cmo-1-0": [
          "19.10"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-18"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.09.02.A.03"
        ]
      }
    },
    {
      "control_id": "HRS-09.2",
      "title": "High-Risk Terminations",
      "family": "HRS",
      "description": "Mechanisms exist to expedite the process of removing \"high risk\" individual’s access to Technology Assets, Applications, Services and/or Data (TAASD) upon termination, as determined by management.",
      "scf_question": "Does the organization expedite the process of removing \"high risk\" individual’s access to Technology Assets, Applications, Services and/or Data (TAASD) upon termination, as determined by management?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-19"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to expedite the process of removing \"high risk\" individual’s access to TAASD upon termination, as determined by management.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.5"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-07"
        ],
        "general-govramp": [
          "AC-02(13)"
        ],
        "general-govramp-high": [
          "AC-02(13)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(13)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-02(13)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-02(13)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(13)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02(13)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02(13)"
        ],
        "general-nist-800-171-r3": [
          "03.09.02.a.01",
          "03.09.02.a.02",
          "03.09.02.b.01"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2(13)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-02(13)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(13)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(13)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-02(13)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2(CE-13)"
        ],
        "emea-isr-cmo-1-0": [
          "19.10"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-6",
          "TPC-18"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.09.02.A.01",
          "03.09.02.A.02",
          "03.09.02.B.01"
        ]
      }
    },
    {
      "control_id": "HRS-09.3",
      "title": "Post-Employment Requirements Notification",
      "family": "HRS",
      "description": "Mechanisms exist to govern former employee behavior by formally notifying terminated individuals of their applicable, legally binding post-employment requirements for the protection of sensitive/regulated data.",
      "scf_question": "Does the organization govern former employee behavior by formally notifying terminated individuals of their applicable, legally binding post-employment requirements for the protection of sensitive/regulated data?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-19"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern former employee behavior by formally notifying terminated individuals of their applicable, legally binding post-employment requirements for the protection of sensitive/regulated data.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Non-Disclosure Agreements (NDAs)",
        "small": "∙ Non-Disclosure Agreements (NDAs)",
        "medium": "∙ Non-Disclosure Agreements (NDAs)",
        "large": "∙ Non-Disclosure Agreements (NDAs)",
        "enterprise": "∙ Non-Disclosure Agreements (NDAs)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.5"
        ],
        "general-iso-27002-2022": [
          "6.5"
        ],
        "general-iso-27018-2025": [
          "6.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.2"
        ],
        "general-nist-800-53-r4": [
          "PS-4(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PS-04(01)"
        ],
        "general-nist-800-82-r3": [
          "PS-04(01)"
        ],
        "emea-isr-cmo-1-0": [
          "19.10"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-18"
        ]
      }
    },
    {
      "control_id": "HRS-09.4",
      "title": "Automated Employment Status Notifications",
      "family": "HRS",
      "description": "Automated mechanisms exist to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual's employment or contract.",
      "scf_question": "Does the organization use automated mechanisms to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual's employment or contract?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically notify Identity and Access Management (IAM) personnel or roles upon termination of an individual's employment or contract.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-govramp": [
          "PS-04(02)"
        ],
        "general-govramp-high": [
          "PS-04(02)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.2"
        ],
        "general-nist-800-53-r4": [
          "PS-4(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PS-04(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "PS-04(02)"
        ],
        "general-nist-800-82-r3": [
          "PS-04(02)"
        ],
        "general-nist-800-82-r3-high": [
          "PS-04(02)"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.g.02",
          "03.09.02.a.01",
          "03.09.02.a.02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-04(02)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.G.02",
          "03.09.02.A.01",
          "03.09.02.A.02"
        ]
      }
    },
    {
      "control_id": "HRS-10",
      "title": "Third-Party Personnel",
      "family": "HRS",
      "description": "Mechanisms exist to govern third-party personnel by reviewing and monitoring third-party security, compliance and/or resilience roles and responsibilities.",
      "scf_question": "Does the organization govern third-party personnel by reviewing and monitoring third-party security, compliance and/or resilience roles and responsibilities?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-16",
        "E-HRS-18",
        "E-HRS-22"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern third-party personnel by reviewing and monitoring third-party security, compliance and/or resilience roles and responsibilities.",
        "4": "Human Resources Security (HRS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Contract Statement of Work (SOW) review.\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "small": "∙ Contract Statement of Work (SOW) review.\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "medium": "∙ Contract Statement of Work (SOW) review.\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "large": "∙ Contract Statement of Work (SOW) review.\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "enterprise": "∙ Contract Statement of Work (SOW) review.\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.3"
        ],
        "general-cobit-2019": [
          "APO07.06"
        ],
        "general-govramp": [
          "PS-07"
        ],
        "general-govramp-low": [
          "PS-07"
        ],
        "general-govramp-low-plus": [
          "PS-07"
        ],
        "general-govramp-mod": [
          "PS-07"
        ],
        "general-govramp-high": [
          "PS-07"
        ],
        "general-nist-800-53-r4": [
          "PS-7"
        ],
        "general-nist-800-53-r5-2": [
          "PS-07"
        ],
        "general-nist-800-53-r5-2-low": [
          "PS-07"
        ],
        "general-nist-800-82-r3": [
          "PS-07"
        ],
        "general-nist-800-82-r3-low": [
          "PS-07"
        ],
        "general-nist-800-82-r3-mod": [
          "PS-07"
        ],
        "general-nist-800-82-r3-high": [
          "PS-07"
        ],
        "general-nist-800-161-r1": [
          "PS-7"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PS-7"
        ],
        "general-nist-800-161-r1-level-2": [
          "PS-7"
        ],
        "general-nist-800-171-r2": [
          "NFO - PS-7"
        ],
        "general-nist-800-171-r3": [
          "03.16.03.b"
        ],
        "general-swift-cscf-2025": [
          "5.3A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PS-7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PS-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PS-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PS-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PS-07"
        ],
        "usa-federal-irs-1075-2021": [
          "PS-7"
        ],
        "usa-federal-cms-marse-2-0": [
          "PS-7",
          "PS-7.a",
          "PS-7.b",
          "PS-7.c",
          "PS-7.d",
          "PS-7.e",
          "PS-7-IS.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PS-07"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PS-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PS-07"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.2.1"
        ],
        "emea-isr-cmo-1-0": [
          "19.5"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-1"
        ],
        "apac-jpn-ismap": [
          "7.1.1.10"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.03.B"
        ]
      }
    },
    {
      "control_id": "HRS-11",
      "title": "Separation of Duties (SoD)",
      "family": "HRS",
      "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
      "scf_question": "Does the organization implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-25"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department, in conjunction with IT and/or cybersecurity personnel, implements and maintains Separation of Duties (SoD) to prevent potential malevolent activity without collusion.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented / assigned Separation of Duties (SoD)",
        "small": "∙ Documented / assigned Separation of Duties (SoD)",
        "medium": "∙ Documented / assigned Separation of Duties (SoD)",
        "large": "∙ Documented / assigned Separation of Duties (SoD)",
        "enterprise": "∙ Documented / assigned Separation of Duties (SoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.1",
          "CC5.1-POF6"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-04"
        ],
        "general-govramp": [
          "AC-05"
        ],
        "general-govramp-low-plus": [
          "AC-05"
        ],
        "general-govramp-mod": [
          "AC-05"
        ],
        "general-govramp-high": [
          "AC-05"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 2.2"
        ],
        "general-iso-27002-2022": [
          "5.3",
          "5.18"
        ],
        "general-iso-27017-2015": [
          "6.1.2"
        ],
        "general-iso-27018-2025": [
          "5.3",
          "5.18"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.004",
          "T1021.006",
          "T1021.007",
          "T1047",
          "T1053",
          "T1053.002",
          "T1053.003",
          "T1053.005",
          "T1053.006",
          "T1053.007",
          "T1055",
          "T1055.008",
          "T1056.003",
          "T1059",
          "T1059.001",
          "T1059.008",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.003",
          "T1070.007",
          "T1070.008",
          "T1070.009",
          "T1072",
          "T1078",
          "T1078.001",
          "T1078.002",
          "T1078.003",
          "T1078.004",
          "T1087.004",
          "T1098",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.004",
          "T1098.005",
          "T1098.007",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1134",
          "T1134.001",
          "T1134.002",
          "T1134.003",
          "T1134.005",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1185",
          "T1190",
          "T1197",
          "T1210",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.003",
          "T1213.004",
          "T1218",
          "T1218.007",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1484",
          "T1489",
          "T1495",
          "T1505",
          "T1505.002",
          "T1505.003",
          "T1505.005",
          "T1525",
          "T1528",
          "T1530",
          "T1537",
          "T1538",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.005",
          "T1543",
          "T1543.001",
          "T1543.002",
          "T1543.003",
          "T1543.004",
          "T1543.005",
          "T1546.003",
          "T1547.004",
          "T1547.006",
          "T1547.009",
          "T1547.012",
          "T1547.013",
          "T1548",
          "T1548.002",
          "T1548.003",
          "T1548.006",
          "T1550",
          "T1550.002",
          "T1550.003",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.006",
          "T1552.007",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004",
          "T1556.005",
          "T1556.009",
          "T1558",
          "T1558.001",
          "T1558.002",
          "T1558.003",
          "T1559",
          "T1559.001",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.004",
          "T1562.006",
          "T1562.007",
          "T1562.008",
          "T1562.009",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1569",
          "T1569.001",
          "T1569.002",
          "T1574",
          "T1574.004",
          "T1574.005",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.010",
          "T1574.012",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1580",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1606",
          "T1609",
          "T1611",
          "T1619",
          "T1657"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.4",
          "OP-3.2",
          "TS-1.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-1.3-003"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P4"
        ],
        "general-nist-800-53-r4": [
          "AC-5"
        ],
        "general-nist-800-53-r5-2": [
          "AC-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-05"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-05"
        ],
        "general-nist-800-82-r3": [
          "AC-05"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-05"
        ],
        "general-nist-800-82-r3-high": [
          "AC-05"
        ],
        "general-nist-800-161-r1": [
          "AC-5"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-5"
        ],
        "general-nist-800-171-r2": [
          "3.1.4"
        ],
        "general-nist-800-171-r3": [
          "03.01.04.a"
        ],
        "general-nist-800-171a": [
          "3.1.4[a]",
          "3.1.4[b]",
          "3.1.4[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.04.a"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-05"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.4"
        ],
        "general-swift-cscf-2025": [
          "5.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-2e",
          "ACCESS-3f"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-05"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-5",
          "AC-5.a",
          "AC-5.b",
          "AC-5.c",
          "AC-5-IS.1",
          "AC-5-IS.2",
          "AC-5-IS.3",
          "AC-5-IS.4",
          "AC-5-IS.5"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-05"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.2.5",
          "11.2.2(a)"
        ],
        "emea-deu-c5-2020": [
          "OIS-04",
          "IDM-01"
        ],
        "emea-isr-cmo-1-0": [
          "4.11",
          "10.4"
        ],
        "emea-sau-cgiot-2024": [
          "2-2-1"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 13.3"
        ],
        "emea-esp-decree-311-2022": [
          "13.3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.3 [OP.ACC.3]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2207"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2207"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2207"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2207"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S3"
        ],
        "apac-jpn-ismap": [
          "4.5.2.2",
          "6.1.2",
          "6.1.2.1",
          "6.1.2.2",
          "6.1.2.3",
          "6.1.2.4"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.1.1"
        ],
        "americas-can-osfi-b13-2022": [
          "2.5.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.04.A"
        ]
      }
    },
    {
      "control_id": "HRS-12",
      "title": "Incompatible Roles",
      "family": "HRS",
      "description": "Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment.",
      "scf_question": "Does the organization avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-25"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department, in conjunction with IT and/or cybersecurity personnel, evaluates risk for individuals requiring elevated privileges or access to sensitive/regulated data.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS06.03"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-02"
        ],
        "general-iso-27002-2022": [
          "5.3"
        ],
        "general-iso-27017-2015": [
          "6.1.2"
        ],
        "general-iso-27018-2025": [
          "5.3"
        ],
        "general-nist-800-171-r3": [
          "03.01.04.a"
        ],
        "emea-deu-c5-2020": [
          "PSS-08"
        ],
        "apac-chn-data-security-law-2021": [
          "27"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.04.A"
        ]
      }
    },
    {
      "control_id": "HRS-12.1",
      "title": "Two-Person Rule",
      "family": "HRS",
      "description": "Mechanisms exist to enforce a two-person rule for implementing changes to sensitive Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization enforce a two-person rule for implementing changes to sensitive Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce a two-person rule for implementing changes to sensitive Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-03(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-03(02)"
        ],
        "general-nist-800-82-r3": [
          "AC-03(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-03(02)"
        ],
        "general-sparta": [
          "CM0054"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-03(02)"
        ]
      }
    },
    {
      "control_id": "HRS-13",
      "title": "Identify Critical Skills & Gaps",
      "family": "HRS",
      "description": "Mechanisms exist to evaluate the critical security, compliance and resilience skills needed to support the organization's mission and identify gaps that exist.",
      "scf_question": "Does the organization evaluate the critical security, compliance and resilience skills needed to support the organization's mission and identify gaps that exist?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-23",
        "E-HRS-24"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, identifies vital cybersecurity and data privacy staff and identifies gaps that exist.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, establishes redundancy for vital cybersecurity and data privacy staff.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission and identifies gaps that exist.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate the critical security, compliance and resilience skills needed to support the organization's mission and identify gaps that exist.",
        "4": "Human Resources Security (HRS) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ Identification of critical skills per team/department\n∙ Formal assessment to identify skills gaps",
        "large": "∙ Identification of critical skills per team/department\n∙ Formal assessment to identify skills gaps",
        "enterprise": "∙ Identification of critical skills per team/department\n∙ Formal assessment to identify skills gaps"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF2",
          "CC1.4-POF3",
          "CC1.4-POF4"
        ],
        "general-cobit-2019": [
          "APO01.08",
          "APO07.03"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "HRM:SG1.SP3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-4b",
          "WORKFORCE-4c"
        ]
      }
    },
    {
      "control_id": "HRS-13.1",
      "title": "Remediate Identified Skills Deficiencies",
      "family": "HRS",
      "description": "Mechanisms exist to remediate critical skills deficiencies necessary to support the organization's mission and business functions.",
      "scf_question": "Does the organization remediate critical skills deficiencies necessary to support its mission and business functions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-24"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, identifies vital cybersecurity and data privacy staff and identifies gaps that exist.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, establishes redundancy for vital cybersecurity and data privacy staff.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, performs succession planning for vital cybersecurity and data privacy roles.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission and identify gaps that exist.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to remediate critical skills deficiencies necessary to support the organization's mission and business functions.",
        "4": "Human Resources Security (HRS) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ Cross-training program on critical skills deficiencies\n∙ Hiring prioritization on critical skills deficiencies",
        "large": "∙ Cross-training program on critical skills deficiencies\n∙ Hiring prioritization on critical skills deficiencies",
        "enterprise": "∙ Cross-training program on critical skills deficiencies\n∙ Hiring prioritization on critical skills deficiencies"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-cobit-2019": [
          "APO01.08",
          "APO07.03"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "HRM:SG2"
        ]
      }
    },
    {
      "control_id": "HRS-13.2",
      "title": "Identify Vital Security, Compliance & Resilience Staff",
      "family": "HRS",
      "description": "Mechanisms exist to identify vital security, compliance and resilience staff.",
      "scf_question": "Does the organization identify vital security, compliance and resilience staff?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-26"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, identifies vital cybersecurity and data privacy staff and the gaps that exist.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, establishes redundancy for vital cybersecurity and data privacy staff.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, performs succession planning for vital cybersecurity and data privacy roles.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission and identifies gaps that exist.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify vital security, compliance and resilience staff.",
        "4": "Human Resources Security (HRS) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ Identification of vital security, compliance and resilience staff",
        "large": "∙ Identification of vital security, compliance and resilience staff",
        "enterprise": "∙ Identification of vital security, compliance and resilience staff"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-cobit-2019": [
          "APO07.02"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "PM:SG1",
          "PM:SG1.SP1",
          "PM:SG2",
          "PM:SG2.SP1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.2.5 [MP.PER.5]"
        ]
      }
    },
    {
      "control_id": "HRS-13.3",
      "title": "Establish Redundancy for Vital Security, Compliance & Resilience Staff",
      "family": "HRS",
      "description": "Mechanisms exist to establish redundancy for vital security, compliance and resilience staff.",
      "scf_question": "Does the organization establish redundancy for vital security, compliance and resilience staff?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, identifies vital cybersecurity and data privacy staff and the gaps that exist.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, establishes redundancy for vital cybersecurity and data privacy staff.\n▪ HR, in conjunction with IT and/or cybersecurity personnel, performs succession planning for vital cybersecurity and data privacy roles.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission and identifies gaps that exist.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish redundancy for vital security, compliance and resilience staff.",
        "4": "Human Resources Security (HRS) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ Cross-training program on critical skills deficiencies\n∙ Hiring prioritization on critical skills deficiencies",
        "large": "∙ Cross-training program on critical skills deficiencies\n∙ Hiring prioritization on critical skills deficiencies",
        "enterprise": "∙ Cross-training program on critical skills deficiencies\n∙ Hiring prioritization on critical skills deficiencies"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-cobit-2019": [
          "APO07.03"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.2.4(c)"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.2.5 [MP.PER.5]"
        ]
      }
    },
    {
      "control_id": "HRS-13.4",
      "title": "Perform Succession Planning",
      "family": "HRS",
      "description": "Mechanisms exist to perform succession planning for vital security, compliance and resilience roles.",
      "scf_question": "Does the organization perform succession planning for vital security, compliance and resilience roles?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.\n▪ The HR department, in conjunction with IT and/or cybersecurity personnel, evaluates the business-critical cybersecurity and data protection skills needed to support the organization's mission and identifies gaps that exist.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform succession planning for vital security, compliance and resilience roles.",
        "4": "Human Resources Security (HRS) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ Vital staff succession plans",
        "large": "∙ Vital staff succession plans",
        "enterprise": "∙ Vital staff succession plans"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF4"
        ],
        "general-cobit-2019": [
          "APO07.03"
        ],
        "general-shared-assessments-sig-2025": [
          "K.1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.2.5 [MP.PER.5]"
        ]
      }
    },
    {
      "control_id": "HRS-14",
      "title": "Identifying Authorized Work Locations",
      "family": "HRS",
      "description": "Mechanisms exist to identify and document authorized working locations, including:\n(1) Designated on-premises, organization-controlled work locations; and\n(2) Other off-premises locations not under organization-control (e.g., work from home).",
      "scf_question": "Does the organization identify and document authorized working locations, including:\n(1) Designated on-premises, organization-controlled work locations; and\n(2) Other off-premises locations not under organization-control (e.g., work from home)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document authorized working locations, including:\n(1) Designated on-premises, organization-controlled work locations; and\n(2) Other off-premises locations not under organization-control (e.g., work from home).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ Vital staff succession plans",
        "large": "∙ Vital staff succession plans",
        "enterprise": "∙ Vital staff succession plans"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "emea-gbr-def-stan-05-138-2024": [
          "2311"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2311"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2311"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2311"
        ]
      }
    },
    {
      "control_id": "HRS-14.1",
      "title": "Communicating Authorized Work Locations",
      "family": "HRS",
      "description": "Mechanisms exist to communicate authorized work locations to organizational personnel.",
      "scf_question": "Does the organization communicate authorized work locations to organizational personnel?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to communicate authorized work locations to organizational personnel.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ Vital staff succession plans",
        "large": "∙ Vital staff succession plans",
        "enterprise": "∙ Vital staff succession plans"
      },
      "risks": [
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "emea-gbr-def-stan-05-138-2024": [
          "2311"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2311"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2311"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2311"
        ]
      }
    },
    {
      "control_id": "HRS-15",
      "title": "Reporting Suspicious Activities",
      "family": "HRS",
      "description": "Mechanisms exist to enable personnel to report suspicious activities and/or behavior without fear of reprisal or other negative consequences (e.g., whistleblower protections).",
      "scf_question": "Does the organization enable personnel to report suspicious activities and/or behavior without fear of reprisal or other negative consequences (e.g., whistleblower protections)?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Human Resources Security (HRS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with HRS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Personnel management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ The Human Resources (HR) department provides guidance on secure HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "2": "Human Resources Security (HRS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Personnel management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Personnel management is decentralized at a localized/regionalized function, where there are non-standardized methods to govern personnel matters across the organization.\n▪ Localized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization.",
        "3": "Human Resources Security (HRS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with HRS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with HRS domain capabilities are well-documented and kept current by process owners.\n▪ A Human Resources (HR) team, or similar function, is appropriately staffed and supported to implement and maintain HRS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of human resources security operations (e.g., personnel management software solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with HRS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enable personnel to report suspicious activities and/or behavior without fear of reprisal or other negative consequences (e.g., whistleblower protections).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Employee security policy acknowledgment\n∙ Background check for sensitive roles",
        "small": "∙ Security awareness policy\n∙ Background checks\n∙ Security onboarding checklist",
        "medium": "∙ HR security program\n∙ Background checks for all staff\n∙ Security onboarding training",
        "large": "∙ Enterprise HR security program\n∙ Background screening service\n∙ Automated offboarding workflows",
        "enterprise": "∙ Enterprise HR security framework\n∙ Background screening platform\n∙ Integrated HR/IAM offboarding\n∙ Continuous monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Human Resources Security",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "GV-2.1-005"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.3.1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2703"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2703"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2703"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2703"
        ],
        "apac-jpn-ismap": [
          "7.2.1.7"
        ]
      }
    },
    {
      "control_id": "IAC-01",
      "title": "Identity & Access Management (IAM)",
      "family": "IAC",
      "description": "Mechanisms exist to facilitate the implementation of identification and access management controls.",
      "scf_question": "Does the organization facilitate the implementation of identification and access management controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-01",
        "E-IAM-05",
        "E-IAM-12",
        "E-MON-11"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.\n▪ Active Directory (AD), or similar technologies, are used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. \nDue to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM restricts the assignment of privileged accounts to entity-defined personnel and/or roles (privilege assignment requires management approval).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of identification and access management controls.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Strong password policy\n∙ MFA for key accounts",
        "small": "∙ Password manager\n∙ MFA on all accounts\n∙ Identity policy",
        "medium": "∙ Identity & Access Management (IAM) program",
        "large": "∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1",
          "S7.1-POF2",
          "S7.1-POF3",
          "S7.1-POF6",
          "S7.1-POF7",
          "S7.1-POF8"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF3",
          "CC6.1-POF7",
          "CC6.1-POF8",
          "CC6.1-POF9",
          "CC6.6",
          "CC6.6-POF2",
          "CC6.6-POF3"
        ],
        "general-cis-csc-8-1": [
          "4.7",
          "5.0",
          "5.6",
          "6.0",
          "6.6"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.7",
          "5.6",
          "6.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.7",
          "5.6",
          "6.6"
        ],
        "general-cobit-2019": [
          "DSS06.03"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-01",
          "IAM-02"
        ],
        "general-csa-iot-2": [
          "IAM-17"
        ],
        "general-govramp": [
          "AC-01",
          "IA-01"
        ],
        "general-govramp-low": [
          "AC-01",
          "IA-01"
        ],
        "general-govramp-low-plus": [
          "AC-01",
          "IA-01"
        ],
        "general-govramp-mod": [
          "AC-01",
          "IA-01"
        ],
        "general-govramp-high": [
          "AC-01",
          "IA-01"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.2"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.3"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "5.18"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "9.1.2"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "5.16(a)",
          "5.18"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.6",
          "TS-1.8"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(a)"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P",
          "PR.AC-P1"
        ],
        "general-nist-800-53-r4": [
          "AC-1",
          "IA-1"
        ],
        "general-nist-800-53-r5-2": [
          "AC-01",
          "IA-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-01",
          "IA-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-01",
          "IA-01"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)",
          "164.308(a)(4)",
          "164.310(a)",
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "AC-01",
          "IA-01"
        ],
        "general-nist-800-82-r3-low": [
          "AC-01",
          "IA-01"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-01",
          "IA-01"
        ],
        "general-nist-800-82-r3-high": [
          "AC-01",
          "IA-01"
        ],
        "general-nist-800-161-r1": [
          "AC-1",
          "IA-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-1",
          "IA-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-1",
          "IA-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-1",
          "IA-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-1",
          "IA-1"
        ],
        "general-nist-800-171-r2": [
          "3.1.1",
          "NFO - AC-1",
          "NFO - IA-1"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.a",
          "03.01.18.b",
          "03.05.01.a",
          "03.05.05.a",
          "03.05.12.e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 6"
        ],
        "general-nist-csf-2-0": [
          "PR.AA",
          "PR.AA-05"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.1",
          "7.2",
          "7.2.1",
          "7.3",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "8.1",
          "8.2",
          "8.3.3",
          "8.3.8",
          "8.5.1",
          "8.6.1",
          "A3.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.3",
          "8.3.8",
          "8.5.1",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.3.3",
          "8.3.8",
          "8.5.1",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.1",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "8.3.3",
          "8.3.8",
          "8.5.1",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.1",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "8.3.3",
          "8.3.8",
          "8.5.1",
          "8.6.1"
        ],
        "general-scf-dpmp-2025": [
          "7.0"
        ],
        "general-swift-cscf-2025": [
          "4.1",
          "5.2"
        ],
        "general-tisax-6-0-3": [
          "4.1.1"
        ],
        "general-ul-2900-2-2-2016": [
          "8.5",
          "8.7"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "AM:SG1",
          "AM:GG1.GP1",
          "AM:GG2",
          "AM:GG2.GP2",
          "ID:SG1",
          "ID:SG1.SP1",
          "ID:SG1.SP2",
          "ID:SG1.SP3",
          "ID:SG2",
          "ID:SG2.SP1",
          "ID:SG2.SP2",
          "ID:SG2.SP3",
          "ID:SG2.SP4",
          "ID:GG1.GP1",
          "ID:GG2",
          "ID:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.ACONT",
          "3.PEP.ID.EIAMA",
          "3.PEP.NE.ACONT",
          "3.PEP.SE.ACONT",
          "3.PEP.WE.ACONT"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.E",
          "2.L"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-1",
          "IA-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-2a",
          "ACCESS-2c",
          "ACCESS-2f",
          "ARCHITECTURE-3a"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.I"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.1"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.1.1",
          "1.2.4",
          "1.2.5",
          "1.5.2",
          "1.5.3",
          "1.5.4",
          "1.9"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(i)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(d)",
          "11.10(g)",
          "11.100(a)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-01",
          "IA-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-01",
          "IA-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-01",
          "IA-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-01",
          "IA-01"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(1)",
          "314.4(c)(1)(i)",
          "314.4(c)(1)(ii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(i)",
          "164.308(a)(4)(i)",
          "164.308(a)(4)(ii)(B)",
          "164.310(a)(2)(iii)",
          "164.312(a)(1)",
          "164.530(c)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(i)",
          "164.308(a)(4)(i)",
          "164.308(a)(4)(ii)(B)",
          "164.310(a)(2)(iii)",
          "164.312(a)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-1",
          "AC-2(CE-7)",
          "AC-2(CE-7).a",
          "AC-2(CE-7).b",
          "AC-2(CE-7).c",
          "AC-2(CE-7).d",
          "IA-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-1",
          "IA-1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.2",
          "CIP-003-8 1.2.3",
          "CIP-004-7 R4",
          "CIP-004-7 4.1.1",
          "CIP-004-7 R6",
          "CIP-007-6 5.1"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(1)",
          "7123(c)(3)",
          "7123(c)(3)(C)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(1)",
          "17.04(2)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(d)",
          "500.7(a)(1)",
          "500.7(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-01",
          "IA-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-01",
          "IA-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-01",
          "IA-01"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(1)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.1.1",
          "11.1.2(a)",
          "11.1.2(b)",
          "11.1.2(c)",
          "11.1.3",
          "11.3.1",
          "11.5.1",
          "11.5.2(c)",
          "11.6.4"
        ],
        "emea-us-psd2-2015": [
          "4"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "6.1",
          "6.2"
        ],
        "emea-deu-c5-2020": [
          "IDM-01",
          "PSS-05",
          "PSS-09"
        ],
        "emea-isr-cmo-1-0": [
          "4.1",
          "4.8",
          "4.34",
          "4.37",
          "12.15",
          "12.28",
          "12.29"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2",
          "2-2-1-5"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-1",
          "2-2-2",
          "2-2-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2",
          "2-2-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-10"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.5"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "20"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 18"
        ],
        "emea-esp-decree-311-2022": [
          "18"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.2 [OP.ACC.2]",
          "7.2.4 [OP.ACC.4]"
        ],
        "emea-gbr-caf-4-0": [
          "B2",
          "B2.d"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2200",
          "2208",
          "2210"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2200",
          "2210"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2200",
          "2208",
          "2210"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2200",
          "2208",
          "2210"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1146",
          "ISM-1546"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 40"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S1",
          "PR.AA.S6",
          "PR.AA.S15"
        ],
        "apac-jpn-ismap": [
          "5.1.1.9",
          "9",
          "9.1",
          "9.1.1",
          "9.1.1.1",
          "9.1.1.2",
          "9.1.1.3",
          "9.1.1.4",
          "9.1.1.5",
          "9.1.1.6",
          "9.1.1.7",
          "9.1.1.8",
          "9.1.1.9",
          "9.1.1.10",
          "9.1.1.11",
          "9.1.1.12",
          "9.1.1.13",
          "9.1.1.14",
          "9.1.1.15",
          "9.4.1.8.PB"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.31.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.1"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.1.2",
          "9.1.3",
          "9.1.8"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.22",
          "4.24"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.A",
          "03.01.18.B",
          "03.05.01.A",
          "03.05.05.A",
          "03.05.12.E"
        ]
      }
    },
    {
      "control_id": "IAC-01.1",
      "title": "Retain Access Records",
      "family": "IAC",
      "description": "Mechanisms exist to retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted and when the access was last reviewed.",
      "scf_question": "Does the organization retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted and when the access was last reviewed?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted and when the access was last reviewed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Retain access logs per backup/log retention policy",
        "small": "∙ Access log retention policy\n∙ Store logs for minimum retention period",
        "medium": "∙ Formal access records retention policy\n∙ Centralized log storage",
        "large": "∙ Enterprise log management system\n∙ Defined retention periods per compliance requirement",
        "enterprise": "∙ Enterprise SIEM/log management platform (e.g., Splunk, IBM QRadar)\n∙ Immutable log storage\n∙ Compliance-driven retention schedules"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "TS-1.8"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.6(b)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1503"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0407"
        ]
      }
    },
    {
      "control_id": "IAC-01.2",
      "title": "Authenticate, Authorize and Audit (AAA)",
      "family": "IAC",
      "description": "Mechanisms exist to strictly govern the use of Authenticate, Authorize and Audit (AAA) solutions, both on-premises and those hosted by an External Service Provider (ESP).",
      "scf_question": "Does the organization strictly govern the use of Authenticate, Authorize and Audit (AAA) solutions, both on-premises and those hosted by an External Service Provider (ESP)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-06"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM restricts the assignment of privileged accounts to entity-defined personnel and/or roles (privilege assignment requires management approval).\n▪ LAC and RBAC enforcements limit the ability of non-administrators from making unauthorized configuration changes to TAAS.\n▪ IAM proactively governs account management of individual, group, system, application, guest and temporary accounts.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to strictly govern the use of Authenticate, Authorize and Audit (AAA) solutions, both on-premises and those hosted by an External Service Provider (ESP).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF3",
          "CC6.1-POF4",
          "CC6.6",
          "CC6.6-POF2",
          "CC6.6-POF3"
        ],
        "general-cis-csc-8-1": [
          "5.6",
          "6.6",
          "12.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.6",
          "6.6",
          "12.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.6",
          "6.6",
          "12.5"
        ],
        "general-csa-iot-2": [
          "CLS-09"
        ],
        "general-govramp": [
          "IA-04",
          "IA-04(04)"
        ],
        "general-govramp-core": [
          "IA-04",
          "IA-04(04)"
        ],
        "general-govramp-low": [
          "IA-04"
        ],
        "general-govramp-low-plus": [
          "IA-04"
        ],
        "general-govramp-mod": [
          "IA-04",
          "IA-04(04)"
        ],
        "general-govramp-high": [
          "IA-04",
          "IA-04(04)"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.4",
          "USER 1.6",
          "USER 1.7"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.1 RE 1",
          "SR 1.5(h)",
          "SR 1.5(i)",
          "SR 1.5(j)",
          "SR 1.5(k)"
        ],
        "general-iso-27018-2025": [
          "5.16(a)"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.6",
          "TS-1.7",
          "TS-1.8"
        ],
        "general-nist-800-53-r5-2": [
          "IA-04",
          "IA-04(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-04",
          "IA-04(04)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-04"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-04(04)"
        ],
        "general-nist-800-82-r3": [
          "IA-04",
          "IA-04(04)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-04"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-04",
          "IA-04(04)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-04",
          "IA-04(04)"
        ],
        "general-nist-800-161-r1": [
          "IA-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IA-4"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IA-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "IA-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-4"
        ],
        "general-nist-800-171-r3": [
          "03.05.01.a",
          "03.05.02",
          "03.05.05.d",
          "03.05.07.a",
          "03.05.07.b",
          "03.05.07.c",
          "03.05.07.d",
          "03.05.07.e",
          "03.05.12.d",
          "03.05.12.f",
          "03.07.05.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.01.d.01",
          "A.03.01.01.d.02",
          "A.03.01.16.b",
          "A.03.05.01.a[01]",
          "A.03.05.01.a[02]"
        ],
        "general-nist-800-172": [
          "3.5.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2",
          "NIST Tenet 3",
          "NIST Tenet 4",
          "NIST Tenet 6"
        ],
        "general-nist-csf-2-0": [
          "PR.AA",
          "PR.AA-03",
          "PR.AA-04",
          "PR.AA-05"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-sparta": [
          "CM0031"
        ],
        "general-ul-2900-2-2-2016": [
          "8.6"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.EINVE",
          "3.UNI.SAUTH"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-4",
          "IA-4(4)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1b"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.1.1",
          "1.2.1",
          "1.9",
          "1.9.1",
          "2.1.3",
          "2.1.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-04",
          "IA-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-04",
          "IA-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-04",
          "IA-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-04",
          "IA-04(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-4",
          "IA-4(CE-4)",
          "IA-4(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2-IS.3",
          "IA-4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 5.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(1)(B)",
          "7123(c)(3)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-04",
          "IA-04 (04)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(1)(A)",
          "2447(c)(1)(B)",
          "2447(c)(2)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.3.2(a)",
          "11.4.2(c)",
          "11.6.1",
          "11.6.3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2200",
          "2209",
          "2210",
          "2304"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2200",
          "2210",
          "2304"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2200",
          "2210",
          "2304"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2200",
          "2209",
          "2210",
          "2304"
        ],
        "apac-jpn-ismap": [
          "9.4.2",
          "9.4.2.1",
          "9.4.2.2.B",
          "9.4.2.3",
          "9.4.2.4",
          "9.4.2.5",
          "9.4.2.6",
          "9.4.2.7",
          "9.4.2.8",
          "9.4.2.9",
          "9.4.2.10",
          "9.4.2.11",
          "9.4.2.12",
          "9.4.2.13",
          "9.4.2.14",
          "9.4.2.15",
          "9.4.2.16"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP39",
          "HML39"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP34"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.01.A",
          "03.05.02",
          "03.05.05.D",
          "03.05.07.A",
          "03.05.07.B",
          "03.05.07.C",
          "03.05.07.D",
          "03.05.07.E",
          "03.05.12.D",
          "03.05.12.F",
          "03.07.05.A"
        ]
      }
    },
    {
      "control_id": "IAC-01.3",
      "title": "User & Service Account Inventories",
      "family": "IAC",
      "description": "Mechanisms exist to maintain a current list of authorized users and service accounts.",
      "scf_question": "Does the organization maintain a current list of authorized users and service accounts?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-04",
        "E-IAM-10",
        "E-IAM-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.\n▪ Active Directory (AD), or similar technologies, are used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a current list of authorized users and service accounts.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-03"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 5.2"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.2.2(e)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2217"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2217"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2217"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2217"
        ]
      }
    },
    {
      "control_id": "IAC-02",
      "title": "Identification & Authentication for Organizational Users",
      "family": "IAC",
      "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
      "scf_question": "Does the organization uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-05",
        "E-IAM-06",
        "E-IAM-13"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.\n▪ Active Directory (AD), or similar technologies, are used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF3",
          "CC6.1-POF4",
          "CC6.1-POF8"
        ],
        "general-cis-csc-8-1": [
          "5.5",
          "5.6",
          "6.7",
          "12.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.5",
          "5.6",
          "6.7",
          "12.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.5",
          "5.6",
          "6.7",
          "12.5"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-13"
        ],
        "general-govramp": [
          "IA-02"
        ],
        "general-govramp-core": [
          "IA-02"
        ],
        "general-govramp-low": [
          "IA-02"
        ],
        "general-govramp-low-plus": [
          "IA-02"
        ],
        "general-govramp-mod": [
          "IA-02"
        ],
        "general-govramp-high": [
          "IA-02"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.1"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.1",
          "SR 1.1 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.1"
        ],
        "general-iso-27002-2022": [
          "5.15"
        ],
        "general-iso-27017-2015": [
          "9.1.1"
        ],
        "general-iso-27018-2025": [
          "5.15"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1021.007",
          "T1021.008",
          "T1036.007",
          "T1036.010",
          "T1040",
          "T1047",
          "T1053",
          "T1053.002",
          "T1053.003",
          "T1053.005",
          "T1053.006",
          "T1053.007",
          "T1055",
          "T1055.008",
          "T1056.003",
          "T1059",
          "T1059.001",
          "T1059.008",
          "T1059.009",
          "T1072",
          "T1078",
          "T1078.002",
          "T1078.003",
          "T1078.004",
          "T1087.004",
          "T1098",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.004",
          "T1098.007",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1111",
          "T1114",
          "T1114.002",
          "T1133",
          "T1134",
          "T1134.001",
          "T1134.002",
          "T1134.003",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1185",
          "T1190",
          "T1197",
          "T1210",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.003",
          "T1213.004",
          "T1213.005",
          "T1218",
          "T1218.007",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1484",
          "T1489",
          "T1495",
          "T1505",
          "T1505.002",
          "T1505.004",
          "T1525",
          "T1528",
          "T1530",
          "T1537",
          "T1538",
          "T1539",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.005",
          "T1543",
          "T1543.001",
          "T1543.002",
          "T1543.003",
          "T1543.004",
          "T1543.005",
          "T1546.003",
          "T1547.004",
          "T1547.006",
          "T1547.009",
          "T1547.012",
          "T1547.013",
          "T1548",
          "T1548.002",
          "T1548.003",
          "T1550",
          "T1550.001",
          "T1550.002",
          "T1550.003",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.004",
          "T1552.006",
          "T1552.007",
          "T1555.005",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004",
          "T1556.006",
          "T1556.007",
          "T1556.009",
          "T1558",
          "T1558.001",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1558.005",
          "T1559",
          "T1559.001",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.004",
          "T1562.006",
          "T1562.007",
          "T1562.008",
          "T1562.009",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1569",
          "T1569.001",
          "T1569.002",
          "T1574",
          "T1574.005",
          "T1574.010",
          "T1574.012",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1580",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1610",
          "T1611",
          "T1613",
          "T1619",
          "T1621",
          "T1648",
          "T1649",
          "T1651"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.6"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P6"
        ],
        "general-nist-800-53-r4": [
          "IA-2"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02"
        ],
        "general-nist-800-66-r2": [
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "IA-02"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02"
        ],
        "general-nist-800-161-r1": [
          "IA-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IA-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IA-2"
        ],
        "general-nist-800-161-r1-level-1": [
          "IA-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "IA-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-2"
        ],
        "general-nist-800-171-r2": [
          "3.1.1",
          "3.5.1",
          "3.5.2"
        ],
        "general-nist-800-171-r3": [
          "03.05.01.a",
          "03.05.05.d"
        ],
        "general-nist-800-171a": [
          "3.5.1[a]",
          "3.5.1[b]",
          "3.5.1[c]",
          "3.5.2[a]",
          "3.5.2[b]",
          "3.5.2[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.01.a[03]",
          "A.03.05.05.d"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-01",
          "PR.AA-03",
          "PR.AA-05"
        ],
        "general-pci-dss-4-0-1": [
          "7.1",
          "7.2",
          "7.2.1",
          "7.3",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "8.1",
          "8.2",
          "8.3",
          "8.3.3",
          "8.3.9"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.3.9"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.3",
          "8.3.9"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.3.3",
          "8.3.9"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.1",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "8.3.3",
          "8.3.9"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.1",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "8.3.3",
          "8.3.9"
        ],
        "general-sparta": [
          "CM0031"
        ],
        "general-tisax-6-0-3": [
          "4.1.2",
          "4.1.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.I",
          "IA.L1-B.1.V",
          "IA.L1-B.1.VI"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "IA.L1-B.1.V[a]",
          "IA.L1-B.1.V[c]",
          "IA.L1-B.1.VI[a]",
          "IA.L1-B.1.VI[b]",
          "IA.L1-B.1.VI[c]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.1",
          "IAL2.-3.5.1",
          "IAL2.-3.5.2"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(i)",
          "52.204-21(b)(1)(v)",
          "52.204-21(b)(1)(vi)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(d)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(a)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(a)(2)(i)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-2",
          "IA-2-IS.1",
          "IA-2-IS.2",
          "IA-2-IS.3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(A)(i)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-02"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.5.2(a)"
        ],
        "emea-deu-c5-2020": [
          "IDM-01",
          "PSS-05",
          "PSS-09"
        ],
        "emea-isr-cmo-1-0": [
          "4.2",
          "4.31",
          "4.34"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-32"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 24.3"
        ],
        "emea-esp-decree-311-2022": [
          "24.3"
        ],
        "emea-gbr-caf-4-0": [
          "B2.a"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2218"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2218"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2218"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2218"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0414",
          "ISM-0415",
          "ISM-1546"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.32.C.01"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 13",
          "P13-(1)",
          "P13-(2)",
          "P13-(2)(a)",
          "P13-(2)(b)",
          "P13-(3)",
          "P13-(4)(a)",
          "P13-(4)(b)",
          "P13-(5)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.01.A"
        ]
      }
    },
    {
      "control_id": "IAC-02.1",
      "title": "Group Authentication",
      "family": "IAC",
      "description": "Mechanisms exist to require individuals to be authenticated with an individual authenticator when a group authenticator is utilized.",
      "scf_question": "Does the organization require individuals to be authenticated with an individual authenticator when a group authenticator is utilized?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM proactively governs account management of individual, group, system, application, guest and temporary accounts.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require individuals to be authenticated with an individual authenticator when a group authenticator is utilized.",
        "4": "Identification & Authentication (IAC) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-02(05)"
        ],
        "general-govramp-mod": [
          "IA-02(05)"
        ],
        "general-govramp-high": [
          "IA-02(05)"
        ],
        "general-nist-800-53-r4": [
          "IA-2(5)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(05)"
        ],
        "general-nist-800-53-r5-2-high": [
          "IA-02(05)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(05)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(05)"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.2"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(05)"
        ],
        "emea-isr-cmo-1-0": [
          "4.34"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0415",
          "ISM-1619"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.33.C.01",
          "16.1.33.C.02",
          "16.1.34.C.01"
        ]
      }
    },
    {
      "control_id": "IAC-02.2",
      "title": "Replay-Resistant Authentication",
      "family": "IAC",
      "description": "Automated mechanisms exist to employ replay-resistant authentication.",
      "scf_question": "Does the organization use automated mechanisms to employ replay-resistant authentication?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-AST-01",
        "E-IAM-05",
        "E-IAM-06"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically employ replay-resistant authentication.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-02(08)"
        ],
        "general-govramp-mod": [
          "IA-02(08)"
        ],
        "general-govramp-high": [
          "IA-02(08)"
        ],
        "general-nist-800-53-r4": [
          "IA-2(8)",
          "IA-2(9)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(08)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02(08)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(08)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02(08)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02(08)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(08)"
        ],
        "general-nist-800-171-r2": [
          "3.5.4"
        ],
        "general-nist-800-171-r3": [
          "03.05.04",
          "03.07.05.b"
        ],
        "general-nist-800-171a": [
          "3.5.4"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.04[01]",
          "A.03.05.04[02]",
          "A.03.07.05.b[02]"
        ],
        "general-nist-800-172": [
          "3.5.1e"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-04"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.5.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2(8)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.4"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "IA.L3-3.5.1E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02(08)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(08)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(08)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02(08)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-2(CE-8)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-2(8)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-02 (08)"
        ],
        "emea-isr-cmo-1-0": [
          "4.31"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2215"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2215"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2215"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2215"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1055",
          "ISM-1603"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.04",
          "03.07.05.B"
        ]
      }
    },
    {
      "control_id": "IAC-02.3",
      "title": "Acceptance of PIV Credentials",
      "family": "IAC",
      "description": "Mechanisms exist to accept and electronically verify organizational Personal Identity Verification (PIV) credentials.",
      "scf_question": "Does the organization accept and electronically verify organizational Personal Identity Verification (PIV) credentials?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to accept and electronically verify organizational Personal Identity Verification (PIV) credentials.",
        "4": "Identification & Authentication (IAC) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-02(12)"
        ],
        "general-govramp-mod": [
          "IA-02(12)"
        ],
        "general-govramp-high": [
          "IA-02(12)"
        ],
        "general-nist-800-53-r4": [
          "IA-2(12)",
          "IA-8(5)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(12)",
          "IA-08(05)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02(12)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(12)",
          "IA-08(05)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02(12)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02(12)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(12)"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2(12)"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.8.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02(12)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(12)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(12)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02(12)"
        ]
      }
    },
    {
      "control_id": "IAC-02.4",
      "title": "Out-of-Band Authentication (OOBA)",
      "family": "IAC",
      "description": "Mechanisms exist to implement Out-of-Band Authentication (OOBA) under specific conditions.",
      "scf_question": "Does the organization implement Out-of-Band Authentication (OOBA) under specific conditions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement Out-of-Band Authentication (OOBA) under specific conditions.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "IA-2(13)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(13)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(13)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IA-02(13)"
        ]
      }
    },
    {
      "control_id": "IAC-03",
      "title": "Identification & Authentication for Non-Organizational Users",
      "family": "IAC",
      "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization.",
      "scf_question": "Does the organization uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-05",
        "E-IAM-06"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF3",
          "CC6.1-POF4"
        ],
        "general-cis-csc-8-1": [
          "12.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.5"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-11",
          "IAM-13"
        ],
        "general-govramp": [
          "IA-08"
        ],
        "general-govramp-core": [
          "IA-08"
        ],
        "general-govramp-mod": [
          "IA-08"
        ],
        "general-govramp-high": [
          "IA-08"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.1"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.1",
          "SR 1.1 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.1",
          "CR 1.1(1)"
        ],
        "general-iso-27002-2022": [
          "5.16"
        ],
        "general-iso-27018-2025": [
          "5.16"
        ],
        "general-mitre-att&ck-16-1": [
          "T1053",
          "T1053.007",
          "T1059",
          "T1059.001",
          "T1059.008",
          "T1087.004",
          "T1190",
          "T1210",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1528",
          "T1530",
          "T1537",
          "T1538",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.005",
          "T1547.006"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P6"
        ],
        "general-nist-800-53-r4": [
          "IA-8"
        ],
        "general-nist-800-53-r5-2": [
          "IA-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-08"
        ],
        "general-nist-800-82-r3": [
          "IA-08"
        ],
        "general-nist-800-82-r3-low": [
          "IA-08"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-08"
        ],
        "general-nist-800-82-r3-high": [
          "IA-08"
        ],
        "general-nist-800-161-r1": [
          "IA-8"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IA-8"
        ],
        "general-nist-800-161-r1-level-2": [
          "IA-8"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-8"
        ],
        "general-nist-800-171-r3": [
          "03.05.01.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3",
          "NIST Tenet 4"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-01",
          "PR.AA-03",
          "PR.AA-05"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-8"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-08"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-8",
          "IA-8(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-8",
          "IA-8-IS"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(A)(ii)",
          "7123(c)(3)(A)(iii)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-08"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-08"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-08"
        ],
        "emea-us-psd2-2015": [
          "4"
        ],
        "emea-deu-c5-2020": [
          "PSS-05",
          "PSS-09"
        ],
        "emea-isr-cmo-1-0": [
          "4.2",
          "4.21"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-3"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 24.3"
        ],
        "emea-esp-decree-311-2022": [
          "24.3"
        ],
        "emea-gbr-caf-4-0": [
          "B2.a"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1583"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 13",
          "P13-(1)",
          "P13-(2)",
          "P13-(2)(a)",
          "P13-(2)(b)",
          "P13-(3)",
          "P13-(4)(a)",
          "P13-(4)(b)",
          "P13-(5)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.01.A"
        ]
      }
    },
    {
      "control_id": "IAC-03.1",
      "title": "Acceptance of PIV Credentials from Other Organizations",
      "family": "IAC",
      "description": "Mechanisms exist to accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties.",
      "scf_question": "Does the organization accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-08(01)"
        ],
        "general-govramp-high": [
          "IA-08(01)"
        ],
        "general-nist-800-53-r4": [
          "IA-8(1)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-08(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-08(01)"
        ],
        "general-nist-800-82-r3": [
          "IA-08(01)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-08(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-08(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-08(01)"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-8(1)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-08(01)"
        ]
      }
    },
    {
      "control_id": "IAC-03.2",
      "title": "Acceptance of Third-Party Credentials",
      "family": "IAC",
      "description": "Automated mechanisms exist to accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials.",
      "scf_question": "Does the organization use automated mechanisms to accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials?",
      "relative_weight": 2,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-08(02)"
        ],
        "general-govramp-high": [
          "IA-08(02)"
        ],
        "general-nist-800-53-r4": [
          "IA-8(2)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-08(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-08(02)"
        ],
        "general-nist-800-82-r3": [
          "IA-08(02)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-08(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-08(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-08(02)"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-8(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-08(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-8(CE-2)",
          "IA-8(CE-2).a",
          "IA-8(CE-2).b"
        ],
        "emea-deu-c5-2020": [
          "PSS-05",
          "PSS-09"
        ]
      }
    },
    {
      "control_id": "IAC-03.3",
      "title": "Use of FICAM-Issued Profiles",
      "family": "IAC",
      "description": "Mechanisms exist to conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles.",
      "scf_question": "Does the organization conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-08(04)"
        ],
        "general-govramp-high": [
          "IA-08(04)"
        ],
        "general-nist-800-53-r4": [
          "IA-8(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-08(04)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-08(04)"
        ],
        "general-nist-800-82-r3": [
          "IA-08(04)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-08(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-08(04)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-08(04)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-8(4)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-08(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-08(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-08(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-08(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-8(CE-4)"
        ]
      }
    },
    {
      "control_id": "IAC-03.4",
      "title": "Disassociability",
      "family": "IAC",
      "description": "Mechanisms exist to disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties.",
      "scf_question": "Does the organization disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "IA-08(06)"
        ],
        "general-nist-800-82-r3": [
          "IA-08(06)"
        ]
      }
    },
    {
      "control_id": "IAC-03.5",
      "title": "Acceptance of External Authenticators",
      "family": "IAC",
      "description": "Mechanisms exist to restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators.",
      "scf_question": "Does the organization restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-05",
        "E-IAM-06"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AM-3",
        "R-GV-1"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "IA-8(3)"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-04"
        ]
      }
    },
    {
      "control_id": "IAC-04",
      "title": "Identification & Authentication for Devices",
      "family": "IAC",
      "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically- based and replay resistant.",
      "scf_question": "Does the organization uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically- based and replay resistant?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-05",
        "E-IAM-06"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically- based and replay resistant.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF3",
          "CC6.1-POF8"
        ],
        "general-cis-csc-8-1": [
          "12.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.5"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-09",
          "IAM-13"
        ],
        "general-csa-iot-2": [
          "IAM-17"
        ],
        "general-govramp": [
          "IA-03"
        ],
        "general-govramp-mod": [
          "IA-03"
        ],
        "general-govramp-high": [
          "IA-03"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.1",
          "USER 1.19"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.2",
          "SR 1.2 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.2",
          "CR 1.2(1)"
        ],
        "general-iso-27002-2022": [
          "5.16"
        ],
        "general-iso-27018-2025": [
          "5.16"
        ],
        "general-mitre-att&ck-16-1": [
          "T1530",
          "T1537",
          "T1552",
          "T1552.005",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1621"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P6"
        ],
        "general-nist-800-53-r4": [
          "IA-3",
          "IA-3(1)",
          "IA-3(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-03",
          "IA-03(01)",
          "IA-03(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-03(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-03"
        ],
        "general-nist-800-82-r3": [
          "IA-03",
          "IA-03(01)",
          "IA-03(04)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-03"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-03"
        ],
        "general-nist-800-82-r3-high": [
          "IA-03"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IA-03(01)"
        ],
        "general-nist-800-161-r1": [
          "IA-3"
        ],
        "general-nist-800-161-r1-level-1": [
          "IA-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "IA-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-3"
        ],
        "general-nist-800-171-r2": [
          "3.5.1",
          "3.5.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.b",
          "03.05.02"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.02.ODP[01]",
          "A.03.05.02[01]",
          "A.03.05.02[02]"
        ],
        "general-nist-800-172": [
          "3.5.1e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2",
          "NIST Tenet 3",
          "NIST Tenet 4"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-01",
          "PR.AA-03",
          "PR.AA-05"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.SIDEN"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-3"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "IA.L1-B.1.V",
          "IA.L1-B.1.VI"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.1",
          "IAL2.-3.5.2"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "IA.L3-3.5.1E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.1.2",
          "2.1.3",
          "2.1.4"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(v)",
          "52.204-21(b)(1)(vi)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-03(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-03",
          "IA-03(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-03",
          "IA-03(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-03(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-3",
          "IA-3(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-3",
          "IA-3-IS.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 1.4"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-03"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.5.2(a)"
        ],
        "emea-us-psd2-2015": [
          "25"
        ],
        "emea-deu-c5-2020": [
          "PSS-05",
          "PSS-09"
        ],
        "emea-isr-cmo-1-0": [
          "4.33"
        ],
        "emea-gbr-caf-4-0": [
          "B2.b"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1603"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.B",
          "03.05.02"
        ]
      }
    },
    {
      "control_id": "IAC-04.1",
      "title": "Device Attestation",
      "family": "IAC",
      "description": "Mechanisms exist to ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process.",
      "scf_question": "Does the organization ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "IA-3(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-03(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-03(04)"
        ],
        "general-nist-800-82-r3": [
          "IA-03(04)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-03(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-03(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-03(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-03(04)"
        ]
      }
    },
    {
      "control_id": "IAC-04.2",
      "title": "Device Authorization Enforcement",
      "family": "IAC",
      "description": "Mechanisms exist to enforce cryptographic communications keys to prevent one key from being used to access multiple devices.",
      "scf_question": "Does the organization enforce cryptographic communications keys to prevent one key from being used to access multiple devices?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce cryptographic communications keys to prevent one key from being used to access multiple devices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Policy requiring device authorization before network access",
        "small": "∙ Device authorization policy\n∙ Require known devices for network access",
        "medium": "∙ Device authorization enforcement\n∙ Certificate-based device auth or MDM enrollment",
        "large": "∙ NAC solution for device authorization (e.g., Cisco ISE, Aruba ClearPass)",
        "enterprise": "∙ Enterprise NAC platform (e.g., Cisco ISE, Aruba ClearPass, Forescout)\n∙ Certificate-based device authentication\n∙ Zero-trust device posture checking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iec-tr-60601-4-5-2021": [
          "5.2 - CR 1.2 RE(1)"
        ]
      }
    },
    {
      "control_id": "IAC-05",
      "title": "Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS)",
      "family": "IAC",
      "description": "Mechanisms exist to identify and authenticate third-party Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization identify and authenticate third-party Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-05",
        "E-IAM-06"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and authenticate third-party Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF8"
        ],
        "general-cis-csc-8-1": [
          "5.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.5"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-13"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.1",
          "USER 1.6"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.2",
          "SR 1.2 RE 1"
        ],
        "general-iso-27002-2022": [
          "5.16"
        ],
        "general-iso-27018-2025": [
          "5.16"
        ],
        "general-mitre-att&ck-16-1": [
          "T1036",
          "T1036.001",
          "T1036.005",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1213.003",
          "T1525",
          "T1546",
          "T1546.006",
          "T1546.013",
          "T1553",
          "T1553.004",
          "T1554",
          "T1562.006",
          "T1562.009",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1598",
          "T1598.002",
          "T1598.003"
        ],
        "general-nist-800-53-r4": [
          "IA-9"
        ],
        "general-nist-800-53-r5-2": [
          "IA-09"
        ],
        "general-nist-800-82-r3": [
          "IA-09"
        ],
        "general-nist-800-161-r1": [
          "IA-9"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IA-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "IA-9"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-9"
        ],
        "general-nist-800-171-r3": [
          "03.05.01.a",
          "03.05.02"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3",
          "NIST Tenet 4"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-01",
          "PR.AA-03",
          "PR.AA-05"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.SIDEN"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-9"
        ],
        "emea-us-psd2-2015": [
          "4"
        ],
        "emea-deu-c5-2020": [
          "PSS-05",
          "PSS-09"
        ],
        "emea-isr-cmo-1-0": [
          "4.2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-3"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP49",
          "HML49"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP41"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.1.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.01.A",
          "03.05.02"
        ]
      }
    },
    {
      "control_id": "IAC-05.1",
      "title": "Sharing Identification & Authentication Information",
      "family": "IAC",
      "description": "Mechanisms exist to ensure external service providers provide current and accurate information for any third-party user with access to the organization's data or assets.",
      "scf_question": "Does the organization ensure external service providers provide current and accurate information for any third-party user with access to its data or assets?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure external service providers provide current and accurate information for any third-party user with access to the organization's data or assets.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting sharing of passwords or credentials",
        "small": "∙ No credential-sharing policy\n∙ User acknowledgment required",
        "medium": "∙ Formal policy prohibiting sharing of identification/authentication info\n∙ User training",
        "large": "∙ Technical controls preventing credential sharing\n∙ PAM for shared account management",
        "enterprise": "∙ Enterprise IAM/PAM with individual accountability\n∙ Shared account vaulting (CyberArk)\n∙ Technical enforcement of no credential sharing"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "IA-9(1)"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.3",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.3",
          "8.6.1"
        ]
      }
    },
    {
      "control_id": "IAC-05.2",
      "title": "Privileged Access by Non-Organizational Users",
      "family": "IAC",
      "description": "Mechanisms exist to prohibit privileged access by non-organizational users.",
      "scf_question": "Does the organization prohibit privileged access by non-organizational users?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit privileged access by non-organizational users.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Require separate accounts for non-organizational privileged users",
        "small": "∙ Separate privileged accounts for contractors/third parties",
        "medium": "∙ Formal policy for non-organizational privileged user access\n∙ Separate account management",
        "large": "∙ PAM solution for third-party privileged access management\n∙ Session recording",
        "enterprise": "∙ Enterprise PAM for third-party privileged access (e.g., BeyondTrust, CyberArk)\n∙ Just-in-time access\n∙ Session recording and monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-06(06)"
        ],
        "general-nist-800-82-r3": [
          "AC-06(06)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06(06)"
        ],
        "general-nist-800-161-r1": [
          "AC-6(6)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-6(6)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-6(6)"
        ],
        "general-nist-800-171-r3": [
          "03.07.05.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-6(CE-6)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.05.A"
        ]
      }
    },
    {
      "control_id": "IAC-06",
      "title": "Multi-Factor Authentication (MFA)",
      "family": "IAC",
      "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
      "scf_question": "Does the organization use automated mechanisms to enforce Multi-Factor Authentication (MFA) for:\n (1) Remote network access;\n (2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n (3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ TAAS are configured to use Multi-Factor Authentication (MFA) to authenticate network access for privileged and non-privileged accounts.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "4": "Identification & Authentication (IAC) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6-POF3"
        ],
        "general-cis-csc-8-1": [
          "6.3",
          "6.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "6.3",
          "6.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "6.3",
          "6.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "6.3",
          "6.4"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-13"
        ],
        "general-csa-iot-2": [
          "CLS-11"
        ],
        "general-govramp": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-core": [
          "IA-02(01)"
        ],
        "general-govramp-low": [
          "IA-02(01)"
        ],
        "general-govramp-low-plus": [
          "IA-02(01)"
        ],
        "general-govramp-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.9"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.1 RE 2"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.1(2)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.6"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(g)"
        ],
        "general-nist-800-53-r4": [
          "IA-2(11)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-171-r2": [
          "3.5.3",
          "3.7.5"
        ],
        "general-nist-800-171-r3": [
          "03.05.03",
          "03.07.05.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.03[01]",
          "A.03.05.03[02]",
          "A.03.07.05.b[01]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 6"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.3",
          "8.4",
          "8.4.2",
          "8.4.3",
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.4.2",
          "8.4.3",
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.4.2",
          "8.4.3",
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.4.2",
          "8.4.3",
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.3",
          "8.4.2",
          "8.4.3",
          "8.5.1"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-swift-cscf-2025": [
          "4.2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.c"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.MAUTH",
          "3.UNI.SAUTH"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.H"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1h",
          "ACCESS-1i"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.3",
          "MAL2.-3.7.5"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.3",
          "1.3.1",
          "1.3.3"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "1.1"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(C)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(5)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.1.k",
          "IA-2(CE-1)",
          "IA-2(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-2(1)",
          "IA-2(2)",
          "IA-2(11)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 2.3"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(1)(A)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.11(b)(1)",
          "500.12(a)",
          "500.12(a)(1)",
          "500.12(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-02(1)",
          "IA-02(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-02 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-02 (01)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(j)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.3.2(a)",
          "11.7.1"
        ],
        "emea-us-psd2-2015": [
          "4"
        ],
        "emea-isr-cmo-1-0": [
          "4.21",
          "4.32"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-3",
          "2-2-1-4"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-3-2",
          "2-4-3-2",
          "2-15-3-5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-4",
          "TPC-5",
          "TPC-37",
          "TPC-44",
          "TPC-45"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2201",
          "2305",
          "2512"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2305",
          "2512"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2201",
          "2305",
          "2512"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2201",
          "2305",
          "2512"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P3",
          "ML2-P3",
          "ML3-P3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0974",
          "ISM-1173",
          "ISM-1401",
          "ISM-1504",
          "ISM-1505",
          "ISM-1559",
          "ISM-1560",
          "ISM-1561",
          "ISM-1679",
          "ISM-1680",
          "ISM-1681",
          "ISM-1682",
          "ISM-1683",
          "ISM-1685"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S7"
        ],
        "apac-nzl-ism-3-9": [
          "16.7.34.C.01",
          "16.7.34.C.02",
          "16.7.35.C.01",
          "16.7.36.C.01",
          "23.3.19.C.01",
          "23.3.19.C.02"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.6(b)"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.1.5"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.03",
          "03.07.05.B"
        ]
      }
    },
    {
      "control_id": "IAC-06.1",
      "title": "Network Access to Privileged Accounts",
      "family": "IAC",
      "description": "Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for privileged accounts.",
      "scf_question": "Does the organization utilize Multi-Factor Authentication (MFA) to authenticate network access for privileged accounts?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize Multi-Factor Authentication (MFA) to authenticate network access for privileged accounts.",
        "4": "Identification & Authentication (IAC) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "6.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "6.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "6.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "6.5"
        ],
        "general-govramp": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-core": [
          "IA-02(01)"
        ],
        "general-govramp-low": [
          "IA-02(01)"
        ],
        "general-govramp-low-plus": [
          "IA-02(01)"
        ],
        "general-govramp-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r4": [
          "IA-2(1)",
          "IA-2(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-171-r2": [
          "3.5.3"
        ],
        "general-nist-800-171-r3": [
          "03.05.03"
        ],
        "general-nist-800-171a": [
          "3.5.3[a]",
          "3.5.3[c]"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.4.1",
          "8.4.2",
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.4.1",
          "8.4.2",
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.4.1",
          "8.4.2",
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.4.1",
          "8.4.2",
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.4.1",
          "8.4.2",
          "8.4.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1h"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-2(CE-1)",
          "IA-2(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.12(a)(3)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-02(1)",
          "IA-02(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-02 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-02 (01)"
        ],
        "emea-isr-cmo-1-0": [
          "4.29"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-5",
          "TPC-37"
        ],
        "apac-nzl-ism-3-9": [
          "16.7.34.C.01",
          "16.7.34.C.02",
          "16.7.35.C.01",
          "16.7.36.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.6(a)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.03"
        ]
      }
    },
    {
      "control_id": "IAC-06.2",
      "title": "Network Access to Non-Privileged Accounts",
      "family": "IAC",
      "description": "Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts.",
      "scf_question": "Does the organization utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts.",
        "4": "Identification & Authentication (IAC) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-core": [
          "IA-02(01)"
        ],
        "general-govramp-low": [
          "IA-02(01)"
        ],
        "general-govramp-low-plus": [
          "IA-02(01)"
        ],
        "general-govramp-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r4": [
          "IA-2(2)",
          "IA-2(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-171-r2": [
          "3.5.3"
        ],
        "general-nist-800-171-r3": [
          "03.05.03"
        ],
        "general-nist-800-171a": [
          "3.5.3[d]"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.4.2",
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.4.2",
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.4.2",
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.4.2",
          "8.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.4.2",
          "8.4.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-2(CE-1)",
          "IA-2(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-02(1)",
          "IA-02(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-02 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-02 (01)"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-5",
          "TPC-45"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P3",
          "ML3-P3"
        ],
        "apac-nzl-ism-3-9": [
          "16.7.34.C.01",
          "16.7.34.C.02",
          "16.7.35.C.01",
          "16.7.36.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.03"
        ]
      }
    },
    {
      "control_id": "IAC-06.3",
      "title": "Local Access to Privileged Accounts",
      "family": "IAC",
      "description": "Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts.",
      "scf_question": "Does the organization utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)\n∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-core": [
          "IA-02(01)"
        ],
        "general-govramp-low": [
          "IA-02(01)"
        ],
        "general-govramp-low-plus": [
          "IA-02(01)"
        ],
        "general-govramp-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r4": [
          "IA-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-171-r2": [
          "3.5.3"
        ],
        "general-nist-800-171-r3": [
          "03.05.03"
        ],
        "general-nist-800-171a": [
          "3.5.3[a]",
          "3.5.3[b]"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.4.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.4.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1h"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-2(CE-1)",
          "IA-2(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-2(1)",
          "IA-2(2)",
          "IA-2(3)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.12(a)(3)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-02(1)",
          "IA-02(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-02 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-02 (01)"
        ],
        "emea-isr-cmo-1-0": [
          "4.30"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-37"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P3",
          "ML3-P3"
        ],
        "apac-nzl-ism-3-9": [
          "16.7.34.C.01",
          "16.7.34.C.02",
          "16.7.35.C.01",
          "16.7.36.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.6(a)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.03"
        ]
      }
    },
    {
      "control_id": "IAC-06.4",
      "title": "Out-of-Band Multi-Factor Authentication",
      "family": "IAC",
      "description": "Mechanisms exist to implement Multi-Factor Authentication (MFA) for access to privileged and non-privileged accounts such that one of the factors is independently provided by a device separate from the system being accessed.",
      "scf_question": "Does the organization implements Multi-Factor Authentication (MFA) for access to privileged and non-privileged accounts such that one of the factors is securely provided by a device separate from the system gaining access?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement Multi-Factor Authentication (MFA) for access to privileged and non-privileged accounts such that one of the factors is independently provided by a device separate from the system being accessed.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "small": "∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "medium": "∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "large": "∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)",
        "enterprise": "∙ Yubico (https://yubico.com)\n∙ Duo (https://duo.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-core": [
          "IA-02(01)"
        ],
        "general-govramp-low": [
          "IA-02(01)"
        ],
        "general-govramp-low-plus": [
          "IA-02(01)"
        ],
        "general-govramp-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r4": [
          "IA-2(6)",
          "IA-2(11)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(01)",
          "IA-02(02)",
          "IA-02(06)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(01)",
          "IA-02(02)",
          "IA-02(06)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IA-02(06)"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.03[01]",
          "A.03.05.03[02]"
        ],
        "general-pci-dss-4-0-1": [
          "8.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.4.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.4.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.3.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(01)",
          "IA-02(02)",
          "IA-02(06)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(01)",
          "IA-02(02)",
          "IA-02(06)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-2(CE-1)",
          "IA-2(CE-2)",
          "IA-2(CE-6)",
          "IA-2(CE-6).a",
          "IA-2(CE-6).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-02(1)",
          "IA-02(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-02 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-02 (01)"
        ]
      }
    },
    {
      "control_id": "IAC-06.5",
      "title": "Alternative Multi-Factor Authentication",
      "family": "IAC",
      "description": "Mechanisms exist to enable alternative Multi-Factor Authentication (MFA) tokens when the primary MFA solution is not able to be used.",
      "scf_question": "Does the organization enable alternative Multi-Factor Authentication (MFA) tokens when the primary MFA solution is not able to be used?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enable alternative Multi-Factor Authentication (MFA) tokens when the primary MFA solution is not able to be used.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document alternative MFA options (e.g., backup codes)",
        "small": "∙ Policy for alternative MFA methods when primary MFA is unavailable",
        "medium": "∙ Formal alternative MFA policy\n∙ Approved alternative authentication methods",
        "large": "∙ Enterprise IAM with multiple MFA options\n∙ Fallback authentication procedures",
        "enterprise": "∙ Enterprise IAM platform (e.g., Okta, Microsoft Entra)\n∙ Multiple MFA options\n∙ Fallback authentication workflows\n∙ Recovery procedures"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.9.3"
        ]
      }
    },
    {
      "control_id": "IAC-07",
      "title": "User Provisioning & De-Provisioning",
      "family": "IAC",
      "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
      "scf_question": "Does the organization utilize a formal user registration and de-registration process that governs the assignment of access rights?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-12",
        "E-HRS-18",
        "E-HRS-19"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM restricts the assignment of privileged accounts to entity-defined personnel and/or roles (privilege assignment requires management approval).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented process for adding/removing user access",
        "small": "∙ User provisioning and de-provisioning procedure\n∙ Timely removal of access on departure",
        "medium": "∙ Formal user lifecycle management process\n∙ Provisioning workflows\n∙ Timely de-provisioning",
        "large": "∙ Enterprise IAM with automated provisioning/de-provisioning (e.g., SailPoint, Saviynt)",
        "enterprise": "∙ Enterprise IGA platform (e.g., SailPoint, Saviynt, Microsoft Entra ID Governance)\n∙ Automated lifecycle management\n∙ Role-based access provisioning"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.2",
          "CC6.2-POF1",
          "CC6.2-POF3",
          "CC6.3-POF1",
          "CC6.3-POF2"
        ],
        "general-cis-csc-8-1": [
          "6.1",
          "6.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "6.1",
          "6.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "6.1",
          "6.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "6.1",
          "6.2"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-06",
          "IAM-07"
        ],
        "general-csa-iot-2": [
          "IAM-08"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.2"
        ],
        "general-iso-27002-2022": [
          "5.16",
          "5.18"
        ],
        "general-iso-27017-2015": [
          "9.2.1",
          "9.2.2"
        ],
        "general-iso-27018-2025": [
          "5.16",
          "5.18"
        ],
        "general-nist-800-53-r4": [
          "IA-5(3)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-12(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-12(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "IA-12(04)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)"
        ],
        "general-nist-800-82-r3": [
          "IA-12(04)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-12(04)"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.g.01",
          "03.01.01.g.02",
          "03.01.01.g.03",
          "03.05.05.a",
          "03.09.02.a.01",
          "03.09.02.a.02"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.01.b[01]",
          "A.03.01.01.b[02]",
          "A.03.01.01.b[03]",
          "A.03.01.01.b[04]",
          "A.03.01.01.b[05]",
          "A.03.05.05.a"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.3",
          "8.2.4",
          "8.3.5"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.3.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.3",
          "8.2.4",
          "8.3.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.3",
          "8.2.4",
          "8.3.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.3",
          "8.2.4",
          "8.3.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.3",
          "8.2.4",
          "8.3.5"
        ],
        "general-tisax-6-0-3": [
          "4.1.3",
          "4.2.1",
          "8.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.D"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1a",
          "ACCESS-1c",
          "ACCESS-1f",
          "ACCESS-2f",
          "ACCESS-2g"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-12(04)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(C)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(C)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 6.1.1",
          "CIP-004-7 6.1.2",
          "CIP-004-7 6.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.2.1",
          "11.2.2(a)",
          "11.2.2(b)",
          "11.2.2(d)"
        ],
        "emea-deu-bsrit-2017": [
          "6.4",
          "6.5",
          "6.6"
        ],
        "emea-deu-c5-2020": [
          "IDM-01",
          "IDM-02",
          "PSS-09"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.1 [OP.ACC.1]"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2702"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2702"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2702"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2702"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0430"
        ],
        "apac-jpn-ismap": [
          "9.2.2",
          "9.2.2.2",
          "9.2.2.3",
          "9.2.2.4",
          "9.2.2.6",
          "9.2.2.8.PB",
          "9.2.6",
          "9.2.6.3"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP04",
          "HML04"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP04",
          "HSUP35"
        ],
        "apac-nzl-ism-3-9": [
          "23.3.20.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.G.01",
          "03.01.01.G.02",
          "03.01.01.G.03",
          "03.05.05.A",
          "03.09.02.A.01",
          "03.09.02.A.02"
        ]
      }
    },
    {
      "control_id": "IAC-07.1",
      "title": "Change of Roles & Duties",
      "family": "IAC",
      "description": "Mechanisms exist to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted.",
      "scf_question": "Does the organization revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-12",
        "E-HRS-19"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.\n▪ Active Directory (AD), or similar technologies, are used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Update access rights promptly when roles change",
        "small": "∙ Access change procedure for role changes\n∙ Notify IT/security of role changes",
        "medium": "∙ Formal access modification process for role changes\n∙ Timely access updates",
        "large": "∙ Enterprise IAM with role-change workflow integration with HR\n∙ Automated access adjustment",
        "enterprise": "∙ Enterprise IGA platform with HR integration\n∙ Automated role-change access adjustments\n∙ Access certification"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.2",
          "CC6.2-POF1",
          "CC6.2-POF2",
          "CC6.3-POF1",
          "CC6.3-POF2"
        ],
        "general-cobit-2019": [
          "DSS06.03"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-07"
        ],
        "general-iso-27002-2022": [
          "5.18"
        ],
        "general-iso-27017-2015": [
          "9.2.5"
        ],
        "general-iso-27018-2025": [
          "5.18"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.g.01",
          "03.01.01.g.02",
          "03.01.01.g.03",
          "03.05.05.a",
          "03.09.02.b.02"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.3",
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.3",
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.3",
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.3",
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.3",
          "8.2.4",
          "8.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.D"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-2f",
          "ACCESS-2g",
          "ACCESS-2h"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(A)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(A)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.2.6"
        ],
        "emea-deu-bsrit-2017": [
          "6.4",
          "6.5",
          "6.6"
        ],
        "emea-deu-c5-2020": [
          "PS-04",
          "PSS-08"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-10"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0430"
        ],
        "apac-chn-data-security-law-2021": [
          "27"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP04",
          "HML04"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP04"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.G.01",
          "03.01.01.G.02",
          "03.01.01.G.03",
          "03.05.05.A",
          "03.09.02.B.02"
        ]
      }
    },
    {
      "control_id": "IAC-07.2",
      "title": "Termination of Employment",
      "family": "IAC",
      "description": "Mechanisms exist to revoke user access rights in a timely manner, upon termination of employment or contract.",
      "scf_question": "Does the organization revoke user access rights in a timely manner, upon termination of employment or contract?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-19"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.\n▪ Active Directory (AD), or similar technologies, are used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific Technology Assets, Applications, Services and/or Data (TAASD).",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to revoke user access rights in a timely manner, upon termination of employment or contract.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Revoke all access immediately upon employee termination",
        "small": "∙ Documented termination procedure with immediate access revocation",
        "medium": "∙ Formal termination checklist\n∙ Same-day access revocation process",
        "large": "∙ Enterprise automated offboarding workflow\n∙ HR-to-IAM integration for immediate access revocation",
        "enterprise": "∙ Enterprise IGA with automated offboarding\n∙ HR system integration\n∙ Immediate access revocation across all systems\n∙ Exit interview and access audit"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-07"
        ],
        "general-govramp": [
          "AC-02"
        ],
        "general-govramp-core": [
          "AC-02"
        ],
        "general-govramp-low": [
          "AC-02"
        ],
        "general-govramp-low-plus": [
          "AC-02"
        ],
        "general-govramp-mod": [
          "AC-02"
        ],
        "general-govramp-high": [
          "AC-02"
        ],
        "general-iso-27002-2022": [
          "5.18"
        ],
        "general-iso-27017-2015": [
          "9.2.5"
        ],
        "general-iso-27018-2025": [
          "5.18"
        ],
        "general-nist-800-53-r4": [
          "AC-2(10)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-02"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)"
        ],
        "general-nist-800-82-r3": [
          "AC-02"
        ],
        "general-nist-800-82-r3-low": [
          "AC-02"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02"
        ],
        "general-nist-800-161-r1": [
          "AC-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-2"
        ],
        "general-nist-800-171-r3": [
          "03.09.02.a.01",
          "03.09.02.a.02"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.4",
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.4",
          "8.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.D"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(C)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(C)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-02"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.3.1"
        ],
        "emea-deu-bsrit-2017": [
          "6.4",
          "6.5",
          "6.6"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-10",
          "2-2-1-11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0430"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP04",
          "HML04"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP04"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.09.02.A.01",
          "03.09.02.A.02"
        ]
      }
    },
    {
      "control_id": "IAC-08",
      "title": "Role-Based Access Control (RBAC)",
      "family": "IAC",
      "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
      "scf_question": "Does the organization enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-12",
        "E-IAM-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.\n▪ Active Directory (AD), or similar technologies, are used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Logical Access Control (LAC) limits the ability of non-administrators to make unauthorized configuration changes to systems, applications and services.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM restricts the assignment of privileged accounts to entity-defined personnel and/or roles (privilege assignment requires management approval).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce Role-Based Access Control (RBAC) for TAASD to restrict access to individuals assigned specific roles with legitimate business needs.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role-Based Access Control (RBAC)",
        "small": "∙ Role-Based Access Control (RBAC)",
        "medium": "∙ Role-Based Access Control (RBAC)",
        "large": "∙ Role-Based Access Control (RBAC)",
        "enterprise": "∙ Role-Based Access Control (RBAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.2-POF3",
          "CC6.1",
          "CC6.1-POF12",
          "CC6.1-POF13",
          "CC6.3",
          "CC6.3-POF3"
        ],
        "general-cis-csc-8-1": [
          "3.3",
          "6.0",
          "6.8"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.3",
          "6.8"
        ],
        "general-cobit-2019": [
          "DSS05.04"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-09",
          "IAM-10"
        ],
        "general-csa-iot-2": [
          "IAM-16",
          "MON-04"
        ],
        "general-govramp": [
          "AC-02(07)"
        ],
        "general-govramp-core": [
          "AC-02(07)"
        ],
        "general-govramp-low-plus": [
          "AC-02(07)"
        ],
        "general-govramp-mod": [
          "AC-02(07)"
        ],
        "general-govramp-high": [
          "AC-02(07)"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.5"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.1 RE 2"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.1",
          "CR 2.1(1)",
          "CR 2.1(2)"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "9.1.2"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "8.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.7",
          "TS-1.8",
          "TS-1.10"
        ],
        "general-nist-800-53-r4": [
          "AC-2(7)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(07)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)",
          "164.308(a)(4)",
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(07)"
        ],
        "general-nist-800-171-r2": [
          "3.1.1",
          "3.1.2",
          "3.1.3"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.c.01",
          "03.01.01.c.02",
          "03.01.01.c.03",
          "03.01.02",
          "03.01.05.b",
          "03.01.06.a",
          "03.01.12.a",
          "03.03.08.b",
          "03.04.05",
          "03.06.05.d",
          "03.07.06.a"
        ],
        "general-nist-800-171a": [
          "3.1.3[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.01.c.02",
          "A.03.01.01.c.03",
          "A.03.01.05.ODP[01]",
          "A.03.01.05.ODP[02]",
          "A.03.01.05.b[01]",
          "A.03.01.05.b[02]",
          "A.03.04.05[04]",
          "A.03.06.05.d"
        ],
        "general-nist-800-172": [
          "3.1.2e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3",
          "NIST Tenet 4"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-05"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.3",
          "7.1",
          "7.2",
          "7.2.1",
          "7.2.2",
          "7.2.5",
          "7.3",
          "7.3.1",
          "7.3.2",
          "7.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.2",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.2",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.1",
          "7.2.2",
          "7.2.5",
          "7.3.1",
          "7.3.2",
          "7.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.1",
          "7.2.2",
          "7.2.5",
          "7.3.1",
          "7.3.2",
          "7.3.3"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-swift-cscf-2025": [
          "1.2",
          "5.1"
        ],
        "general-tisax-6-0-3": [
          "4.2.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "AM:SG1.SP1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.E",
          "2.L"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1g",
          "ACCESS-2b",
          "ARCHITECTURE-3c"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.I",
          "AC.L1-B.1.II"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.1",
          "ACL2.-3.1.2",
          "ACL2.-3.1.3"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AC.L3-3.1.2E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.2"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(i)",
          "52.204-21(b)(1)(ii)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(d)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(07)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(1)(ii)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)(ii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(i)",
          "164.308(a)(3)(ii)(A)",
          "164.308(a)(4)(ii)(C)",
          "164.312(a)(1)",
          "164.514(d)(2)(i)(A)",
          "164.514(d)(2)(i)(B)",
          "164.514(d)(2)(ii)",
          "164.530(c)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(i)",
          "164.308(a)(3)(ii)(A)",
          "164.308(a)(4)(ii)(C)",
          "164.312(a)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.D.6"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2(7)",
          "AC-2(7).a",
          "AC-2(7).b",
          "AC-2(7).c",
          "AC-2(7).d"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 4.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(A)",
          "7123(c)(3)(A)(i)",
          "7123(c)(3)(A)(ii)",
          "7123(c)(3)(A)(iii)",
          "7123(c)(3)(B)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(2)(a)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-02 (07)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(2)(A)",
          "2447(c)(2)(B)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.2.(32)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 32.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.2.2(a)",
          "11.2.2(d)",
          "11.4.1"
        ],
        "emea-deu-bsrit-2017": [
          "6.2"
        ],
        "emea-deu-c5-2020": [
          "PSS-08",
          "PSS-11"
        ],
        "emea-isr-cmo-1-0": [
          "4.2",
          "4.8",
          "4.9",
          "4.10",
          "4.11",
          "4.20",
          "12.28",
          "12.29"
        ],
        "emea-sau-cgiot-2024": [
          "2-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-3-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-39"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 17"
        ],
        "emea-esp-decree-311-2022": [
          "17"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.4 [OP.ACC.4]"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2200",
          "2206",
          "2422"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2200",
          "2206",
          "2422"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2200",
          "2206",
          "2422"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2200",
          "2206",
          "2422"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P4",
          "ML2-P4",
          "ML3-P4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1746"
        ],
        "apac-chn-data-security-law-2021": [
          "27"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S3"
        ],
        "apac-jpn-ismap": [
          "8.1.2.5",
          "9.4",
          "9.4.1",
          "9.4.1.1",
          "9.4.1.2",
          "9.4.1.3",
          "9.4.1.4",
          "9.4.1.5",
          "9.4.1.6",
          "9.4.1.7"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP40",
          "HHSP42",
          "HML40",
          "HML42"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS07"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP04",
          "HSUP37"
        ],
        "apac-nzl-ism-3-9": [
          "9.2.11.C.01",
          "9.2.11.C.02",
          "16.2.4.C.01",
          "16.2.5.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.1.7",
          "11.1.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.C.01",
          "03.01.01.C.02",
          "03.01.01.C.03",
          "03.01.02",
          "03.01.05.B",
          "03.01.06.A",
          "03.01.12.A",
          "03.03.08.B",
          "03.04.05",
          "03.06.05.D",
          "03.07.06.A"
        ]
      }
    },
    {
      "control_id": "IAC-09",
      "title": "Identifier Management (User Names)",
      "family": "IAC",
      "description": "Mechanisms exist to govern naming standards for usernames and Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization govern naming standards for usernames and Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern naming standards for usernames and Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-cis-csc-8-1": [
          "5.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.6"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-12"
        ],
        "general-govramp": [
          "IA-04"
        ],
        "general-govramp-core": [
          "IA-04"
        ],
        "general-govramp-low": [
          "IA-04"
        ],
        "general-govramp-low-plus": [
          "IA-04"
        ],
        "general-govramp-mod": [
          "IA-04"
        ],
        "general-govramp-high": [
          "IA-04"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.4"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.4"
        ],
        "general-iso-27002-2022": [
          "5.16"
        ],
        "general-iso-27018-2025": [
          "5.16"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.005",
          "T1003.006",
          "T1021.001",
          "T1021.005",
          "T1053",
          "T1053.002",
          "T1053.005",
          "T1098.007",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1528",
          "T1530",
          "T1537",
          "T1543",
          "T1547.006",
          "T1550.001",
          "T1552",
          "T1552.005",
          "T1562",
          "T1563",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1602",
          "T1602.001",
          "T1602.002"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.6"
        ],
        "general-nist-800-53-r4": [
          "IA-4"
        ],
        "general-nist-800-53-r5-2": [
          "IA-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-04"
        ],
        "general-nist-800-66-r2": [
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "IA-04"
        ],
        "general-nist-800-82-r3-low": [
          "IA-04"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-04"
        ],
        "general-nist-800-82-r3-high": [
          "IA-04"
        ],
        "general-nist-800-161-r1": [
          "IA-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IA-4"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IA-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "IA-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-4"
        ],
        "general-nist-800-171-r2": [
          "3.5.5"
        ],
        "general-nist-800-171-r3": [
          "03.05.05.b",
          "03.05.05.c",
          "03.05.05.d"
        ],
        "general-nist-800-171a": [
          "3.5.5[a]",
          "3.5.5[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.05.ODP[01]",
          "A.03.05.05.b[01]",
          "A.03.05.05.b[02]",
          "A.03.05.05.c"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2",
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-4"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-04"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(a)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(a)(2)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-4",
          "IA-4(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-4",
          "IA-4.a",
          "IA-4.b",
          "IA-4.c",
          "IA-4.d",
          "IA-4.e",
          "IA-4-IS.1",
          "IA-4-IS.2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-04"
        ],
        "emea-deu-c5-2020": [
          "IDM-01"
        ],
        "emea-isr-cmo-1-0": [
          "12.15"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.05.B",
          "03.05.05.C",
          "03.05.05.D"
        ]
      }
    },
    {
      "control_id": "IAC-09.1",
      "title": "User Identity (ID) Management",
      "family": "IAC",
      "description": "Mechanisms exist to ensure proper user identification management for non-consumer users and administrators.",
      "scf_question": "Does the organization ensure proper user identification management for non-consumer users and administrators?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure proper user identification management for non-consumer users and administrators.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-govramp": [
          "IA-04(04)"
        ],
        "general-govramp-core": [
          "IA-04(04)"
        ],
        "general-govramp-mod": [
          "IA-04(04)"
        ],
        "general-govramp-high": [
          "IA-04(04)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.4"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.4"
        ],
        "general-iso-27002-2022": [
          "5.16"
        ],
        "general-iso-27018-2025": [
          "5.16"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.6"
        ],
        "general-nist-800-53-r4": [
          "IA-4(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-04(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-04(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-04(04)"
        ],
        "general-nist-800-82-r3": [
          "IA-04(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-04(04)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-04(04)"
        ],
        "general-nist-800-171-r3": [
          "03.05.05.b"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2",
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-4(4)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-04(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-4(CE-4)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-04 (04)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.5.2(b)"
        ],
        "emea-isr-cmo-1-0": [
          "12.15"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-3-1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.05.B"
        ]
      }
    },
    {
      "control_id": "IAC-09.2",
      "title": "Identity User Status",
      "family": "IAC",
      "description": "Mechanisms exist to identify contractors and other third-party users through unique username characteristics.",
      "scf_question": "Does the organization identify contractors and other third-party users through unique username characteristics?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify contractors and other third-party users through unique username characteristics.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-04(04)"
        ],
        "general-govramp-core": [
          "IA-04(04)"
        ],
        "general-govramp-mod": [
          "IA-04(04)"
        ],
        "general-govramp-high": [
          "IA-04(04)"
        ],
        "general-nist-800-53-r4": [
          "IA-4(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-04(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-04(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-04(04)"
        ],
        "general-nist-800-82-r3": [
          "IA-04(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-04(04)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-04(04)"
        ],
        "general-nist-800-171-r3": [
          "03.05.05.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.05.ODP[02]",
          "A.03.05.05.d"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-4(4)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-04(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-4(CE-4)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-04 (04)"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 13",
          "P13-(1)",
          "P13-(2)",
          "P13-(2)(a)",
          "P13-(2)(b)",
          "P13-(3)",
          "P13-(4)(a)",
          "P13-(4)(b)",
          "P13-(5)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.05.D"
        ]
      }
    },
    {
      "control_id": "IAC-09.3",
      "title": "Dynamic Management",
      "family": "IAC",
      "description": "Mechanisms exist to dynamically manage usernames and system identifiers.",
      "scf_question": "Does the organization dynamically manage usernames and system identifiers?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to dynamically manage usernames and system identifiers.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "IA-4(5)",
          "IA-5(2)",
          "IA-5(10)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-04(05)",
          "IA-05(10)"
        ],
        "general-nist-800-82-r3": [
          "IA-04(05)",
          "IA-05(10)"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ]
      }
    },
    {
      "control_id": "IAC-09.4",
      "title": "Cross-Organization Management",
      "family": "IAC",
      "description": "Mechanisms exist to coordinate username identifiers with external organizations for cross-organization management of identifiers.",
      "scf_question": "Does the organization coordinate username identifiers with external organizations for cross-organization management of identifiers?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to coordinate username identifiers with external organizations for cross-organization management of identifiers.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iso-27002-2022": [
          "5.16"
        ],
        "general-iso-27018-2025": [
          "5.16"
        ],
        "general-nist-800-53-r4": [
          "IA-4(6)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-04(06)"
        ],
        "general-nist-800-82-r3": [
          "IA-04(06)"
        ],
        "general-nist-800-161-r1": [
          "IA-4(6)"
        ],
        "general-nist-800-161-r1-level-1": [
          "IA-4(6)"
        ],
        "general-nist-800-161-r1-level-2": [
          "IA-4(6)"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-4(6)"
        ]
      }
    },
    {
      "control_id": "IAC-09.5",
      "title": "Privileged Account Identifiers",
      "family": "IAC",
      "description": "Mechanisms exist to uniquely manage privileged accounts to identify the account as a privileged user or service.",
      "scf_question": "Does the organization uniquely manage privileged accounts to identify the account as a privileged user or service?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to uniquely manage privileged accounts to identify the account as a privileged user or service.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-09",
          "IAM-10",
          "IAM-11"
        ],
        "general-govramp": [
          "IA-05(08)"
        ],
        "general-govramp-high": [
          "IA-05(08)"
        ],
        "general-nist-800-53-r4": [
          "IA-5(8)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(08)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-05(08)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(08)"
        ],
        "general-nist-800-171-r3": [
          "03.01.07.b",
          "03.05.05.d"
        ],
        "general-nist-800-171a": [
          "3.1.5[a]"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-05(08)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05(08)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05(08)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-05(08)"
        ],
        "emea-deu-c5-2020": [
          "IDM-02"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.07.B",
          "03.05.05.D"
        ]
      }
    },
    {
      "control_id": "IAC-09.6",
      "title": "Pairwise Pseudonymous Identifiers (PPID)",
      "family": "IAC",
      "description": "Mechanisms exist to generate pairwise pseudonymous identifiers with no identifying information about a data subject to discourage activity tracking and profiling of the data subject.",
      "scf_question": "Does the organization generate pairwise pseudonymous identifiers with no identifying information about a data subject to discourage activity tracking and profiling of the data subject?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to generate pairwise pseudonymous identifiers with no identifying information about a data subject to discourage activity tracking and profiling of the data subject.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Use pseudonymous identifiers where required for privacy",
        "large": "∙ PPID implementation for applicable services\n∙ Privacy-preserving identity design",
        "enterprise": "∙ Enterprise PPID implementation (e.g., OpenID Connect pairwise identifiers)\n∙ Privacy-by-design identity framework"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-privacy-framework-1-0": [
          "CT.DP-P3",
          "CT.DP-P5"
        ],
        "general-nist-800-53-r4": [
          "DM-3(1)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-04(08)"
        ],
        "general-nist-800-82-r3": [
          "IA-04(08)"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "emea-zaf-popia-2013": [
          "6.1.b"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 2"
        ],
        "apac-jpn-ppi-2020": [
          "35-2(1)",
          "35-2(2)",
          "35-2(3)",
          "35-2(4)",
          "35-2(5)",
          "35-2(6)",
          "35-2(7)",
          "35-2(8)",
          "35-2(9)",
          "36(1)",
          "36(2)",
          "36(3)",
          "36(4)",
          "37",
          "38",
          "39"
        ]
      }
    },
    {
      "control_id": "IAC-10",
      "title": "Authenticator Management",
      "family": "IAC",
      "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
      "scf_question": "Does the organization:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-cis-csc-8-1": [
          "5.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "5.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.2"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-14",
          "IAM-15"
        ],
        "general-csa-iot-2": [
          "IAM-18",
          "IAM-21"
        ],
        "general-govramp": [
          "IA-05(01)"
        ],
        "general-govramp-core": [
          "IA-05(01)"
        ],
        "general-govramp-low": [
          "IA-05(01)"
        ],
        "general-govramp-low-plus": [
          "IA-05(01)"
        ],
        "general-govramp-mod": [
          "IA-05(01)"
        ],
        "general-govramp-high": [
          "IA-05(01)"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.11"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.5",
          "CR 1.9"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.1",
          "3.5.3.2"
        ],
        "general-iso-27002-2022": [
          "5.17",
          "5.18"
        ],
        "general-iso-27017-2015": [
          "9.2.4",
          "9.4.3"
        ],
        "general-iso-27018-2025": [
          "5.17",
          "5.18"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1021",
          "T1021.001",
          "T1021.004",
          "T1021.007",
          "T1021.008",
          "T1040",
          "T1072",
          "T1078",
          "T1078.002",
          "T1078.004",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.004",
          "T1098.006",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1111",
          "T1114",
          "T1114.002",
          "T1133",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1212",
          "T1528",
          "T1530",
          "T1539",
          "T1550.003",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.004",
          "T1552.006",
          "T1555",
          "T1555.001",
          "T1555.002",
          "T1555.004",
          "T1555.005",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004",
          "T1556.005",
          "T1556.009",
          "T1558",
          "T1558.001",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1558.005",
          "T1563.001",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1621",
          "T1649"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.6"
        ],
        "general-nist-800-53-r4": [
          "IA-5",
          "IA-5(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05",
          "IA-05(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-05",
          "IA-05(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-05",
          "IA-05(01)"
        ],
        "general-nist-800-82-r3": [
          "IA-05",
          "IA-05(01)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-05",
          "IA-05(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-05",
          "IA-05(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-05",
          "IA-05(01)"
        ],
        "general-nist-800-161-r1": [
          "IA-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IA-5"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IA-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "IA-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-5"
        ],
        "general-nist-800-171-r2": [
          "3.5.8",
          "3.5.9"
        ],
        "general-nist-800-171-r3": [
          "03.05.07.a",
          "03.05.07.b",
          "03.05.07.c",
          "03.05.07.d",
          "03.05.07.e",
          "03.05.07.f",
          "03.05.12.a",
          "03.05.12.b",
          "03.05.12.c",
          "03.05.12.d",
          "03.05.12.e",
          "03.05.12.f"
        ],
        "general-nist-800-171a": [
          "3.5.8[a]",
          "3.5.8[b]",
          "3.5.9"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.12.ODP[01]",
          "A.03.05.12.ODP[02]",
          "A.03.05.12.a",
          "A.03.05.12.b",
          "A.03.05.12.c[01]",
          "A.03.05.12.c[02]",
          "A.03.05.12.c[03]",
          "A.03.05.12.c[04]",
          "A.03.05.12.c[05]",
          "A.03.05.12.c[06]",
          "A.03.05.12.d",
          "A.03.05.12.e",
          "A.03.05.12.f[01]",
          "A.03.05.12.f[02]"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.4",
          "8.3",
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.7",
          "8.3.9",
          "8.3.10.1",
          "8.3.11",
          "8.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.3.1",
          "8.3.5",
          "8.3.7",
          "8.3.9"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.4",
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.7",
          "8.3.9",
          "8.3.11",
          "8.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.4",
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.7",
          "8.3.9",
          "8.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.4",
          "8.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.4",
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.7",
          "8.3.9",
          "8.3.11",
          "8.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.4",
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.7",
          "8.3.9",
          "8.3.10.1",
          "8.3.11",
          "8.6.3"
        ],
        "general-swift-cscf-2025": [
          "4.1",
          "5.4"
        ],
        "general-ul-2900-2-2-2016": [
          "8.9"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.SMANA"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.B",
          "2.L"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-5",
          "IA-5(1)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1b"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.8",
          "IAL2.-3.5.9"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.8.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-05",
          "IA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05",
          "IA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05",
          "IA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-05",
          "IA-05(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-5",
          "IA-5(CE-1).c",
          "IA-5(CE-1).d",
          "IA-5(CE-1).e",
          "IA-5(IRS-Defined)-1",
          "IA-5(IRS-Defined)-2",
          "IA-5(IRS-Defined)-2.a",
          "IA-5(IRS-Defined)-2.b",
          "IA-5(IRS-Defined)-2.c",
          "IA-5(IRS-Defined)-2.d"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-5",
          "IA-5(1)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 5.6"
        ],
        "usa-federal-nispom-2020": [
          "§117.15(e)(5)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(1)(B)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(1)(b)",
          "17.04(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-05",
          "IA-05(1)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-05",
          "IA-05 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-05",
          "IA-05 (01)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(1)(A)(ii)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.6.2(a)",
          "11.7.2"
        ],
        "emea-us-psd2-2015": [
          "4"
        ],
        "emea-deu-c5-2020": [
          "IDM-08"
        ],
        "emea-isr-cmo-1-0": [
          "4.35",
          "12.15",
          "12.16"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-6"
        ],
        "emea-sau-cgiot-2024": [
          "2-2-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.5 [OP.ACC.5]"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1227",
          "ISM-1593",
          "ISM-1594",
          "ISM-1595"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S6"
        ],
        "apac-jpn-ismap": [
          "9.2.4",
          "9.2.4.1",
          "9.2.4.3",
          "9.2.4.4",
          "9.2.4.5",
          "9.2.4.6",
          "9.2.4.7",
          "9.2.4.8"
        ],
        "apac-nzl-ism-3-9": [
          "14.3.13.C.01",
          "14.3.13.C.02",
          "14.3.13.C.03",
          "16.1.40.C.01",
          "16.1.40.C.02",
          "16.1.41.C.01",
          "16.1.41.C.02",
          "16.1.41.C.03",
          "16.1.41.C.04",
          "16.1.42.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.07.A",
          "03.05.07.B",
          "03.05.07.C",
          "03.05.07.D",
          "03.05.07.E",
          "03.05.07.F",
          "03.05.12.A",
          "03.05.12.B",
          "03.05.12.C",
          "03.05.12.D",
          "03.05.12.E",
          "03.05.12.F"
        ]
      }
    },
    {
      "control_id": "IAC-10.1",
      "title": "Password-Based Authentication",
      "family": "IAC",
      "description": "Mechanisms exist to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.",
      "scf_question": "Does the organization enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6-POF2"
        ],
        "general-cis-csc-8-1": [
          "5.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "5.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.2"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-13",
          "IAM-14",
          "IAM-15"
        ],
        "general-csa-iot-2": [
          "IAM-18",
          "IAM-19",
          "IAM-21"
        ],
        "general-govramp": [
          "IA-05(01)"
        ],
        "general-govramp-core": [
          "IA-05(01)"
        ],
        "general-govramp-low": [
          "IA-05(01)"
        ],
        "general-govramp-low-plus": [
          "IA-05(01)"
        ],
        "general-govramp-mod": [
          "IA-05(01)"
        ],
        "general-govramp-high": [
          "IA-05(01)"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.11"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.7",
          "SR 1.7 RE 1",
          "SR 1.7 RE 2"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.5(c)",
          "CR 1.7",
          "CR 1.7(1)",
          "CR 1.7(2)"
        ],
        "general-iso-27002-2022": [
          "5.17"
        ],
        "general-iso-27017-2015": [
          "9.2.4",
          "9.4.3"
        ],
        "general-iso-27018-2025": [
          "5.17"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.6"
        ],
        "general-nist-800-53-r4": [
          "IA-5(1)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-05(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-05(01)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(01)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-05(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-05(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-05(01)"
        ],
        "general-nist-800-171-r2": [
          "3.5.7"
        ],
        "general-nist-800-171-r3": [
          "03.05.07.e",
          "03.05.07.f",
          "03.05.12.b",
          "03.05.12.c",
          "03.05.12.d",
          "03.05.12.e",
          "03.05.12.f"
        ],
        "general-nist-800-171a": [
          "3.5.7[a]",
          "3.5.7[b]",
          "3.5.7[c]",
          "3.5.7[d]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.07.ODP[02]",
          "A.03.05.07.f"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.3",
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.6",
          "8.3.7",
          "8.3.9",
          "8.3.10.1",
          "8.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.3.1",
          "8.3.5",
          "8.3.6",
          "8.3.7",
          "8.3.9"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.6",
          "8.3.7",
          "8.3.9",
          "8.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.6",
          "8.3.7",
          "8.3.9",
          "8.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.3.1",
          "8.3.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.6",
          "8.3.7",
          "8.3.9",
          "8.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.1",
          "8.3.3",
          "8.3.5",
          "8.3.6",
          "8.3.7",
          "8.3.9",
          "8.3.10.1",
          "8.6.3"
        ],
        "general-swift-cscf-2025": [
          "4.1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.B",
          "2.L"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-5(1)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1b",
          "ACCESS-1d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.7"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.8.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-05(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-5(CE-1)",
          "IA-5(CE-1).f",
          "IA-5(CE-1).h",
          "IA-5(CE-1).h.1",
          "IA-5(CE-1).h.2",
          "IA-5(CE-1).h.3",
          "IA-5(CE-1).h.4",
          "IA-5(CE-1).h.5",
          "IA-5(CE-1).h.5.i",
          "IA-5(CE-1).h.5.ii",
          "IA-5(CE-1).h.6",
          "IA-5(CE-1).h.6.i",
          "IA-5(CE-1).h.6.ii",
          "IA-5(CE-1).h.7"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-5(1)",
          "IA-5(1).a",
          "IA-5(1).b",
          "IA-5(1).c",
          "IA-5(1).d",
          "IA-5(1).d.1",
          "IA-5(1).d.2",
          "IA-5(1).d.3",
          "IA-5(1).e",
          "IA-5(1).f",
          "IA-5(1).g",
          "IA-5(1).h"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 5.5.1",
          "CIP-007-6 5.5.2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(1)(B)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(b)",
          "500.7(c)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-05(1)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-05 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-05 (01)"
        ],
        "emea-us-psd2-2015": [
          "4"
        ],
        "emea-deu-c5-2020": [
          "IDM-09",
          "PSS-07"
        ],
        "emea-isr-cmo-1-0": [
          "4.35",
          "12.15",
          "12.16"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-5"
        ],
        "emea-sau-cgiot-2024": [
          "2-2-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.5 [OP.ACC.5]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0417",
          "ISM-0421",
          "ISM-0422",
          "ISM-1557",
          "ISM-1558",
          "ISM-1596",
          "ISM-1795"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 1"
        ],
        "apac-jpn-ismap": [
          "9.3.1.4",
          "9.4.3",
          "9.4.3.1",
          "9.4.3.2",
          "9.4.3.3",
          "9.4.3.4",
          "9.4.3.5",
          "9.4.3.6",
          "9.4.3.7",
          "9.4.3.8",
          "9.4.3.9"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.35.C.01",
          "16.1.35.C.02",
          "16.1.42.C.01",
          "16.1.43.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.07.E",
          "03.05.07.F",
          "03.05.12.B",
          "03.05.12.C",
          "03.05.12.D",
          "03.05.12.E",
          "03.05.12.F"
        ]
      }
    },
    {
      "control_id": "IAC-10.2",
      "title": "PKI-Based Authentication",
      "family": "IAC",
      "description": "Automated mechanisms exist to validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information for PKI-based authentication.",
      "scf_question": "Does the organization use automated mechanisms to validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information for PKI-based authentication?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information for PKI-based authentication.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-13",
          "IAM-14"
        ],
        "general-csa-iot-2": [
          "CLS-01"
        ],
        "general-govramp": [
          "IA-05(02)"
        ],
        "general-govramp-mod": [
          "IA-05(02)"
        ],
        "general-govramp-high": [
          "IA-05(02)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.8",
          "SR 1.9(a)",
          "SR 1.9(b)",
          "SR 1.9(c)",
          "SR 1.9(d)",
          "SR 1.9(e)"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.9(a)",
          "CR 1.9(b)",
          "CR 1.9(c)"
        ],
        "general-nist-800-53-r4": [
          "IA-5(2)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-05(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-05(02)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-05(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-05(02)"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.1",
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.1",
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.1",
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.1",
          "8.3.11"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-5(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1b"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.9",
          "1.9.1",
          "2.1.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-05(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-5(CE-2)",
          "IA-5(CE-2).a",
          "IA-5(CE-2).a.1",
          "IA-5(CE-2).a.2",
          "IA-5(CE-2).b",
          "IA-5(CE-2).b.1",
          "IA-5(CE-2).b.2"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-5(2)",
          "IA-5(2).a",
          "IA-5(2).b",
          "IA-5(2).c",
          "IA-5(2).d"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-05 (02)"
        ],
        "emea-deu-c5-2020": [
          "IDM-09"
        ],
        "emea-isr-cmo-1-0": [
          "12.15",
          "12.16"
        ]
      }
    },
    {
      "control_id": "IAC-10.3",
      "title": "In-Person or Trusted Third-Party Registration",
      "family": "IAC",
      "description": "Mechanisms exist to conduct in-person or trusted third-party identity verification before user accounts for third-parties are created.",
      "scf_question": "Does the organization conduct in-person or trusted third-party identity verification before user accounts for third-parties are created?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct in-person or trusted third-party identity verification before user accounts for third-parties are created.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Verify identity in-person or via trusted third party for sensitive accounts",
        "small": "∙ In-person or trusted third-party identity proofing for high-assurance accounts",
        "medium": "∙ Formal identity proofing process for high-assurance accounts\n∙ NIST IAL2/IAL3 compliance",
        "large": "∙ Formal identity proofing program\n∙ Third-party identity verification service\n∙ NIST SP 800-63A compliance",
        "enterprise": "∙ Enterprise identity proofing solution (e.g., ID.me, Jumio)\n∙ NIST IAL3 compliance\n∙ Remote proofing capabilities"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "IA-5(3)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-12(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-12(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "IA-12(04)"
        ],
        "general-nist-800-82-r3": [
          "IA-12(04)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-12(04)"
        ],
        "general-nist-800-171-r3": [
          "03.05.12.a"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-12(04)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-5(3)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.12.A"
        ]
      }
    },
    {
      "control_id": "IAC-10.4",
      "title": "Automated Support For Password Strength",
      "family": "IAC",
      "description": "Automated mechanisms exist to determine if password authenticators are sufficiently strong enough to satisfy organization-defined password length and complexity requirements.",
      "scf_question": "Does the organization use automated mechanisms to determine if password authenticators are sufficiently strong enough to satisfy organization-defined password length and complexity requirements?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.\n▪ Password managers are not governed.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically determine if password authenticators are sufficiently strong enough to satisfy organization-defined password length and complexity requirements.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-15"
        ],
        "general-govramp": [
          "IA-05(01)"
        ],
        "general-govramp-core": [
          "IA-05(01)"
        ],
        "general-govramp-low": [
          "IA-05(01)"
        ],
        "general-govramp-low-plus": [
          "IA-05(01)"
        ],
        "general-govramp-mod": [
          "IA-05(01)"
        ],
        "general-govramp-high": [
          "IA-05(01)"
        ],
        "general-nist-800-53-r4": [
          "IA-5(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-05(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-05(01)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(01)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-05(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-05(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-05(01)"
        ],
        "general-nist-800-171-r3": [
          "03.05.07.a",
          "03.05.07.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.07.ODP[01]",
          "A.03.05.07.a[01]",
          "A.03.05.07.a[02]",
          "A.03.05.07.a[03]",
          "A.03.05.07.b"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-5(1)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-05(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-5(CE-1).a",
          "IA-5(CE-1).b",
          "IA-5(CE-1).g"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-5(1)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(c)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-05(1)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-05 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-05 (01)"
        ],
        "emea-us-psd2-2015": [
          "19"
        ],
        "emea-deu-c5-2020": [
          "PSS-07"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2213"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2213"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2213"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2213"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.41.C.01",
          "16.1.41.C.02",
          "16.1.41.C.03",
          "16.1.41.C.04"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.07.A",
          "03.05.07.B"
        ]
      }
    },
    {
      "control_id": "IAC-10.5",
      "title": "Protection of Authenticators",
      "family": "IAC",
      "description": "Mechanisms exist to protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access.",
      "scf_question": "Does the organization protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.\n▪ Password managers are not governed.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Store passwords in a password manager\n∙ Never share passwords",
        "small": "∙ Password manager for credential storage\n∙ Policy for authenticator protection",
        "medium": "∙ Formal authenticator protection policy\n∙ Password manager deployment\n∙ Hardware token protection",
        "large": "∙ Enterprise password management (e.g., CyberArk, 1Password)\n∙ Hardware token management\n∙ PKI for certificate protection",
        "enterprise": "∙ Enterprise credential management platform (e.g., CyberArk, Thales)\n∙ HSM for cryptographic authenticator protection\n∙ Hardware token lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-15"
        ],
        "general-govramp": [
          "IA-05(06)"
        ],
        "general-govramp-mod": [
          "IA-05(06)"
        ],
        "general-govramp-high": [
          "IA-05(06)"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.5(d)"
        ],
        "general-iso-27002-2022": [
          "5.17"
        ],
        "general-iso-27017-2015": [
          "9.2.4",
          "9.3.1"
        ],
        "general-iso-27018-2025": [
          "5.17"
        ],
        "general-nist-800-53-r4": [
          "IA-5(6)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(06)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-05(06)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-05(06)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(06)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-05(06)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-05(06)"
        ],
        "general-nist-800-171-r2": [
          "3.5.10"
        ],
        "general-nist-800-171-r3": [
          "03.05.07.c",
          "03.05.07.d",
          "03.05.12.f"
        ],
        "general-nist-800-171a": [
          "3.5.10[a]",
          "3.5.10[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.07.c",
          "A.03.05.07.d",
          "A.03.05.12.f[01]",
          "A.03.05.12.f[02]"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.11"
        ],
        "general-sparta": [
          "CM0035"
        ],
        "general-swift-cscf-2025": [
          "5.4"
        ],
        "general-tisax-6-0-3": [
          "4.1.3"
        ],
        "general-ul-2900-2-2-2016": [
          "8.10",
          "8.11"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.SMANA"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-5(6)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.10"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.300(d)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-05(06)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05(06)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05(06)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-05(06)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-5(CE-6)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(1)(c)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-05 (06)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(1)(A)(iii)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.6.2(b)"
        ],
        "emea-us-psd2-2015": [
          "19",
          "22"
        ],
        "emea-deu-c5-2020": [
          "IDM-08",
          "PSS-07"
        ],
        "emea-isr-cmo-1-0": [
          "4.37"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.5 [OP.ACC.5]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0418",
          "ISM-1402",
          "ISM-1590",
          "ISM-1597",
          "ISM-1686",
          "ISM-1749"
        ],
        "apac-jpn-ismap": [
          "9.3",
          "9.3.1",
          "9.3.1.1",
          "9.3.1.2",
          "9.3.1.3",
          "9.3.1.5",
          "9.3.1.6",
          "9.3.1.7"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.36.C.01",
          "16.1.37.C.01",
          "16.1.38.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.07.C",
          "03.05.07.D",
          "03.05.12.F"
        ]
      }
    },
    {
      "control_id": "IAC-10.6",
      "title": "No Embedded Unencrypted Static Authenticators",
      "family": "IAC",
      "description": "Mechanisms exist to ensure that unencrypted, static authenticators are not embedded in applications, scripts or stored on function keys.",
      "scf_question": "Does the organization ensure that unencrypted, static authenticators are not embedded in applications, scripts or stored on function keys?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that unencrypted, static authenticators are not embedded in applications, scripts or stored on function keys.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-15"
        ],
        "general-govramp": [
          "IA-05(07)"
        ],
        "general-govramp-mod": [
          "IA-05(07)"
        ],
        "general-govramp-high": [
          "IA-05(07)"
        ],
        "general-nist-800-53-r4": [
          "IA-5(7)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(07)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(07)"
        ],
        "general-nist-800-171-r3": [
          "03.05.07.d"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.6.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.6.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.6.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.6.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.6.2"
        ],
        "general-swift-cscf-2025": [
          "5.4"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05(07)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-5(CE-7)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-5(7)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-05 (07)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-62"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.36.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.07.D"
        ]
      }
    },
    {
      "control_id": "IAC-10.7",
      "title": "Hardware Token-Based Authentication",
      "family": "IAC",
      "description": "Automated mechanisms exist to ensure organization-defined token quality requirements are satisfied for hardware token-based authentication.",
      "scf_question": "Does the organization use automated mechanisms to ensure organization-defined token quality requirements are satisfied for hardware token-based authentication?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically ensure organization-defined token quality requirements are satisfied for hardware token-based authentication.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-core": [
          "IA-02(01)"
        ],
        "general-govramp-low": [
          "IA-02(01)"
        ],
        "general-govramp-low-plus": [
          "IA-02(01)"
        ],
        "general-govramp-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r4": [
          "IA-5(11)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.11"
        ],
        "general-swift-cscf-2025": [
          "5.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-2(CE-1)",
          "IA-2(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-2(1)",
          "IA-2(2)",
          "IA-5(11)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-02(1)",
          "IA-02(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-02 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-02 (01)"
        ]
      }
    },
    {
      "control_id": "IAC-10.8",
      "title": "Default Authenticators",
      "family": "IAC",
      "description": "Mechanisms exist to ensure default authenticators are changed as part of account creation or system installation.",
      "scf_question": "Does the organization ensure default authenticators are changed as part of account creation or system installation?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure default authenticators are changed as part of account creation or system installation.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-cis-csc-8-1": [
          "4.7"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.7"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-15"
        ],
        "general-csa-iot-2": [
          "IAM-20"
        ],
        "general-govramp": [
          "IA-05"
        ],
        "general-govramp-core": [
          "IA-05"
        ],
        "general-govramp-low": [
          "IA-05"
        ],
        "general-govramp-low-plus": [
          "IA-05"
        ],
        "general-govramp-mod": [
          "IA-05"
        ],
        "general-govramp-high": [
          "IA-05"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.5(a)",
          "CR 1.5(b)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.2"
        ],
        "general-iso-27002-2022": [
          "5.17"
        ],
        "general-iso-27017-2015": [
          "9.2.4"
        ],
        "general-iso-27018-2025": [
          "5.17"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.2"
        ],
        "general-nist-800-53-r4": [
          "IA-5",
          "IA-5(5)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05",
          "IA-05(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-05"
        ],
        "general-nist-800-82-r3": [
          "IA-05",
          "IA-05(05)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-05"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-05"
        ],
        "general-nist-800-82-r3-high": [
          "IA-05"
        ],
        "general-nist-800-161-r1": [
          "IA-5",
          "IA-5(5)"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IA-5"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IA-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "IA-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-5",
          "IA-5(5)"
        ],
        "general-nist-800-171-r3": [
          "03.05.07.e",
          "03.05.12.d"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.2",
          "2.3.1",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "2.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.2",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "2.2.2",
          "2.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.2",
          "2.3.1",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.2",
          "2.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.2",
          "2.3.1",
          "6.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.2",
          "2.3.1",
          "6.5.2"
        ],
        "general-shared-assessments-sig-2025": [
          "U.1.3"
        ],
        "general-tisax-6-0-3": [
          "4.1.3"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-05"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-5",
          "IA-5(CE-5)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-5"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 5.4"
        ],
        "usa-state-ca-sb327-2018": [
          "1798.91.04(b)(2)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(2)(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-05"
        ],
        "emea-sau-cgiot-2024": [
          "2-2-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2211"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2211"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2211"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2211"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1304",
          "ISM-1806"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.07.E",
          "03.05.12.D"
        ]
      }
    },
    {
      "control_id": "IAC-10.9",
      "title": "Multiple System Accounts",
      "family": "IAC",
      "description": "Mechanisms exist to implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Policy limiting and documenting multiple system accounts per user",
        "small": "∙ Policy controlling multiple account assignments per user",
        "medium": "∙ Formal multiple account management policy\n∙ Periodic review of multi-account assignments",
        "large": "∙ Enterprise IAM with multi-account visibility and management",
        "enterprise": "∙ Enterprise IGA platform with unified account view\n∙ Automated detection of excessive accounts\n∙ Access certification"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "IA-5(8)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(08)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-05(08)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(08)"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.C"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-05(08)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05(08)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05(08)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-05(08)"
        ]
      }
    },
    {
      "control_id": "IAC-10.10",
      "title": "Expiration of Cached Authenticators",
      "family": "IAC",
      "description": "Automated mechanisms exist to prohibit the use of cached authenticators after an organization-defined time period.",
      "scf_question": "Does the organization use automated mechanisms to prohibit the use of cached authenticators after an organization-defined time period?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically prohibit the use of cached authenticators after an organization-defined time period.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Clear cached credentials on shared/public systems",
        "small": "∙ Policy requiring clearing of cached authenticators on shared systems",
        "medium": "∙ Formal cached authenticator expiration policy\n∙ Technical controls for cache expiry",
        "large": "∙ Enterprise endpoint policy for authenticator cache expiration (e.g., GPO)\n∙ Automated enforcement",
        "enterprise": "∙ Enterprise endpoint management with cached credential expiration policies (e.g., Microsoft Intune, JAMF)\n∙ Automated enforcement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-05(13)"
        ],
        "general-govramp-high": [
          "IA-05(13)"
        ],
        "general-nist-800-53-r4": [
          "IA-5(13)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(13)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(13)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05(13)"
        ]
      }
    },
    {
      "control_id": "IAC-10.11",
      "title": "Password Managers",
      "family": "IAC",
      "description": "Mechanisms exist to protect and store passwords via a password manager tool.",
      "scf_question": "Does the organization protect and store passwords via a password manager tool?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ Password managers are provided, but decentralized and not actively governed.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect and store passwords via a password manager tool.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Keeper (https://keepersecurity.com)\n∙ LastPass (https://lastpass.com)\n∙ 1Password (https://1password.com)",
        "small": "∙ Keeper (https://keepersecurity.com)\n∙ LastPass (https://lastpass.com)\n∙ 1Password (https://1password.com)",
        "medium": "∙ Keeper (https://keepersecurity.com)\n∙ LastPass (https://lastpass.com)\n∙ 1Password (https://1password.com)\n∙ Delinea Secret Server (https://delinea.com)\n∙ ManageEngine Enterprise Password Management (https://manageengine.com)\n∙ Securden (https://securden.com)\n∙ CyberArk (https://cyberark.com)",
        "large": "∙ Keeper (https://keepersecurity.com)\n∙ LastPass (https://lastpass.com)\n∙ 1Password (https://1password.com)\n∙ Delinea Secret Server (https://delinea.com)\n∙ ManageEngine Enterprise Password Management (https://manageengine.com)\n∙ Securden (https://securden.com)\n∙ CyberArk (https://cyberark.com)",
        "enterprise": "∙ Keeper (https://keepersecurity.com)\n∙ LastPass (https://lastpass.com)\n∙ 1Password (https://1password.com)\n∙ Delinea Secret Server (https://delinea.com)\n∙ ManageEngine Enterprise Password Management (https://manageengine.com)\n∙ Securden (https://securden.com)\n∙ CyberArk (https://cyberark.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-15"
        ],
        "general-iso-27002-2022": [
          "5.17",
          "5.18"
        ],
        "general-iso-27017-2015": [
          "9.2.4",
          "9.4.3"
        ],
        "general-iso-27018-2025": [
          "5.17",
          "5.18"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(18)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(18)"
        ],
        "general-nist-800-171-r3": [
          "03.05.07.a",
          "03.05.07.b",
          "03.05.07.c",
          "03.05.07.d",
          "03.05.07.f"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.07.ODP[01]",
          "A.03.05.07.a[01]",
          "A.03.05.07.a[02]",
          "A.03.05.07.a[03]",
          "A.03.05.07.b"
        ],
        "general-nist-800-172": [
          "3.5.2e"
        ],
        "general-swift-cscf-2025": [
          "5.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.SMANA"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.L"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-6"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-9"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.5 [OP.ACC.5]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2212"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2212"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2212"
        ],
        "apac-nzl-ism-3-9": [
          "14.3.13.C.01",
          "14.3.13.C.02",
          "14.3.13.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.07.A",
          "03.05.07.B",
          "03.05.07.C",
          "03.05.07.D",
          "03.05.07.F"
        ]
      }
    },
    {
      "control_id": "IAC-10.12",
      "title": "Biometric Authentication",
      "family": "IAC",
      "description": "Mechanisms exist to ensure biometric-based authentication satisfies organization-defined biometric quality requirements for false positives and false negatives.",
      "scf_question": "Does the organization ensure biometric-based authentication satisfies organization-defined biometric quality requirements for false positives and false negatives?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure biometric-based authentication satisfies organization-defined biometric quality requirements for false positives and false negatives.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use fingerprint/face recognition on personal devices where available",
        "small": "∙ Biometric authentication policy for approved use cases",
        "medium": "∙ Formal biometric authentication policy\n∙ Approved biometric use cases and controls",
        "large": "∙ Enterprise biometric authentication deployment\n∙ Privacy and data protection controls for biometrics",
        "enterprise": "∙ Enterprise biometric authentication platform\n∙ Privacy-compliant biometric data handling\n∙ Fallback authentication mechanisms\n∙ BIPA/GDPR compliance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "IA-5(12)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(12)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(12)"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.9.2",
          "1.9.3"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-5(CE-12)"
        ]
      }
    },
    {
      "control_id": "IAC-10.13",
      "title": "Events Requiring Authenticator Change",
      "family": "IAC",
      "description": "Mechanisms exist to change authentication credentials:\n(1) At predefined intervals; and/or\n(2) Upon suspicion of credential compromise.",
      "scf_question": "Does the organization change authentication credentials:\n(1) At predefined intervals; and/or\n(2) Upon suspicion of credential compromise?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to change authentication credentials:\n(1) At predefined intervals; and/or\n(2) Upon suspicion of credential compromise.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Change passwords when compromise is suspected",
        "small": "∙ Policy requiring authenticator change upon suspected compromise",
        "medium": "∙ Formal authenticator replacement triggers and procedures",
        "large": "∙ Enterprise process for forced authenticator change on compromise indicators\n∙ Automated triggering from SIEM",
        "enterprise": "∙ Enterprise IAM with automated authenticator reset workflows triggered by security events\n∙ SIEM/SOAR integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "USER 1.12"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.6.2(c)"
        ]
      }
    },
    {
      "control_id": "IAC-10.14",
      "title": "Passkeys",
      "family": "IAC",
      "description": "Mechanisms exist to utilize passkeys, or equivalent cryptographic key pairing technologies, to authenticate users to Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization utilize passkeys, or equivalent cryptographic key pairing technologies, to authenticate users to Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.\n▪ Password managers are not governed.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize passkeys, or equivalent cryptographic key pairing technologies, to authenticate users to Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use passkey if supported by the service",
        "small": "∙ Passkey/FIDO2 adoption policy and roadmap",
        "medium": "∙ Formal passkey implementation plan\n∙ FIDO2/WebAuthn for passwordless authentication",
        "large": "∙ Enterprise passkey deployment for high-assurance applications (FIDO2/WebAuthn)",
        "enterprise": "∙ Enterprise passwordless authentication program (FIDO2/WebAuthn)\n∙ Passkey management platform\n∙ Phishing-resistant MFA for all users"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(1)(B)"
        ]
      }
    },
    {
      "control_id": "IAC-11",
      "title": "Authenticator Feedback",
      "family": "IAC",
      "description": "Mechanisms exist to obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.",
      "scf_question": "Does the organization obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "IA-06"
        ],
        "general-govramp-low": [
          "IA-06"
        ],
        "general-govramp-low-plus": [
          "IA-06"
        ],
        "general-govramp-mod": [
          "IA-06"
        ],
        "general-govramp-high": [
          "IA-06"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.14"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.10"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.10"
        ],
        "general-mitre-att&ck-16-1": [
          "T1021.001",
          "T1021.005",
          "T1530",
          "T1563",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003"
        ],
        "general-nist-800-53-r4": [
          "IA-6"
        ],
        "general-nist-800-53-r5-2": [
          "IA-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-06"
        ],
        "general-nist-800-82-r3": [
          "IA-06"
        ],
        "general-nist-800-82-r3-low": [
          "IA-06"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-06"
        ],
        "general-nist-800-82-r3-high": [
          "IA-06"
        ],
        "general-nist-800-171-r2": [
          "3.5.11"
        ],
        "general-nist-800-171-r3": [
          "03.05.11"
        ],
        "general-nist-800-171a": [
          "3.5.11"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.11"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-6"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.11"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-06"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-6"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-06"
        ],
        "emea-isr-cmo-1-0": [
          "4.36"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2419",
          "2420"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2419",
          "2420"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2419",
          "2420"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2419",
          "2420"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.11"
        ]
      }
    },
    {
      "control_id": "IAC-12",
      "title": "Cryptographic Module Authentication",
      "family": "IAC",
      "description": "Mechanisms exist to ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.",
      "scf_question": "Does the organization ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use strong encryption for authentication systems (HTTPS/TLS)",
        "small": "∙ Cryptographic module standards for authentication systems",
        "medium": "∙ Formal cryptographic authentication policy\n∙ FIPS 140-2 validated modules where required",
        "large": "∙ FIPS 140-2 validated cryptographic modules for authentication",
        "enterprise": "∙ FIPS 140-2/140-3 validated cryptographic modules (e.g., HSM, FIPS-compliant libraries)\n∙ Enterprise crypto standards"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-iot-2": [
          "IAM-22"
        ],
        "general-govramp": [
          "IA-07"
        ],
        "general-govramp-low": [
          "IA-07"
        ],
        "general-govramp-low-plus": [
          "IA-07"
        ],
        "general-govramp-mod": [
          "IA-07"
        ],
        "general-govramp-high": [
          "IA-07"
        ],
        "general-mitre-att&ck-16-1": [
          "T1195.003",
          "T1495",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1553",
          "T1553.006",
          "T1601",
          "T1601.001",
          "T1601.002"
        ],
        "general-nist-800-53-r4": [
          "IA-7"
        ],
        "general-nist-800-53-r5-2": [
          "IA-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-07"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-07"
        ],
        "general-nist-800-82-r3": [
          "IA-07"
        ],
        "general-nist-800-82-r3-low": [
          "IA-07"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-07"
        ],
        "general-nist-800-82-r3-high": [
          "IA-07"
        ],
        "general-pci-dss-4-0-1": [
          "3.6.1.1",
          "3.6.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.6.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.6.1.1",
          "3.6.1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-07"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-7"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-7"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-07"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-07"
        ],
        "emea-isr-cmo-1-0": [
          "4.37"
        ]
      }
    },
    {
      "control_id": "IAC-12.1",
      "title": "Hardware Security Modules (HSM)",
      "family": "IAC",
      "description": "Automated mechanisms exist to utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies.",
      "scf_question": "Does the organization use automated mechanisms to utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ HSM for key protection in high-security authentication systems",
        "large": "∙ HSM deployment for authentication key protection (e.g., Thales Luna, AWS CloudHSM)",
        "enterprise": "∙ Enterprise HSM platform (e.g., Thales Luna, nCipher, AWS CloudHSM)\n∙ PKI integration\n∙ Centralized key management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iec-62443-3-3-2013": [
          "SR 1.5 RE 1",
          "SR 1.9 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.5(1)",
          "CR 1.9(1)",
          "CR 1.14(1)"
        ],
        "apac-nzl-ism-3-9": [
          "17.10.12.C.01",
          "17.10.12.C.02",
          "17.10.12.C.03",
          "17.10.12.C.04"
        ]
      }
    },
    {
      "control_id": "IAC-13",
      "title": "Adaptive Identification & Authentication",
      "family": "IAC",
      "description": "Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations.",
      "scf_question": "Does the organization allow individuals to utilize alternative methods of authentication under specific circumstances or situations?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to allow individuals to utilize alternative methods of authentication under specific circumstances or situations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable risk-based authentication, if supported",
        "small": "∙ Risk-based/adaptive MFA policy\n∙ Step-up authentication for high-risk actions",
        "medium": "∙ Adaptive authentication implementation\n∙ Risk scoring for authentication decisions",
        "large": "∙ Enterprise adaptive IAM platform (e.g., Okta Adaptive MFA, Microsoft Entra)\n∙ Risk-based conditional access",
        "enterprise": "∙ Enterprise adaptive identity platform (e.g., Okta, Microsoft Entra ID)\n∙ Continuous risk assessment\n∙ Machine learning-based risk scoring\n∙ Zero-trust access policies"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6-POF3"
        ],
        "general-nist-800-53-r4": [
          "IA-10"
        ],
        "general-nist-800-53-r5-2": [
          "IA-10"
        ],
        "general-nist-800-82-r3": [
          "IA-10"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IA-10"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.AAUTH",
          "3.PEP.IN.AACON"
        ]
      }
    },
    {
      "control_id": "IAC-13.1",
      "title": "Single Sign-On (SSO) Transparent Authentication",
      "family": "IAC",
      "description": "Mechanisms exist to provide a transparent authentication (e.g., Single Sign-On (SSO)) capability to the organization's Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization provide a Single Sign-On (SSO) capability to its Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide a transparent authentication (e.g., Single Sign-On (SSO)) capability to the organization's Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use SSO to simplify access to multiple systems",
        "small": "∙ SSO solution for key applications (e.g., Google SSO, Microsoft SSO)",
        "medium": "∙ Enterprise SSO implementation (e.g., Okta, Azure AD)\n∙ Transparent authentication",
        "large": "∙ Enterprise SSO platform (e.g., Okta, Microsoft Entra)\n∙ SAML/OIDC federation\n∙ Transparent auth for all apps",
        "enterprise": "∙ Enterprise SSO platform (e.g., Okta, Microsoft Entra ID)\n∙ Universal SSO for all applications\n∙ Federated identity management\n∙ Zero-trust continuous authentication"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "6.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "6.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "6.7"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(10)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(10)"
        ]
      }
    },
    {
      "control_id": "IAC-13.2",
      "title": "Federated Credential Management",
      "family": "IAC",
      "description": "Mechanisms exist to federate credentials to allow cross-organization authentication of individuals and devices.",
      "scf_question": "Does the organization federate credentials to allow cross-organization authentication of individuals and devices?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to federate credentials to allow cross-organization authentication of individuals and devices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "6.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "6.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "6.7"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(09)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(09)"
        ],
        "general-nist-800-161-r1": [
          "IA-5(9)"
        ],
        "general-nist-800-161-r1-level-3": [
          "IA-5(9)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.5",
          "1.5.1",
          "2.1.3",
          "2.1.4"
        ]
      }
    },
    {
      "control_id": "IAC-13.3",
      "title": "Continuous Authentication",
      "family": "IAC",
      "description": "Automated mechanisms exist to enable continuous re-authentication through the lifecycle of entity interactions.",
      "scf_question": "Does the organization use automated mechanisms to enable continuous re-authentication through the lifecycle of entity interactions?",
      "relative_weight": 2,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically enable continuous re-authentication through the lifecycle of entity interactions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable session re-authentication for sensitive actions",
        "small": "∙ Step-up authentication policy for sensitive operations",
        "medium": "∙ Continuous authentication controls for sensitive systems\n∙ Step-up authentication",
        "large": "∙ Enterprise continuous authentication platform\n∙ Behavioral analytics for continuous identity validation",
        "enterprise": "∙ Enterprise continuous authentication platform (e.g., Okta, Microsoft Entra)\n∙ UEBA-based behavioral authentication\n∙ Zero-trust continuous verification"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.CAUTH"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.8",
          "1.8.4"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "1.0"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.7.1"
        ]
      }
    },
    {
      "control_id": "IAC-14",
      "title": "Re-Authentication",
      "family": "IAC",
      "description": "Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication.",
      "scf_question": "Does the organization force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Identity & Access Management (IAM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1556.006",
          "T1556.007"
        ],
        "general-nist-800-53-r4": [
          "IA-11"
        ],
        "general-nist-800-53-r5-2": [
          "IA-11"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-11"
        ],
        "general-nist-800-82-r3": [
          "IA-11"
        ],
        "general-nist-800-82-r3-low": [
          "IA-11"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-11"
        ],
        "general-nist-800-82-r3-high": [
          "IA-11"
        ],
        "general-nist-800-171-r3": [
          "03.05.01.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.05.01.ODP[01]",
          "A.03.05.01.b"
        ],
        "general-owasp-top-10-2025": [
          "A07:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.8"
        ],
        "general-ul-2900-2-2-2016": [
          "8.8"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-11"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-11"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-11"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-11"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-11"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-11"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-11"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-11"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-11"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.01.B"
        ]
      }
    },
    {
      "control_id": "IAC-15",
      "title": "Account Management",
      "family": "IAC",
      "description": "Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.",
      "scf_question": "Does the organization proactively govern account management of individual, group, system, service, application, guest and temporary accounts?",
      "relative_weight": 10,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-IAM-07",
        "E-IAM-08"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-govramp": [
          "AC-02"
        ],
        "general-govramp-core": [
          "AC-02"
        ],
        "general-govramp-low": [
          "AC-02"
        ],
        "general-govramp-low-plus": [
          "AC-02"
        ],
        "general-govramp-mod": [
          "AC-02"
        ],
        "general-govramp-high": [
          "AC-02"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.2",
          "USER 1.3"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.3"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.1"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "5.16",
          "5.18"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "9.2.5",
          "9.2.6"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "5.16",
          "5.18"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1005",
          "T1020.001",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1021.007",
          "T1021.008",
          "T1025",
          "T1036",
          "T1036.003",
          "T1036.005",
          "T1036.010",
          "T1041",
          "T1047",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1053",
          "T1053.002",
          "T1053.003",
          "T1053.005",
          "T1053.006",
          "T1053.007",
          "T1055",
          "T1055.008",
          "T1056.003",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1059.009",
          "T1059.010",
          "T1059.011",
          "T1068",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.003",
          "T1070.007",
          "T1070.008",
          "T1070.009",
          "T1072",
          "T1078",
          "T1078.001",
          "T1078.002",
          "T1078.003",
          "T1078.004",
          "T1087",
          "T1087.004",
          "T1098",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.005",
          "T1098.006",
          "T1098.007",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1134",
          "T1134.001",
          "T1134.002",
          "T1134.003",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1185",
          "T1190",
          "T1195",
          "T1197",
          "T1210",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.003",
          "T1213.004",
          "T1213.005",
          "T1218",
          "T1218.007",
          "T1218.015",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1484",
          "T1485.001",
          "T1489",
          "T1490",
          "T1495",
          "T1496.002",
          "T1505",
          "T1505.002",
          "T1505.003",
          "T1505.005",
          "T1525",
          "T1528",
          "T1530",
          "T1537",
          "T1538",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.005",
          "T1543",
          "T1543.001",
          "T1543.002",
          "T1543.003",
          "T1543.004",
          "T1543.005",
          "T1546",
          "T1546.003",
          "T1547.004",
          "T1547.006",
          "T1547.009",
          "T1547.012",
          "T1547.013",
          "T1548",
          "T1548.002",
          "T1548.003",
          "T1548.005",
          "T1548.006",
          "T1550",
          "T1550.002",
          "T1550.003",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.004",
          "T1552.006",
          "T1552.007",
          "T1553",
          "T1555.005",
          "T1555.006",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004",
          "T1556.005",
          "T1556.006",
          "T1556.007",
          "T1556.009",
          "T1558",
          "T1558.001",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1558.005",
          "T1559",
          "T1559.001",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.004",
          "T1562.006",
          "T1562.007",
          "T1562.008",
          "T1562.009",
          "T1562.012",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1566.003",
          "T1567",
          "T1569",
          "T1569.001",
          "T1569.002",
          "T1574",
          "T1574.004",
          "T1574.005",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.010",
          "T1574.012",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1578.005",
          "T1580",
          "T1585",
          "T1585.001",
          "T1585.002",
          "T1585.003",
          "T1586",
          "T1586.001",
          "T1586.002",
          "T1586.003",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1606",
          "T1606.001",
          "T1606.002",
          "T1609",
          "T1610",
          "T1611",
          "T1612",
          "T1613",
          "T1619",
          "T1621",
          "T1648",
          "T1651",
          "T1654"
        ],
        "general-nist-800-53-r4": [
          "AC-2"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-02"
        ],
        "general-nist-800-66-r2": [
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "AC-02"
        ],
        "general-nist-800-82-r3-low": [
          "AC-02"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02"
        ],
        "general-nist-800-161-r1": [
          "AC-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-2"
        ],
        "general-nist-800-171-r2": [
          "3.1.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.a",
          "03.01.01.b",
          "03.01.01.c.01",
          "03.01.01.c.02",
          "03.01.01.d.01",
          "03.01.01.d.02",
          "03.01.01.e",
          "03.01.01.f.01",
          "03.01.01.f.03",
          "03.01.01.f.04",
          "03.01.01.f.05",
          "03.01.01.g.01",
          "03.01.01.g.02",
          "03.01.01.g.03",
          "03.01.02",
          "03.01.05.b",
          "03.01.05.c",
          "03.01.05.d"
        ],
        "general-nist-800-171a": [
          "3.1.2[a]",
          "3.1.2[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.01.ODP[01]",
          "A.03.01.01.a[01]",
          "A.03.01.01.a[02]",
          "A.03.01.01.c.01",
          "A.03.01.01.e",
          "A.03.01.01.f.01",
          "A.03.01.01.f.02",
          "A.03.01.01.f.03",
          "A.03.01.01.f.04",
          "A.03.01.01.f.05",
          "A.03.01.01.g.01",
          "A.03.01.01.g.02",
          "A.03.01.01.g.03",
          "A.03.05.07.e"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.4",
          "8.3.10",
          "8.6",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.4",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.4",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.4",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.4",
          "8.3.10",
          "8.6.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-2b"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.II"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "AC.L1-B.1.II[a]",
          "AC.L1-B.1.II[b]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.2"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(ii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(a)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(a)(2)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2",
          "AC-2.a",
          "AC-2.b",
          "AC-2.c",
          "AC-2.d",
          "AC-2.e",
          "AC-2.f",
          "AC-2.f.1",
          "AC-2.f.1(i)",
          "AC-2.f.1(ii)",
          "AC-2.f.1(iii)",
          "AC-2.f.2",
          "AC-2.f.3",
          "AC-2.f.3(i)",
          "AC-2.f.3(ii)",
          "AC-2.f.3(iii)",
          "AC-2.g",
          "AC-2-IS.1",
          "AC-2-IS.2",
          "AC-2-IS.4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 5.3"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(1)(a)",
          "17.04(1)(d)",
          "17.04(2)(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-02",
          "IA-02-SID",
          "IA-08-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-02"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(1)(A)(i)",
          "2447(c)(1)(A)(iv)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.2.2(c)",
          "11.5.2(c)"
        ],
        "emea-deu-bsrit-2017": [
          "6.2"
        ],
        "emea-isr-cmo-1-0": [
          "4.3",
          "4.4",
          "4.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-10"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2424"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2424"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2424"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0441",
          "ISM-0443"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S1"
        ],
        "apac-jpn-ismap": [
          "9.2",
          "9.2.1",
          "9.2.1.1",
          "9.2.1.2",
          "9.2.1.3",
          "9.2.1.4",
          "9.2.1.5",
          "9.2.1.6.PB",
          "9.2.4.9.PB"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP38",
          "HML38"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP33",
          "HSUP35"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.A",
          "03.01.01.B",
          "03.01.01.C.01",
          "03.01.01.C.02",
          "03.01.01.D.01",
          "03.01.01.D.02",
          "03.01.01.E",
          "03.01.01.F.01",
          "03.01.01.F.03",
          "03.01.01.F.04",
          "03.01.01.F.05",
          "03.01.01.G.01",
          "03.01.01.G.02",
          "03.01.01.G.03",
          "03.01.02",
          "03.01.05.B",
          "03.01.05.C",
          "03.01.05.D"
        ]
      }
    },
    {
      "control_id": "IAC-15.1",
      "title": "Automated System Account Management (Directory Services)",
      "family": "IAC",
      "description": "Automated mechanisms exist to support the management of system accounts (e.g., directory services).",
      "scf_question": "Does the organization use automated mechanisms to support the management of system accounts?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically support the management of system accounts (e.g., directory services).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "5.0",
          "5.6",
          "6.0"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.6"
        ],
        "general-govramp": [
          "AC-02(01)"
        ],
        "general-govramp-core": [
          "AC-02(01)"
        ],
        "general-govramp-low-plus": [
          "AC-02(01)"
        ],
        "general-govramp-mod": [
          "AC-02(01)"
        ],
        "general-govramp-high": [
          "AC-02(01)"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.3",
          "USER 1.4",
          "USER 1.7",
          "USER 1.8",
          "USER 1.8(a)",
          "USER 1.8(b)",
          "USER 1.8(c)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.3",
          "SR 1.3 RE 1"
        ],
        "general-iso-27002-2022": [
          "5.18"
        ],
        "general-iso-27018-2025": [
          "5.18"
        ],
        "general-nist-800-53-r4": [
          "AC-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-02(01)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02(01)"
        ],
        "general-nist-800-171-r2": [
          "3.1.1",
          "3.5.1",
          "3.5.2"
        ],
        "general-nist-800-171-r3": [
          "03.05.05.b",
          "03.05.05.c",
          "03.05.05.d",
          "03.05.07.c",
          "03.05.07.d",
          "03.05.07.e",
          "03.05.07.f",
          "03.05.12.d",
          "03.05.12.e",
          "03.05.12.f"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3",
          "NIST Tenet 4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.EINVE"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2(1)"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.I",
          "IA.L1-B.1.V",
          "IA.L1-B.1.VI"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.1",
          "IAL2.-3.5.1",
          "IAL2.-3.5.2"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(i)",
          "52.204-21(b)(1)(v)",
          "52.204-21(b)(1)(vi)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2-IS.3",
          "AC-2(1)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2209",
          "2218"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2218"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2218"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2209",
          "2218"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1649"
        ],
        "apac-jpn-ismap": [
          "9.2.2.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.05.B",
          "03.05.05.C",
          "03.05.05.D",
          "03.05.07.C",
          "03.05.07.D",
          "03.05.07.E",
          "03.05.07.F",
          "03.05.12.D",
          "03.05.12.E",
          "03.05.12.F"
        ]
      }
    },
    {
      "control_id": "IAC-15.2",
      "title": "Removal of Temporary / Emergency Accounts",
      "family": "IAC",
      "description": "Automated mechanisms exist to disable or remove temporary and emergency accounts after an organization-defined time period for each type of account.",
      "scf_question": "Does the organization use automated mechanisms to disable or remove temporary and emergency accounts after an organization-defined time period for each type of account?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically disable or remove temporary and emergency accounts after an organization-defined time period for each type of account.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Remove temporary/emergency accounts when no longer needed",
        "small": "∙ Policy requiring prompt removal of temporary/emergency accounts",
        "medium": "∙ Formal temporary account lifecycle policy\n∙ Automated expiry for temporary accounts",
        "large": "∙ Enterprise IAM with automated temporary account expiration",
        "enterprise": "∙ Enterprise IGA platform with automated temporary account lifecycle management\n∙ Just-in-time access provisioning"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-02(02)"
        ],
        "general-govramp-mod": [
          "AC-02(02)"
        ],
        "general-govramp-high": [
          "AC-02(02)"
        ],
        "general-iso-27002-2022": [
          "5.18"
        ],
        "general-iso-27018-2025": [
          "5.18"
        ],
        "general-nist-800-53-r4": [
          "AC-2(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-02(02)"
        ],
        "general-nist-800-66-r2": [
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02(02)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2(2)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(02)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(a)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(a)(2)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2(2)"
        ],
        "emea-deu-c5-2020": [
          "IDM-04",
          "PSS-09"
        ],
        "emea-isr-cmo-1-0": [
          "4.4"
        ]
      }
    },
    {
      "control_id": "IAC-15.3",
      "title": "Disable Inactive Accounts",
      "family": "IAC",
      "description": "Automated mechanisms exist to disable inactive accounts after an organization-defined time period.",
      "scf_question": "Does the organization use automated mechanisms to disable inactive accounts after an organization-defined time period?",
      "relative_weight": 10,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically disable inactive accounts after an organization-defined time period.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Disable accounts after extended inactivity (e.g., 90 days)",
        "small": "∙ Policy for disabling inactive accounts\n∙ Regular review of inactive accounts",
        "medium": "∙ Automated inactive account detection and disabling\n∙ Defined inactivity threshold",
        "large": "∙ Enterprise IAM with automated inactive account detection and disabling",
        "enterprise": "∙ Enterprise IGA platform with automated account dormancy detection and disabling\n∙ SIEM integration for last login tracking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.2-POF2"
        ],
        "general-cis-csc-8-1": [
          "5.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "5.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.3"
        ],
        "general-govramp": [
          "AC-02(03)"
        ],
        "general-govramp-mod": [
          "AC-02(03)"
        ],
        "general-govramp-high": [
          "AC-02(03)"
        ],
        "general-iso-27002-2022": [
          "5.16"
        ],
        "general-iso-27018-2025": [
          "5.16"
        ],
        "general-nist-800-53-r4": [
          "AC-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-02(03)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02(03)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02(03)"
        ],
        "general-nist-800-171-r2": [
          "3.5.6"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.f.02"
        ],
        "general-nist-800-171a": [
          "3.5.6[a]",
          "3.5.6[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.01.f.02"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.6"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2(3)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1j"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IAL2.-3.5.6"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2(CE-3)",
          "AC-2(CE-3).a",
          "AC-2(CE-3).b",
          "AC-2(CE-3).c",
          "AC-2(CE-3).d"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2(3)",
          "AC-2(3).a",
          "AC-2(3).b"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(4)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-02(3)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-02 (03)"
        ],
        "emea-deu-c5-2020": [
          "IDM-03"
        ],
        "emea-isr-cmo-1-0": [
          "4.5"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P4",
          "ML3-P4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1404",
          "ISM-1648"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.F.02"
        ]
      }
    },
    {
      "control_id": "IAC-15.4",
      "title": "Automated Audit Actions",
      "family": "IAC",
      "description": "Automated mechanisms exist to audit account creation, modification, enabling, disabling and removal actions and notify organization-defined personnel or roles.",
      "scf_question": "Does the organization use automated mechanisms to audit account creation, modification, enabling, disabling and removal actions and notify organization-defined personnel or roles?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically audit account creation, modification, enabling, disabling and removal actions and notify organization-defined personnel or roles.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-02(04)"
        ],
        "general-govramp-mod": [
          "AC-02(04)"
        ],
        "general-govramp-high": [
          "AC-02(04)"
        ],
        "general-nist-800-53-r4": [
          "AC-2(4)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-02(04)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02(04)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02(04)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2(4)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2(CE-4)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2(4)"
        ]
      }
    },
    {
      "control_id": "IAC-15.5",
      "title": "Restrictions on Shared Groups / Accounts",
      "family": "IAC",
      "description": "Mechanisms exist to authorize the use of shared/group accounts only under certain organization-defined conditions.",
      "scf_question": "Does the organization authorize the use of shared/group accounts only under certain organization-defined conditions?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-08"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to authorize the use of shared/group accounts only under certain organization-defined conditions.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Avoid shared accounts; use individual accounts where possible",
        "small": "∙ Policy restricting shared account usage\n∙ Individual accountability required",
        "medium": "∙ Formal shared account policy\n∙ Technical controls limiting shared account use",
        "large": "∙ PAM for shared account management with individual accountability (e.g., CyberArk)",
        "enterprise": "∙ Enterprise PAM platform (e.g., CyberArk, BeyondTrust)\n∙ Shared account vaulting with individual checkout\n∙ Full session recording"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-02(09)"
        ],
        "general-govramp-mod": [
          "AC-02(09)"
        ],
        "general-govramp-high": [
          "AC-02(09)"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.12"
        ],
        "general-iso-27002-2022": [
          "5.16"
        ],
        "general-iso-27018-2025": [
          "5.16"
        ],
        "general-nist-800-53-r4": [
          "AC-2(9)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(09)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(09)"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.c.01"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.2"
        ],
        "general-tisax-6-0-3": [
          "4.1.3"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(09)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(09)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2(CE-9)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 5.3"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.4",
          "III.C.4.a",
          "III.C.4.b"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-02 (09)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.5.3"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.33.C.01",
          "16.1.33.C.02",
          "16.1.34.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.C.01"
        ]
      }
    },
    {
      "control_id": "IAC-15.6",
      "title": "Account Disabling for High Risk Individuals",
      "family": "IAC",
      "description": "Mechanisms exist to disable accounts immediately upon notification for users posing a significant risk to the organization.",
      "scf_question": "Does the organization disable accounts immediately upon notification for users posing a significant risk to the organization?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to disable accounts immediately upon notification for users posing a significant risk to the organization.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Disable accounts of users identified as high-risk immediately",
        "small": "∙ Procedure for immediate account disabling for high-risk individuals",
        "medium": "∙ Formal high-risk account disabling procedure\n∙ Security team notification protocol",
        "large": "∙ Enterprise IAM with ability to immediately disable accounts for high-risk individuals\n∙ SIEM/HR integration",
        "enterprise": "∙ Enterprise IAM/IGA with automated account disabling triggered by HR events or security alerts\n∙ SOAR integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-07"
        ],
        "general-govramp": [
          "AC-02(13)"
        ],
        "general-govramp-high": [
          "AC-02(13)"
        ],
        "general-nist-800-53-r4": [
          "AC-2(13)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(13)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-02(13)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-02(13)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(13)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02(13)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02(13)"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.f.04",
          "03.01.01.f.05"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2(13)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-02(13)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(13)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(13)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-02(13)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2(CE-13)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1591"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.F.04",
          "03.01.01.F.05"
        ]
      }
    },
    {
      "control_id": "IAC-15.7",
      "title": "System Account Reviews",
      "family": "IAC",
      "description": "Mechanisms exist to review all system accounts and disable any account that cannot be associated with a business process and owner.",
      "scf_question": "Does the organization review all system accounts and disable any account that cannot be associated with a business process and owner?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-07"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM proactively governs account management of individual, group, system, application, guest and temporary accounts.\n▪ IAM inventories all privileged accounts and validates that each person with elevated privileges is authorized by the appropriate level of organizational management.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to review all system accounts and disable any account that cannot be associated with a business process and owner.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Periodic review of user accounts and access rights",
        "small": "∙ Annual user account review\n∙ Remove unused accounts and excess access",
        "medium": "∙ Formal periodic account review process\n∙ Quarterly access reviews",
        "large": "∙ Enterprise access certification program\n∙ Automated access review campaigns",
        "enterprise": "∙ Enterprise IGA platform (e.g., SailPoint, Saviynt)\n∙ Automated access certification campaigns\n∙ Manager-driven access reviews\n∙ Role mining and optimization"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.2-POF2",
          "CC6.2-POF3"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.e",
          "03.01.05.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.01.a[01]",
          "A.03.01.01.a[02]",
          "A.03.01.01.b[01]",
          "A.03.01.01.b[02]",
          "A.03.01.01.b[03]",
          "A.03.01.01.b[04]",
          "A.03.01.01.b[05]",
          "A.03.01.01.c.01"
        ],
        "general-pci-dss-4-0-1": [
          "8.6",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.6.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "AM:SG1.SP2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(4)"
        ],
        "emea-deu-bsrit-2017": [
          "6.2"
        ],
        "emea-sau-cgiot-2024": [
          "1-8-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.E",
          "03.01.05.C"
        ]
      }
    },
    {
      "control_id": "IAC-15.8",
      "title": "Usage Conditions",
      "family": "IAC",
      "description": "Automated mechanisms exist to enforce usage conditions for users and/or roles.",
      "scf_question": "Does the organization use automated mechanisms to enforce usage conditions for users and/or roles?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically enforce usage conditions for users and/or roles.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-02(11)"
        ],
        "general-govramp-high": [
          "AC-02(11)"
        ],
        "general-nist-800-53-r4": [
          "AC-2(11)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(11)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AC-02(11)"
        ],
        "general-nist-800-82-r3": [
          "AC-02(11)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02(11)"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "2.0"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(11)"
        ]
      }
    },
    {
      "control_id": "IAC-15.9",
      "title": "Emergency Accounts",
      "family": "IAC",
      "description": "Mechanisms exist to establish and control \"emergency access only\" accounts.",
      "scf_question": "Does the organization establish and control \"emergency access only\" accounts?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish and control \"emergency access only\" accounts.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Maintain emergency break-glass account with controlled access",
        "small": "∙ Emergency account policy\n∙ Secure storage of break-glass credentials",
        "medium": "∙ Formal emergency account procedure\n∙ Secure credential storage\n∙ Usage logging",
        "large": "∙ Enterprise emergency account management\n∙ PAM-vaulted break-glass credentials\n∙ Audit trail for emergency access",
        "enterprise": "∙ Enterprise PAM with emergency access workflow (e.g., CyberArk)\n∙ Break-glass procedure\n∙ Dual control for emergency credential release\n∙ Automated alerting on emergency account use"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC8.1-POF13"
        ],
        "general-nist-800-66-r2": [
          "164.312(a)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(a)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(a)(2)(ii)"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P4",
          "ML3-P4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1610",
          "ISM-1611",
          "ISM-1612",
          "ISM-1613",
          "ISM-1614",
          "ISM-1615"
        ]
      }
    },
    {
      "control_id": "IAC-16",
      "title": "Privileged Account Management (PAM)",
      "family": "IAC",
      "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 10,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-IAM-03"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM restricts the assignment of privileged accounts to entity-defined personnel and/or roles (privilege assignment requires management approval).\n▪ LAC and RBAC enforcements limit the ability of non-administrators to make unauthorized configuration changes to TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Strong password policy\n∙ MFA for key accounts",
        "small": "∙ Password manager\n∙ MFA on all accounts\n∙ Identity policy",
        "medium": "∙ ManageEngine Enterprise Password Management (https://manageengine.com)\n∙ Securden (https://securden.com)\n∙ CyberArk (https://cyberark.com)",
        "large": "∙ ManageEngine Enterprise Password Management (https://manageengine.com)\n∙ Securden (https://securden.com)\n∙ CyberArk (https://cyberark.com)",
        "enterprise": "∙ ManageEngine Enterprise Password Management (https://manageengine.com)\n∙ Securden (https://securden.com)\n∙ CyberArk (https://cyberark.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-cis-csc-8-1": [
          "2.7",
          "5.1",
          "5.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "5.1",
          "5.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.1",
          "5.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.7",
          "5.1",
          "5.4"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-09",
          "IAM-10",
          "IAM-11"
        ],
        "general-csa-iot-2": [
          "IAM-02",
          "IAM-04"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "5.18",
          "8.2"
        ],
        "general-iso-27017-2015": [
          "9.1.1"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "5.18"
        ],
        "general-nist-800-171-r2": [
          "3.1.5"
        ],
        "general-nist-800-171-r3": [
          "03.01.06.a",
          "03.01.07.a",
          "03.01.07.b"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.3",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.3",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.3",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.3",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.3",
          "7.2.5"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-swift-cscf-2025": [
          "1.2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.E"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1g",
          "ACCESS-1h",
          "ACCESS-2b"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.5"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.2.1",
          "1.2.2",
          "1.4",
          "1.4.1",
          "1.4.2",
          "1.4.3",
          "1.4.4"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "2.3",
          "2.4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(B)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(1)",
          "500.7(a)(3)",
          "500.7(c)(1)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.6.2(f)"
        ],
        "emea-deu-c5-2020": [
          "IDM-06"
        ],
        "emea-isr-cmo-1-0": [
          "4.2"
        ],
        "emea-sau-cgiot-2024": [
          "2-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-2-3-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-34"
        ],
        "emea-gbr-caf-4-0": [
          "B2.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2424"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2424"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2424"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P4",
          "ML2-P4",
          "ML3-P4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0445",
          "ISM-0446",
          "ISM-0447",
          "ISM-1175",
          "ISM-1380",
          "ISM-1507",
          "ISM-1508",
          "ISM-1509",
          "ISM-1620",
          "ISM-1648",
          "ISM-1649",
          "ISM-1650",
          "ISM-1687",
          "ISM-1688",
          "ISM-1689"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S11"
        ],
        "apac-jpn-ismap": [
          "9.2.3",
          "9.2.3.2",
          "9.2.3.3",
          "9.2.3.4",
          "9.2.3.5",
          "9.2.3.6",
          "9.2.3.7",
          "9.2.3.8",
          "9.2.3.9",
          "9.2.3.10"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP41",
          "HML41"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP36"
        ],
        "apac-nzl-ism-3-9": [
          "16.3.5.C.01",
          "16.3.5.C.02",
          "16.3.6.C.01",
          "16.3.6.C.02",
          "16.3.7.C.01",
          "16.4.30.C.01",
          "16.4.30.C.02",
          "16.4.30.C.03",
          "16.4.31.C.01",
          "16.4.31.C.02",
          "16.4.32.C.01",
          "16.4.32.C.02",
          "16.4.33.C.01",
          "16.4.34.C.01",
          "16.4.35.C.01",
          "16.4.35.C.02",
          "16.4.35.C.03",
          "16.4.36.C.01",
          "16.4.37.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.1"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.2.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.23",
          "4.24"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.06.A",
          "03.01.07.A",
          "03.01.07.B"
        ]
      }
    },
    {
      "control_id": "IAC-16.1",
      "title": "Privileged Account Inventories",
      "family": "IAC",
      "description": "Mechanisms exist to inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management.",
      "scf_question": "Does the organization inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-03"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "5.1",
          "5.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "5.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.1",
          "5.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.1",
          "5.5"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-03",
          "IAM-10",
          "IAM-11"
        ],
        "general-iso-27002-2022": [
          "5.18",
          "8.2"
        ],
        "general-iso-27017-2015": [
          "9.2.3"
        ],
        "general-iso-27018-2025": [
          "5.18",
          "8.2"
        ],
        "general-nist-800-171-r2": [
          "3.1.5"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.EINVE"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.5"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(4)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-34"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2424"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2424"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2424"
        ],
        "apac-nzl-ism-3-9": [
          "16.4.34.C.01"
        ]
      }
    },
    {
      "control_id": "IAC-16.2",
      "title": "Privileged Account Separation",
      "family": "IAC",
      "description": "Mechanisms exist to separate privileged accounts between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments.",
      "scf_question": "Does the organization separate privileged accounts between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to separate privileged accounts between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use separate accounts for admin vs. regular daily tasks",
        "small": "∙ Separate privileged and standard accounts for all administrators",
        "medium": "∙ Formal privileged account separation policy\n∙ Dedicated admin accounts",
        "large": "∙ Enterprise privileged account management with dedicated admin accounts (e.g., CyberArk)",
        "enterprise": "∙ Enterprise PAM platform (e.g., CyberArk, BeyondTrust)\n∙ Dedicated privileged accounts\n∙ Separation of duties enforcement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "apac-nzl-ism-3-9": [
          "23.3.18.C.01"
        ]
      }
    },
    {
      "control_id": "IAC-16.3",
      "title": "Privileged Command Execution",
      "family": "IAC",
      "description": "Mechanisms exist to ensure privilege change requests require additional levels of authentication.",
      "scf_question": "Does the organization ensure privilege change requests require additional levels of authentication?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure privilege change requests require additional levels of authentication.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Limit privileged commands to authorized admin accounts only",
        "small": "∙ Policy restricting privileged command execution to authorized accounts",
        "medium": "∙ Formal privileged command control policy\n∙ Technical enforcement via sudo/RBAC",
        "large": "∙ Enterprise PAM with privileged command controls\n∙ Command-level authorization",
        "enterprise": "∙ Enterprise PAM platform with command-level controls and auditing (e.g., CyberArk)\n∙ Just enough access (JEA)\n∙ Full session recording"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.8.3"
        ]
      }
    },
    {
      "control_id": "IAC-16.4",
      "title": "Dedicated Privileged Account",
      "family": "IAC",
      "description": "Mechanisms exist to assign dedicated privileged user accounts to be used solely for duties requiring privileged access.",
      "scf_question": "Does the organization assign dedicated privileged user accounts to be used solely for duties requiring privileged access?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assign dedicated privileged user accounts to be used solely for duties requiring privileged access.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use separate dedicated admin account for privileged tasks",
        "small": "∙ Dedicated privileged account policy\n∙ No daily use of admin accounts",
        "medium": "∙ Formal dedicated privileged account policy\n∙ Separate admin credentials from daily-use accounts",
        "large": "∙ Enterprise PAM with dedicated privileged accounts (e.g., CyberArk, BeyondTrust)",
        "enterprise": "∙ Enterprise PAM platform with dedicated privileged accounts\n∙ Privileged access workstations (PAW)\n∙ Just-in-time access"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "apac-aus-essential-8-2024": [
          "ML1-P4",
          "ML2-P4",
          "ML3-P4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0445"
        ]
      }
    },
    {
      "control_id": "IAC-16.5",
      "title": "Manual Override",
      "family": "IAC",
      "description": "Mechanisms exist to enable a manual override of the current account privileges to enable the timely response to unusual conditions without terminating the current session and establishing a new session as a higher-privileged user.",
      "scf_question": "Does the organization enable a manual override of the current account privileges to enable the timely response to unusual conditions without terminating the current session and establishing a new session as a higher-privileged user?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enable a manual override of the current account privileges to enable the timely response to unusual conditions without terminating the current session and establishing a new session as a higher-privileged user.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document manual override procedures for automated systems",
        "small": "∙ Manual override policy and procedure for automated access controls",
        "medium": "∙ Formal manual override process with approval and audit trail",
        "large": "∙ Enterprise manual override process with dual authorization and logging",
        "enterprise": "∙ Enterprise PAM with manual override workflows\n∙ Dual control for override access\n∙ Automated audit trail for all overrides"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-BC-4",
        "R-EX-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-14"
      ],
      "errata": "- new control (IEC 62443-4-2)",
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iec-62443-3-3-2013": [
          "SR 2.1 RE 3"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.1(3)"
        ]
      }
    },
    {
      "control_id": "IAC-17",
      "title": "Periodic Review of Account Privileges",
      "family": "IAC",
      "description": "Mechanisms exist to periodically-review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
      "scf_question": "Does the organization periodically-review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-12",
        "E-HRS-14",
        "E-IAM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM inventories all privileged accounts and validates that each person with elevated privileges is authorized by the appropriate level of organizational management.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically-review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Annual review of user access rights",
        "small": "∙ Periodic (at least annual) review of all user account privileges",
        "medium": "∙ Formal quarterly/annual account privilege review process",
        "large": "∙ Enterprise access certification program with automated review campaigns",
        "enterprise": "∙ Enterprise IGA platform (e.g., SailPoint, Saviynt, IBM Security Verify)\n∙ Automated access certification\n∙ Continuous access review"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.2",
          "CC6.2-POF2",
          "CC6.2-POF3",
          "CC6.3-POF4"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-08",
          "IAM-09",
          "IAM-10",
          "IAM-11"
        ],
        "general-csa-iot-2": [
          "IAM-02"
        ],
        "general-govramp": [
          "AC-06(07)"
        ],
        "general-govramp-high": [
          "AC-06(07)"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "5.18",
          "8.2"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "9.2.3",
          "9.2.5",
          "9.2.6"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "5.18",
          "8.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.7"
        ],
        "general-nist-800-53-r4": [
          "AC-6(7)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-06(07)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-06(07)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)"
        ],
        "general-nist-800-82-r3": [
          "AC-06(07)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-06(07)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-06(07)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06(07)"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.g.03",
          "03.01.05.c",
          "03.01.05.d",
          "03.10.01.c",
          "03.10.01.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.05.ODP[03]",
          "A.03.01.05.c",
          "A.03.01.05.d"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.4",
          "7.2.5.1",
          "A3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.4",
          "7.2.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.4",
          "7.2.5.1"
        ],
        "general-tisax-6-0-3": [
          "4.2.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "AM:SG1.SP3",
          "AM:SG1.SP4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-6(7)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1e",
          "ACCESS-2b",
          "ACCESS-2h"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.7.1"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(g)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-06(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-06(07)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(B)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(B)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-6(CE-7)",
          "AC-6(CE-7).a",
          "AC-6(CE-7).b"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 4.3",
          "CIP-004-7 6.2",
          "CIP-004-7 6.2.1",
          "CIP-004-7 6.2.2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-06 (07)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.2.3",
          "11.3.3",
          "11.5.4"
        ],
        "emea-deu-bsrit-2017": [
          "6.2"
        ],
        "emea-deu-c5-2020": [
          "IDM-05"
        ],
        "emea-isr-cmo-1-0": [
          "4.3"
        ],
        "emea-sau-cgiot-2024": [
          "1-8-2",
          "2-2-3"
        ],
        "emea-sau-ecc-1-2018": [
          "1-9-5",
          "2-2-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-10"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-33",
          "TPC-34"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0405",
          "ISM-1647",
          "ISM-1648",
          "ISM-1716"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S5"
        ],
        "apac-jpn-ismap": [
          "9.2.2.7",
          "9.2.5",
          "9.2.5.1",
          "9.2.5.2",
          "9.2.5.3",
          "9.2.5.4",
          "9.2.5.5",
          "9.2.5.6"
        ],
        "apac-nzl-ism-3-9": [
          "16.4.35.C.01",
          "16.4.35.C.02",
          "16.4.35.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.1.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.G.03",
          "03.01.05.C",
          "03.01.05.D",
          "03.10.01.C",
          "03.10.01.D"
        ]
      }
    },
    {
      "control_id": "IAC-18",
      "title": "User Responsibilities for Account Management",
      "family": "IAC",
      "description": "Mechanisms exist to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.).",
      "scf_question": "Does the organization compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Educate users about their responsibility for account security",
        "small": "∙ User acceptable use policy covering account responsibilities",
        "medium": "∙ Formal user account responsibility policy\n∙ Annual user acknowledgment",
        "large": "∙ Enterprise acceptable use policy program\n∙ User training on account responsibilities",
        "enterprise": "∙ Enterprise security awareness program\n∙ User account responsibility training\n∙ Automated acknowledgment tracking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iso-27002-2022": [
          "5.17"
        ],
        "general-iso-27017-2015": [
          "9.2.4",
          "9.3.1"
        ],
        "general-iso-27018-2025": [
          "5.17"
        ],
        "general-nist-800-53-r4": [
          "IA-5(6)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-05(06)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-05(06)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-05(06)"
        ],
        "general-nist-800-82-r3": [
          "IA-05(06)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-05(06)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-05(06)"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.11"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.11"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-5(6)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-05(06)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-05(06)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-05(06)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-05(06)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-5(CE-6)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-05 (06)"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0421",
          "ISM-0422"
        ],
        "apac-nzl-ism-3-9": [
          "16.4.37.C.01"
        ]
      }
    },
    {
      "control_id": "IAC-19",
      "title": "Credential Sharing",
      "family": "IAC",
      "description": "Mechanisms exist to prevent the sharing of generic IDs, passwords or other generic authentication methods.",
      "scf_question": "Does the organization prevent the sharing of generic IDs, passwords or other generic authentication methods?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent the sharing of generic IDs, passwords or other generic authentication methods.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Policy prohibiting sharing of credentials",
        "small": "∙ Credential sharing prohibition policy\n∙ User training",
        "medium": "∙ Formal credential sharing prohibition policy\n∙ Technical controls where possible",
        "large": "∙ Enterprise policy and technical controls prohibiting credential sharing\n∙ PAM for shared account management",
        "enterprise": "∙ Enterprise IAM/PAM with technical enforcement against credential sharing\n∙ Shared account vaulting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iso-27002-2022": [
          "5.18"
        ],
        "general-iso-27018-2025": [
          "5.18"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.2",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.2",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.2",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.2",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.2",
          "8.6.1"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.4",
          "III.C.4.a",
          "III.C.4.b"
        ]
      }
    },
    {
      "control_id": "IAC-20",
      "title": "Access Enforcement",
      "family": "IAC",
      "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
      "scf_question": "Does the organization enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege?\"",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-cobit-2019": [
          "DSS05.04"
        ],
        "general-govramp": [
          "AC-03",
          "AC-06"
        ],
        "general-govramp-core": [
          "AC-06"
        ],
        "general-govramp-low": [
          "AC-03"
        ],
        "general-govramp-low-plus": [
          "AC-03",
          "AC-06"
        ],
        "general-govramp-mod": [
          "AC-03",
          "AC-06"
        ],
        "general-govramp-high": [
          "AC-03",
          "AC-06"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 2.1"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.1",
          "SR 2.1 RE 1"
        ],
        "general-iso-27002-2022": [
          "5.18"
        ],
        "general-iso-27017-2015": [
          "9.2.6"
        ],
        "general-iso-27018-2025": [
          "5.18"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1005",
          "T1020.001",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1021.007",
          "T1021.008",
          "T1025",
          "T1027",
          "T1036",
          "T1036.003",
          "T1036.005",
          "T1036.010",
          "T1037",
          "T1037.002",
          "T1037.003",
          "T1037.004",
          "T1037.005",
          "T1041",
          "T1047",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1053",
          "T1053.002",
          "T1053.003",
          "T1053.005",
          "T1053.006",
          "T1053.007",
          "T1055",
          "T1055.008",
          "T1055.009",
          "T1056.003",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1059.009",
          "T1059.010",
          "T1059.011",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.003",
          "T1070.007",
          "T1070.008",
          "T1070.009",
          "T1071.004",
          "T1072",
          "T1078",
          "T1078.002",
          "T1078.003",
          "T1078.004",
          "T1080",
          "T1087.004",
          "T1090",
          "T1090.003",
          "T1091",
          "T1095",
          "T1098",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.004",
          "T1098.005",
          "T1098.006",
          "T1098.007",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1114",
          "T1114.002",
          "T1133",
          "T1134",
          "T1134.001",
          "T1134.002",
          "T1134.003",
          "T1134.005",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1185",
          "T1187",
          "T1190",
          "T1195",
          "T1197",
          "T1199",
          "T1200",
          "T1205",
          "T1205.001",
          "T1210",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.003",
          "T1213.004",
          "T1213.005",
          "T1218",
          "T1218.002",
          "T1218.007",
          "T1218.012",
          "T1219",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1484",
          "T1485",
          "T1485.001",
          "T1486",
          "T1489",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1495",
          "T1498",
          "T1498.001",
          "T1498.002",
          "T1499",
          "T1499.001",
          "T1499.002",
          "T1499.003",
          "T1499.004",
          "T1505",
          "T1505.002",
          "T1505.003",
          "T1505.004",
          "T1505.005",
          "T1525",
          "T1528",
          "T1530",
          "T1537",
          "T1538",
          "T1539",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1543.001",
          "T1543.002",
          "T1543.003",
          "T1543.004",
          "T1543.005",
          "T1546",
          "T1546.003",
          "T1546.004",
          "T1546.013",
          "T1547.003",
          "T1547.004",
          "T1547.006",
          "T1547.007",
          "T1547.009",
          "T1547.012",
          "T1547.013",
          "T1548",
          "T1548.002",
          "T1548.003",
          "T1548.005",
          "T1548.006",
          "T1550",
          "T1550.002",
          "T1550.003",
          "T1552",
          "T1552.002",
          "T1552.005",
          "T1552.007",
          "T1553",
          "T1553.003",
          "T1555",
          "T1555.002",
          "T1555.005",
          "T1555.006",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004",
          "T1556.006",
          "T1556.007",
          "T1556.008",
          "T1556.009",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1557.004",
          "T1558",
          "T1558.001",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1558.005",
          "T1559",
          "T1559.001",
          "T1561",
          "T1561.001",
          "T1561.002",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.004",
          "T1562.006",
          "T1562.007",
          "T1562.008",
          "T1562.009",
          "T1562.012",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1564.004",
          "T1565",
          "T1565.001",
          "T1565.003",
          "T1567",
          "T1569",
          "T1569.001",
          "T1569.002",
          "T1570",
          "T1572",
          "T1574",
          "T1574.004",
          "T1574.005",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.010",
          "T1574.012",
          "T1574.014",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1578.005",
          "T1580",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1606",
          "T1606.001",
          "T1606.002",
          "T1609",
          "T1610",
          "T1611",
          "T1612",
          "T1613",
          "T1619",
          "T1622",
          "T1647",
          "T1648",
          "T1651",
          "T1654"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.7"
        ],
        "general-nist-800-53-r4": [
          "AC-3",
          "AC-6"
        ],
        "general-nist-800-53-r5-2": [
          "AC-03",
          "AC-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-03",
          "AC-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-03"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-06"
        ],
        "general-nist-800-82-r3": [
          "AC-03",
          "AC-06"
        ],
        "general-nist-800-82-r3-low": [
          "AC-03"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-03",
          "AC-06"
        ],
        "general-nist-800-82-r3-high": [
          "AC-03",
          "AC-06"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06"
        ],
        "general-nist-800-161-r1": [
          "AC-3",
          "AC-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-3"
        ],
        "general-nist-800-171-r2": [
          "3.1.1"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.c.03",
          "03.01.01.d.01",
          "03.01.01.d.02",
          "03.01.02",
          "03.01.03",
          "03.01.04.b",
          "03.01.05.a",
          "03.01.05.b",
          "03.01.06.a",
          "03.09.02.b.02"
        ],
        "general-nist-800-171a": [
          "3.1.1[a]",
          "3.1.1[b]",
          "3.1.1[c]",
          "3.1.1[d]",
          "3.1.1[e]",
          "3.1.1[f]"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.1",
          "7.2.2",
          "7.2.5",
          "7.2.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.2",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.2",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.1",
          "7.2.2",
          "7.2.5",
          "7.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.1",
          "7.2.2",
          "7.2.5",
          "7.2.6"
        ],
        "general-swift-cscf-2025": [
          "2.10",
          "5.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-3",
          "AC-6"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-2d"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.I"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "AC.L1-B.1.I[a]",
          "AC.L1-B.1.I[b]",
          "AC.L1-B.1.I[c]",
          "AC.L1-B.1.I[d]",
          "AC.L1-B.1.I[e]",
          "AC.L1-B.1.I[f]",
          "IA.L1-B.1.V[b]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AC.L2-3.1.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(i)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(d)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-03",
          "AC-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-03",
          "AC-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-03",
          "AC-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-03",
          "AC-06"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(2)(iii)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(1)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-3",
          "AC-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-3",
          "AC-6"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-03",
          "AC-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-03",
          "AC-06"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S15"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP10",
          "HHSP40",
          "HML10",
          "HML40"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS07"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP09"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.C.03",
          "03.01.01.D.01",
          "03.01.01.D.02",
          "03.01.02",
          "03.01.03",
          "03.01.04.B",
          "03.01.05.A",
          "03.01.05.B",
          "03.01.06.A",
          "03.09.02.B.02"
        ]
      }
    },
    {
      "control_id": "IAC-20.1",
      "title": "Access To Sensitive / Regulated Data",
      "family": "IAC",
      "description": "Mechanisms exist to limit access to sensitive/regulated data to only those individuals whose job requires such access.",
      "scf_question": "Does the organization limit access to sensitive/regulated data to only those individuals whose job requires such access?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit access to sensitive/regulated data to only those individuals whose job requires such access.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF12",
          "CC6.1-POF13"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-17"
        ],
        "general-iso-27002-2022": [
          "5.18"
        ],
        "general-iso-27018-2025": [
          "5.18"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.c.03",
          "03.01.01.d.01",
          "03.01.01.d.02",
          "03.01.02",
          "03.01.03",
          "03.01.04.b",
          "03.01.05.a",
          "03.06.05.d",
          "03.10.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.05.b[01]",
          "A.03.01.05.b[02]",
          "A.03.06.05.d"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.1",
          "7.2.2",
          "7.2.5",
          "7.2.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.2",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.2",
          "7.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.1",
          "7.2.2",
          "7.2.5",
          "7.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.1",
          "7.2.2",
          "7.2.5",
          "7.2.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.C.03",
          "03.01.01.D.01",
          "03.01.01.D.02",
          "03.01.02",
          "03.01.03",
          "03.01.04.B",
          "03.01.05.A",
          "03.06.05.D",
          "03.10.01.A"
        ]
      }
    },
    {
      "control_id": "IAC-20.2",
      "title": "Database Access",
      "family": "IAC",
      "description": "Mechanisms exist to restrict access to databases containing sensitive/regulated data to only necessary Technology Assets, Applications and/or Services (TAAS) or those individuals whose job requires such access.",
      "scf_question": "Does the organization restrict access to databases containing sensitive/regulated data to only necessary Technology Assets, Applications and/or Services (TAAS) or those individuals whose job requires such access?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict access to databases containing sensitive/regulated data to only necessary Technology Assets, Applications and/or Services (TAAS) or those individuals whose job requires such access.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Restrict database access to only authorized personnel",
        "small": "∙ Database access control policy\n∙ Named accounts for database access",
        "medium": "∙ Formal database access control policy\n∙ Least-privilege database accounts",
        "large": "∙ Enterprise database access control (e.g., Oracle DB Security, SQL Server RBAC)\n∙ PAM for DBA accounts",
        "enterprise": "∙ Enterprise database security platform (e.g., Imperva Data Security, IBM Guardium)\n∙ PAM for database access\n∙ Database activity monitoring (DAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iso-27002-2022": [
          "5.18"
        ],
        "general-iso-27018-2025": [
          "5.18"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-8"
        ]
      }
    },
    {
      "control_id": "IAC-20.3",
      "title": "Use of Privileged Utility Programs",
      "family": "IAC",
      "description": "Mechanisms exist to restrict and tightly control utility programs that are capable of overriding system and application controls.",
      "scf_question": "Does the organization restrict and tightly control utility programs that are capable of overriding system and application controls?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict and tightly control utility programs that are capable of overriding system and application controls.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-iot-2": [
          "IAM-04"
        ],
        "general-iso-27002-2022": [
          "5.18",
          "8.18"
        ],
        "general-iso-27017-2015": [
          "9.4.4"
        ],
        "general-iso-27018-2025": [
          "5.18",
          "8.18"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.6",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.6.1"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(5)"
        ],
        "emea-deu-c5-2020": [
          "IDM-06"
        ],
        "apac-jpn-ismap": [
          "9.4.4",
          "9.4.4.1",
          "9.4.4.2",
          "9.4.4.3",
          "9.4.4.4",
          "9.4.4.5",
          "9.4.4.6",
          "9.4.4.7",
          "9.4.4.8",
          "9.4.4.9",
          "9.4.4.10.P",
          "9.4.4.11.P"
        ]
      }
    },
    {
      "control_id": "IAC-20.4",
      "title": "Dedicated Administrative Machines",
      "family": "IAC",
      "description": "Mechanisms exist to restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine.",
      "scf_question": "Does the organization restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use a dedicated computer for sensitive admin tasks",
        "small": "∙ Policy recommending dedicated machines for administrative access",
        "medium": "∙ Formal privileged access workstation (PAW) policy\n∙ Dedicated admin endpoints",
        "large": "∙ Enterprise PAW deployment for privileged users\n∙ Hardened admin workstations",
        "enterprise": "∙ Enterprise PAW program with hardened, managed workstations\n∙ No internet access from PAWs\n∙ Strict application whitelisting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "12.8"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.8"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0"
        ],
        "general-swift-cscf-2025": [
          "1.5",
          "2.6"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(e)",
          "11.3.2(d)",
          "11.4.2(a)"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-7"
        ],
        "apac-aus-essential-8-2024": [
          "ML3-P4"
        ]
      }
    },
    {
      "control_id": "IAC-20.5",
      "title": "Dual Authorization for Privileged Commands",
      "family": "IAC",
      "description": "Automated mechanisms exist to enforce dual authorization for privileged commands.",
      "scf_question": "Does the organization use automated mechanisms to enforce dual authorization for privileged commands?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically enforce dual authorization for privileged commands.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Require manager approval before executing critical privileged commands",
        "small": "∙ Dual authorization policy for high-risk privileged commands",
        "medium": "∙ Formal dual authorization process for privileged commands\n∙ Approval workflow",
        "large": "∙ Enterprise PAM with dual-authorization workflow for privileged commands",
        "enterprise": "∙ Enterprise PAM platform with two-person integrity (2PI) for critical commands (e.g., CyberArk)\n∙ Automated approval workflow"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "USER 2.3",
          "USER 2.4"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.1 RE 4"
        ],
        "general-nist-800-53-r4": [
          "AC-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-03(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-03(02)"
        ],
        "general-nist-800-82-r3": [
          "AC-03(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-03(02)"
        ],
        "general-nist-800-172": [
          "3.1.1e"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-03(02)"
        ]
      }
    },
    {
      "control_id": "IAC-20.6",
      "title": "Revocation of Access Authorizations",
      "family": "IAC",
      "description": "Mechanisms exist to revoke logical and physical access authorizations.",
      "scf_question": "Does the organization revoke logical and physical access authorizations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM revokes user access rights in a timely manner, upon termination of employment or contract.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to revoke logical and physical access authorizations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Revoke access authorizations promptly when no longer needed",
        "small": "∙ Access revocation procedure\n∙ Prompt removal when authorization changes",
        "medium": "∙ Formal access revocation policy\n∙ Timely removal of authorizations",
        "large": "∙ Enterprise IAM with automated access revocation workflows",
        "enterprise": "∙ Enterprise IGA platform with automated access revocation\n∙ Event-driven revocation (HR termination, role change)\n∙ Access certification for ongoing validation"
      },
      "risks": [
        "R-AC-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-03(08)"
        ],
        "general-nist-800-82-r3": [
          "AC-03(08)"
        ],
        "general-nist-800-161-r1": [
          "AC-3(8)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-3(8)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-3(8)"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.5"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 R5",
          "CIP-004-7 5.1",
          "CIP-004-7 5.2",
          "CIP-004-7 5.3",
          "CIP-013-2 1.2.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.2.2(a)",
          "11.2.2(b)"
        ],
        "apac-jpn-ismap": [
          "9.2.6.1"
        ]
      }
    },
    {
      "control_id": "IAC-20.7",
      "title": "Authorized System Accounts",
      "family": "IAC",
      "description": "Mechanisms exist to define and document the types of accounts allowed and prohibited on Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization define and document the types of accounts allowed and prohibited on Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define and document the types of accounts allowed and prohibited on Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {}
    },
    {
      "control_id": "IAC-21",
      "title": "Least Privilege",
      "family": "IAC",
      "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
      "scf_question": "Does the organization utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-02",
        "E-IAM-05",
        "E-IAM-06"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)",
        "small": "∙ Role Based Access Control (RBAC)",
        "medium": "∙ Role Based Access Control (RBAC)",
        "large": "∙ Role Based Access Control (RBAC)",
        "enterprise": "∙ Role Based Access Control (RBAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.2-POF3",
          "CC6.1",
          "CC6.1-POF7",
          "CC6.1-POF12",
          "CC6.1-POF13"
        ],
        "general-cis-csc-8-1": [
          "5.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "5.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.4"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-05",
          "IAM-13"
        ],
        "general-csa-iot-2": [
          "IAM-06"
        ],
        "general-govramp": [
          "AC-06"
        ],
        "general-govramp-core": [
          "AC-06"
        ],
        "general-govramp-low-plus": [
          "AC-06"
        ],
        "general-govramp-mod": [
          "AC-06"
        ],
        "general-govramp-high": [
          "AC-06"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.4"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "5.18",
          "8.3",
          "8.12"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "9.1.2",
          "9.2.1",
          "9.2.2"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "5.18",
          "8.3",
          "8.12"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1005",
          "T1020.001",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1021.007",
          "T1021.008",
          "T1025",
          "T1036",
          "T1036.003",
          "T1036.005",
          "T1041",
          "T1047",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1053",
          "T1053.002",
          "T1053.003",
          "T1053.005",
          "T1053.006",
          "T1053.007",
          "T1055",
          "T1055.001",
          "T1055.002",
          "T1055.003",
          "T1055.004",
          "T1055.005",
          "T1055.008",
          "T1055.009",
          "T1055.011",
          "T1055.012",
          "T1055.013",
          "T1055.014",
          "T1056.003",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1059.009",
          "T1059.010",
          "T1059.011",
          "T1068",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.003",
          "T1070.007",
          "T1070.008",
          "T1070.009",
          "T1072",
          "T1078",
          "T1078.001",
          "T1078.002",
          "T1078.003",
          "T1078.004",
          "T1087.004",
          "T1091",
          "T1098",
          "T1098.001",
          "T1098.002",
          "T1098.003",
          "T1098.004",
          "T1098.005",
          "T1098.006",
          "T1098.007",
          "T1106",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1112",
          "T1133",
          "T1134",
          "T1134.001",
          "T1134.002",
          "T1134.003",
          "T1134.005",
          "T1136",
          "T1136.001",
          "T1136.002",
          "T1136.003",
          "T1137",
          "T1137.001",
          "T1137.002",
          "T1137.003",
          "T1137.004",
          "T1137.005",
          "T1137.006",
          "T1176",
          "T1185",
          "T1189",
          "T1190",
          "T1195",
          "T1197",
          "T1199",
          "T1200",
          "T1203",
          "T1210",
          "T1211",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.003",
          "T1213.004",
          "T1213.005",
          "T1218",
          "T1218.007",
          "T1218.015",
          "T1222",
          "T1222.001",
          "T1222.002",
          "T1484",
          "T1485",
          "T1485.001",
          "T1486",
          "T1489",
          "T1490",
          "T1491",
          "T1491.001",
          "T1491.002",
          "T1495",
          "T1505",
          "T1505.002",
          "T1505.003",
          "T1505.004",
          "T1505.005",
          "T1525",
          "T1528",
          "T1530",
          "T1537",
          "T1538",
          "T1539",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1543.001",
          "T1543.002",
          "T1543.003",
          "T1543.004",
          "T1543.005",
          "T1546",
          "T1546.003",
          "T1546.004",
          "T1546.011",
          "T1546.013",
          "T1546.016",
          "T1547.003",
          "T1547.004",
          "T1547.006",
          "T1547.009",
          "T1547.012",
          "T1547.013",
          "T1548",
          "T1548.002",
          "T1548.003",
          "T1548.005",
          "T1548.006",
          "T1550",
          "T1550.002",
          "T1550.003",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.006",
          "T1552.007",
          "T1553",
          "T1553.003",
          "T1553.006",
          "T1555",
          "T1555.002",
          "T1555.006",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004",
          "T1556.005",
          "T1556.006",
          "T1556.007",
          "T1556.008",
          "T1556.009",
          "T1558",
          "T1558.001",
          "T1558.002",
          "T1558.003",
          "T1558.005",
          "T1559",
          "T1559.001",
          "T1559.002",
          "T1561",
          "T1561.001",
          "T1561.002",
          "T1562",
          "T1562.001",
          "T1562.002",
          "T1562.004",
          "T1562.006",
          "T1562.007",
          "T1562.008",
          "T1562.009",
          "T1562.012",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1566.003",
          "T1567",
          "T1569",
          "T1569.001",
          "T1569.002",
          "T1574",
          "T1574.004",
          "T1574.005",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.010",
          "T1574.011",
          "T1574.012",
          "T1574.014",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1578.005",
          "T1580",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1606",
          "T1606.001",
          "T1606.002",
          "T1609",
          "T1610",
          "T1611",
          "T1612",
          "T1613",
          "T1619",
          "T1621",
          "T1647",
          "T1648",
          "T1651",
          "T1654",
          "T1657"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.7"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P4"
        ],
        "general-nist-800-53-r4": [
          "AC-6"
        ],
        "general-nist-800-53-r5-2": [
          "AC-06",
          "SA-08(14)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-06"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-06"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)",
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "AC-06",
          "SA-08(14)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-06"
        ],
        "general-nist-800-82-r3-high": [
          "AC-06"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06"
        ],
        "general-nist-800-161-r1": [
          "AC-6"
        ],
        "general-nist-800-171-r2": [
          "3.1.5"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.c.03",
          "03.01.01.d.01",
          "03.01.01.d.02",
          "03.01.04.b",
          "03.01.05.a",
          "03.01.05.b",
          "03.01.06.a",
          "03.01.07.a",
          "03.03.08.a",
          "03.03.08.b",
          "03.04.05"
        ],
        "general-nist-800-171a": [
          "3.1.5[b]",
          "3.1.5[c]",
          "3.1.5[d]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.02[02]",
          "A.03.01.05.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-05",
          "PR.DS-10"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.3",
          "3.4",
          "3.4.2",
          "7.1",
          "7.2",
          "7.2.1",
          "7.2.2",
          "7.2.6",
          "7.3",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "8.6",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.2",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.2",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "7.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.4.2",
          "7.2.1",
          "7.2.2",
          "7.2.6",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "8.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.4.2",
          "7.2.1",
          "7.2.2",
          "7.2.6",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "8.6.1"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-sparta": [
          "CM0039"
        ],
        "general-swift-cscf-2025": [
          "1.2",
          "2.3",
          "2.10",
          "5.1"
        ],
        "general-tisax-6-0-3": [
          "4.2.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.LPRIV"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-6"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-1g",
          "ACCESS-2d",
          "ARCHITECTURE-3c"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.5"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.7",
          "4.7"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(d)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-06"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(1)(i)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(i)",
          "164.312(a)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(i)",
          "164.312(a)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-6",
          "AC-6-IS.1",
          "AC-6-IS.2",
          "AC-6-IS.3",
          "AC-6-IS.4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(A)",
          "7123(c)(3)(A)(iii)",
          "7123(c)(3)(B)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(2)(a)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.7(a)(1)",
          "500.7(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-06",
          "AC-06-SID"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-06"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.1(3)(e)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(g)",
          "11.2.2(a)",
          "11.2.2(d)",
          "11.3.2(c)",
          "11.3.2(d)"
        ],
        "emea-deu-bsrit-2017": [
          "6.2"
        ],
        "emea-deu-c5-2020": [
          "IDM-07"
        ],
        "emea-isr-cmo-1-0": [
          "4.10",
          "12.29"
        ],
        "emea-sau-cgiot-2024": [
          "2-2-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-4"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 17",
          "Article 20"
        ],
        "emea-esp-decree-311-2022": [
          "17",
          "20"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2205",
          "2206"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2205",
          "2206"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2205",
          "2206"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2205",
          "2206"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P4",
          "ML2-P4",
          "ML3-P4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0441",
          "ISM-0611",
          "ISM-1380",
          "ISM-1392",
          "ISM-1705",
          "ISM-1706",
          "ISM-1707",
          "ISM-1708"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S3"
        ],
        "apac-jpn-ismap": [
          "9.1.2",
          "9.1.2.1",
          "9.1.2.2",
          "9.1.2.3",
          "9.1.2.4",
          "9.1.2.5",
          "9.1.2.6",
          "9.1.2.7",
          "9.1.2.8"
        ],
        "apac-nzl-ism-3-9": [
          "16.2.4.C.01",
          "16.4.31.C.01",
          "16.4.31.C.02",
          "23.4.10.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.1.1"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.C.03",
          "03.01.01.D.01",
          "03.01.01.D.02",
          "03.01.04.B",
          "03.01.05.A",
          "03.01.05.B",
          "03.01.06.A",
          "03.01.07.A",
          "03.03.08.A",
          "03.03.08.B",
          "03.04.05"
        ]
      }
    },
    {
      "control_id": "IAC-21.1",
      "title": "Authorize Access to Security Functions",
      "family": "IAC",
      "description": "Mechanisms exist to limit access to security functions to explicitly-authorized privileged users.",
      "scf_question": "Does the organization limit access to security functions to explicitly-authorized privileged users?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit access to security functions to explicitly-authorized privileged users.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-09"
        ],
        "general-govramp": [
          "AC-06(01)"
        ],
        "general-govramp-mod": [
          "AC-06(01)"
        ],
        "general-govramp-high": [
          "AC-06(01)"
        ],
        "general-nist-800-53-r4": [
          "AC-6(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-06(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-06(01)"
        ],
        "general-nist-800-82-r3": [
          "AC-06(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-06(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-06(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06(01)"
        ],
        "general-nist-800-171-r2": [
          "3.1.5"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-6(1)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.5"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-06(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-06(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-6(CE-1)",
          "AC-6(CE-1).a",
          "AC-6(CE-1).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-6(1)",
          "AC-6(1).a",
          "AC-6(1).b",
          "AC-6(1).c",
          "AC-6(1).d",
          "AC-6(1).e",
          "AC-6(1)-IS.1"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-06 (01)"
        ]
      }
    },
    {
      "control_id": "IAC-21.2",
      "title": "Non-Privileged Access for Non-Security Functions",
      "family": "IAC",
      "description": "Mechanisms exist to prohibit privileged users from using privileged accounts, while performing non-security functions.",
      "scf_question": "Does the organization prohibit privileged users from using privileged accounts, while performing non-security functions?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit privileged users from using privileged accounts, while performing non-security functions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use standard (non-admin) accounts for daily work",
        "small": "∙ Policy requiring non-privileged accounts for non-security functions",
        "medium": "∙ Formal least-privilege access policy\n∙ Standard accounts for daily activities",
        "large": "∙ Enterprise least-privilege enforcement\n∙ Automated detection of privilege misuse",
        "enterprise": "∙ Enterprise least-privilege access management\n∙ UEBA for privilege misuse detection\n∙ Just-in-time privilege elevation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "5.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "5.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "5.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "5.4"
        ],
        "general-csa-iot-2": [
          "IAM-04"
        ],
        "general-govramp": [
          "AC-06(02)"
        ],
        "general-govramp-core": [
          "AC-06(02)"
        ],
        "general-govramp-mod": [
          "AC-06(02)"
        ],
        "general-govramp-high": [
          "AC-06(02)"
        ],
        "general-nist-800-53-r4": [
          "AC-6(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-06(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-06(02)"
        ],
        "general-nist-800-82-r3": [
          "AC-06(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-06(02)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-06(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06(02)"
        ],
        "general-nist-800-171-r2": [
          "3.1.6"
        ],
        "general-nist-800-171-r3": [
          "03.01.06.b"
        ],
        "general-nist-800-171a": [
          "3.1.6[a]",
          "3.1.6[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.06.b"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-swift-cscf-2025": [
          "1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-6(2)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.6"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-06(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-6(CE-2)",
          "AC-6(IRS-Defined)-1",
          "AC-6(IRS-Defined)-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-6(2)",
          "AC-6(2).a",
          "AC-6(2).b",
          "AC-6(2).c",
          "AC-6(2).d",
          "AC-6(2).e",
          "AC-6(2)-IS.1"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-06 (02)"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P4",
          "ML2-P4",
          "ML3-P4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1175"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.06.B"
        ]
      }
    },
    {
      "control_id": "IAC-21.3",
      "title": "Management Approval For Privileged Accounts",
      "family": "IAC",
      "description": "Mechanisms exist to restrict the assignment of privileged accounts to management-approved personnel and/or roles.",
      "scf_question": "Does the organization restrict the assignment of privileged accounts to management-approved personnel and/or roles?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-09"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the assignment of privileged accounts to management-approved personnel and/or roles.",
        "4": "Identification & Authentication (IAC) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-09"
        ],
        "general-govramp": [
          "AC-06(05)"
        ],
        "general-govramp-mod": [
          "AC-06(05)"
        ],
        "general-govramp-high": [
          "AC-06(05)"
        ],
        "general-iso-27002-2022": [
          "5.18",
          "8.2"
        ],
        "general-iso-27017-2015": [
          "9.2.3"
        ],
        "general-iso-27018-2025": [
          "5.18",
          "8.2"
        ],
        "general-nist-800-53-r4": [
          "AC-6(5)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-06(05)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-06(05)"
        ],
        "general-nist-800-82-r3": [
          "AC-06(05)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-06(05)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-06(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06(05)"
        ],
        "general-nist-800-171-r2": [
          "3.1.5"
        ],
        "general-nist-800-171-r3": [
          "03.01.06.a",
          "03.01.07.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.06.ODP[01]",
          "A.03.01.06.a"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "7.2.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "7.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "7.2.3"
        ],
        "general-swift-cscf-2025": [
          "1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-6(5)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-2f",
          "ACCESS-2g"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.5"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-06(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-06(05)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-6(5)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(B)",
          "7123(c)(3)(C)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-06 (05)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.3.2(b)"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P4",
          "ML2-P4",
          "ML3-P4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.06.A",
          "03.01.07.A"
        ]
      }
    },
    {
      "control_id": "IAC-21.4",
      "title": "Auditing Use of Privileged Functions",
      "family": "IAC",
      "description": "Mechanisms exist to audit the execution of privileged functions.",
      "scf_question": "Does the organization audit the execution of privileged functions?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM revokes user access rights following changes in personnel roles and duties, if no longer necessary or permitted.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to audit the execution of privileged functions.",
        "4": "Identification & Authentication (IAC) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Log and review privileged function usage periodically",
        "small": "∙ Audit logging of privileged function use\n∙ Periodic review of privilege activity logs",
        "medium": "∙ Formal privileged function audit logging policy\n∙ Regular audit log review",
        "large": "∙ Enterprise SIEM with privileged activity monitoring\n∙ Automated alerting for anomalous privileged use",
        "enterprise": "∙ Enterprise SIEM/PAM with continuous privileged function auditing (e.g., CyberArk, Splunk)\n∙ Automated anomaly detection"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-09"
        ],
        "general-govramp": [
          "AC-06(09)"
        ],
        "general-govramp-mod": [
          "AC-06(09)"
        ],
        "general-govramp-high": [
          "AC-06(09)"
        ],
        "general-nist-800-53-r4": [
          "AC-6(9)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-06(09)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-06(09)"
        ],
        "general-nist-800-82-r3": [
          "AC-06(09)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-06(09)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-06(09)"
        ],
        "general-nist-800-171-r2": [
          "3.1.7"
        ],
        "general-nist-800-171-r3": [
          "03.01.07.b"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "10.2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.2.1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-6(9)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.7"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-06(09)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-06(09)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-6(CE-9)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-6(9)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-06 (09)"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S11"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.07.B"
        ]
      }
    },
    {
      "control_id": "IAC-21.5",
      "title": "Prohibit Non-Privileged Users from Executing Privileged Functions",
      "family": "IAC",
      "description": "Mechanisms exist to prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures.",
      "scf_question": "Does the organization prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "small": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Privileged Account Management (PAM)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-09"
        ],
        "general-govramp": [
          "AC-06(10)"
        ],
        "general-govramp-core": [
          "AC-06(10)"
        ],
        "general-govramp-mod": [
          "AC-06(10)"
        ],
        "general-govramp-high": [
          "AC-06(10)"
        ],
        "general-nist-800-53-r4": [
          "AC-6(10)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-06(10)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-06(10)"
        ],
        "general-nist-800-82-r3": [
          "AC-06(10)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-06(10)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-06(10)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06(10)"
        ],
        "general-nist-800-171-r2": [
          "3.1.7"
        ],
        "general-nist-800-171-r3": [
          "03.01.07.a"
        ],
        "general-nist-800-171a": [
          "3.1.7[a]",
          "3.1.7[b]",
          "3.1.7[c]",
          "3.1.7[d]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.07.a"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-6(10)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.7"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-06(10)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-06(10)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-6(CE-10)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-6(10)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-06 (10)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2216"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2216"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2216"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1592"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.07.A"
        ]
      }
    },
    {
      "control_id": "IAC-21.6",
      "title": "Network Access to Privileged Commands",
      "family": "IAC",
      "description": "Mechanisms exist to authorize remote access to perform privileged commands on critical Technology Assets, Applications and/or Services (TAAS) or where sensitive/regulated data is stored, transmitted and/or processed only for compelling operational needs.",
      "scf_question": "Does the organization authorize remote access to perform privileged commands on critical Technology Assets, Applications and/or Services (TAAS) or where sensitive/regulated data is stored, transmitted and/or processed only for compelling operational needs?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to authorize remote access to perform privileged commands on critical Technology Assets, Applications and/or Services (TAAS) or where sensitive/regulated data is stored, transmitted and/or processed only for compelling operational needs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Restrict network access for privileged commands to admin network",
        "small": "∙ Policy restricting privileged command execution over network to authorized paths",
        "medium": "∙ Formal privileged network access policy\n∙ Dedicated admin network or jump server",
        "large": "∙ Enterprise jump server/bastion host for privileged network access\n∙ PAM integration",
        "enterprise": "∙ Enterprise privileged remote access platform (e.g., BeyondTrust, CyberArk)\n∙ Just-in-time privileged network access\n∙ Session recording"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-06(03)"
        ],
        "general-govramp-high": [
          "AC-06(03)"
        ],
        "general-nist-800-53-r4": [
          "AC-6(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-06(03)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AC-06(03)"
        ],
        "general-nist-800-82-r3": [
          "AC-06(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-06(03)"
        ]
      }
    },
    {
      "control_id": "IAC-21.7",
      "title": "Privilege Levels for Code Execution",
      "family": "IAC",
      "description": "Automated mechanisms exist to prevent applications from executing at higher privilege levels than the user's privileges.",
      "scf_question": "Does the organization use automated mechanisms to prevent applications from executing at higher privilege levels than the user's privileges?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically prevent applications from executing at higher privilege levels than the user's privileges.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)",
        "small": "∙ Role Based Access Control (RBAC)",
        "medium": "∙ Role Based Access Control (RBAC)",
        "large": "∙ Role Based Access Control (RBAC)",
        "enterprise": "∙ Role Based Access Control (RBAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-06(08)"
        ],
        "general-govramp-high": [
          "AC-06(08)"
        ],
        "general-nist-800-53-r4": [
          "AC-6(8)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-06(08)"
        ],
        "general-nist-800-82-r3": [
          "AC-06(08)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-06(08)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-06(08)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-6(CE-8)"
        ]
      }
    },
    {
      "control_id": "IAC-22",
      "title": "Account Lockout",
      "family": "IAC",
      "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded.",
      "scf_question": "Does the organization enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded.",
        "4": "In addition to Identification & Authentication (IAC) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.1"
        ],
        "general-govramp": [
          "AC-07"
        ],
        "general-govramp-low": [
          "AC-07"
        ],
        "general-govramp-low-plus": [
          "AC-07"
        ],
        "general-govramp-mod": [
          "AC-07"
        ],
        "general-govramp-high": [
          "AC-07"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.15"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.11"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.11",
          "CR 1.11(a)",
          "CR 1.11(b)"
        ],
        "general-iso-27002-2022": [
          "8.1"
        ],
        "general-iso-27017-2015": [
          "6.2.1"
        ],
        "general-iso-27018-2025": [
          "8.1"
        ],
        "general-mitre-att&ck-16-1": [
          "T1021",
          "T1021.001",
          "T1021.004",
          "T1078.002",
          "T1078.004",
          "T1110",
          "T1110.001",
          "T1110.002",
          "T1110.003",
          "T1110.004",
          "T1133",
          "T1530",
          "T1556",
          "T1556.001",
          "T1556.003",
          "T1556.004"
        ],
        "general-nist-800-53-r4": [
          "AC-7"
        ],
        "general-nist-800-53-r5-2": [
          "AC-07"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-07"
        ],
        "general-nist-800-82-r3": [
          "AC-07"
        ],
        "general-nist-800-82-r3-low": [
          "AC-07"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-07"
        ],
        "general-nist-800-82-r3-high": [
          "AC-07"
        ],
        "general-nist-800-171-r2": [
          "3.1.8"
        ],
        "general-nist-800-171-r3": [
          "03.01.08.a",
          "03.01.08.b"
        ],
        "general-nist-800-171a": [
          "3.1.8[a]",
          "3.1.8[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.08.ODP[01]",
          "A.03.01.08.ODP[02]",
          "A.03.01.08.ODP[03]",
          "A.03.01.08.ODP[04]",
          "A.03.01.08.a",
          "A.03.01.08.b"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-7"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.8"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-07"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-7"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-7",
          "AC-7.a",
          "AC-7.b",
          "AC-7-IS.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 5.7"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(1)(e)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-07",
          "AC-07-SID.1",
          "AC-07-SID.2"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-07"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(1)(A)(v)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.6.2(d)"
        ],
        "emea-isr-cmo-1-0": [
          "4.14"
        ],
        "emea-sau-cgiot-2024": [
          "2-2-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2214"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2214"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2214"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2214"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1403"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.46.C.01",
          "16.1.46.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.08.A",
          "03.01.08.B"
        ]
      }
    },
    {
      "control_id": "IAC-23",
      "title": "Concurrent Session Control",
      "family": "IAC",
      "description": "Mechanisms exist to limit the number of concurrent sessions for each system account.",
      "scf_question": "Does the organization limit the number of concurrent sessions for each system account?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit the number of concurrent sessions for each system account.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-10"
        ],
        "general-govramp-mod": [
          "AC-10"
        ],
        "general-govramp-high": [
          "AC-10"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.17"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.7"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.7"
        ],
        "general-mitre-att&ck-16-1": [
          "T1137",
          "T1137.002",
          "T1185",
          "T1528"
        ],
        "general-nist-800-53-r4": [
          "AC-10"
        ],
        "general-nist-800-53-r5-2": [
          "AC-10"
        ],
        "general-nist-800-53-r5-2-high": [
          "AC-10"
        ],
        "general-nist-800-82-r3": [
          "AC-10"
        ],
        "general-nist-800-82-r3-high": [
          "AC-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-10"
        ],
        "emea-deu-c5-2020": [
          "PSS-06"
        ],
        "emea-isr-cmo-1-0": [
          "4.15"
        ]
      }
    },
    {
      "control_id": "IAC-24",
      "title": "Session Lock",
      "family": "IAC",
      "description": "Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.",
      "scf_question": "Does the organization initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.3"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-06"
        ],
        "general-govramp": [
          "AC-02(05)",
          "AC-11"
        ],
        "general-govramp-low-plus": [
          "AC-11"
        ],
        "general-govramp-mod": [
          "AC-02(05)",
          "AC-11"
        ],
        "general-govramp-high": [
          "AC-02(05)",
          "AC-11"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.18"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.5"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.5",
          "CR 2.5(a)",
          "CR 2.5(b)"
        ],
        "general-mitre-att&ck-16-1": [
          "T1021.001",
          "T1563.002"
        ],
        "general-nist-800-53-r4": [
          "AC-2(5)",
          "AC-11"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02(05)",
          "AC-11"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-02(05)",
          "AC-11"
        ],
        "general-nist-800-82-r3": [
          "AC-02(05)",
          "AC-11"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02(05)",
          "AC-11"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02(05)",
          "AC-11"
        ],
        "general-nist-800-171-r2": [
          "3.1.10"
        ],
        "general-nist-800-171-r3": [
          "03.01.10.a",
          "03.01.10.b"
        ],
        "general-nist-800-171a": [
          "3.1.10[a]",
          "3.1.10[b]",
          "3.1.10[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.10.ODP[01]",
          "A.03.01.10.ODP[02]",
          "A.03.01.10.a",
          "A.03.01.10.b"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.8"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2(5)",
          "AC-11"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02(05)",
          "AC-11"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02(05)",
          "AC-11"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-11"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-11",
          "AC-11.a",
          "AC-11.b"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-02 (05)",
          "AC-11"
        ],
        "emea-deu-c5-2020": [
          "PSS-06"
        ],
        "emea-isr-cmo-1-0": [
          "4.16"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2408"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2408"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2408"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2408"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0428"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.45.C.01",
          "16.1.45.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.10.A",
          "03.01.10.B"
        ]
      }
    },
    {
      "control_id": "IAC-24.1",
      "title": "Pattern-Hiding Displays",
      "family": "IAC",
      "description": "Mechanisms exist to implement pattern-hiding displays to conceal information previously visible on the display during the session lock.",
      "scf_question": "Does the organization implement pattern-hiding displays to conceal information previously visible on the display during the session lock?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement pattern-hiding displays to conceal information previously visible on the display during the session lock.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "UEM-06"
        ],
        "general-govramp": [
          "AC-11(01)"
        ],
        "general-govramp-mod": [
          "AC-11(01)"
        ],
        "general-govramp-high": [
          "AC-11(01)"
        ],
        "general-nist-800-53-r4": [
          "AC-11(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-11(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-11(01)"
        ],
        "general-nist-800-82-r3": [
          "AC-11(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-11(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-11(01)"
        ],
        "general-nist-800-171-r2": [
          "3.1.10"
        ],
        "general-nist-800-171-r3": [
          "03.01.10.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.10.c"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-11(1)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-11(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-11(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-11(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-11(1)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.10.C"
        ]
      }
    },
    {
      "control_id": "IAC-25",
      "title": "Session Termination",
      "family": "IAC",
      "description": "Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.",
      "scf_question": "Does the organization use automated mechanisms to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-12"
        ],
        "general-govramp-low-plus": [
          "AC-12"
        ],
        "general-govramp-mod": [
          "AC-12"
        ],
        "general-govramp-high": [
          "AC-12"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.6"
        ],
        "general-mitre-att&ck-16-1": [
          "T1021.001",
          "T1072",
          "T1185",
          "T1505.005",
          "T1563",
          "T1563.002"
        ],
        "general-nist-800-53-r4": [
          "AC-12"
        ],
        "general-nist-800-53-r5-2": [
          "AC-12"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-12"
        ],
        "general-nist-800-66-r2": [
          "164.312(a)"
        ],
        "general-nist-800-82-r3": [
          "AC-12"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-12"
        ],
        "general-nist-800-82-r3-high": [
          "AC-12"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-12"
        ],
        "general-nist-800-171-r2": [
          "3.1.11"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.h",
          "03.01.11",
          "03.07.05.c"
        ],
        "general-nist-800-171a": [
          "3.1.11[a]",
          "3.1.11[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.01.ODP[05]",
          "A.03.01.01.ODP[06]",
          "A.03.01.01.h",
          "A.03.01.11.ODP[01]",
          "A.03.01.11",
          "A.03.07.05.c[01]"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.8"
        ],
        "general-shared-assessments-sig-2025": [
          "U.1.4"
        ],
        "general-sparta": [
          "CM0036"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-12"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.11"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-12"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-12"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(a)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(a)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-12"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-12"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 2.5",
          "CIP-005-7 3.2"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-12"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.6.2(e)"
        ],
        "emea-deu-c5-2020": [
          "PSS-06"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0853"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.44.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.11",
          "03.07.05.C"
        ]
      }
    },
    {
      "control_id": "IAC-25.1",
      "title": "User-Initiated Logouts / Message Displays",
      "family": "IAC",
      "description": "Mechanisms exist to provide a logout capability and display an explicit logout message to users indicating the reliable termination of the session.",
      "scf_question": "Does the organization provide a logout capability and display an explicit logout message to users indicating the reliable termination of the session?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide a logout capability and display an explicit logout message to users indicating the reliable termination of the session.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-12(01)"
        ],
        "general-govramp-high": [
          "AC-12(01)"
        ],
        "general-nist-800-53-r4": [
          "AC-12(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-12(01)"
        ],
        "general-nist-800-82-r3": [
          "AC-12(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-12(CE-1)"
        ]
      }
    },
    {
      "control_id": "IAC-26",
      "title": "Permitted Actions Without Identification or Authorization",
      "family": "IAC",
      "description": "Mechanisms exist to identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication.",
      "scf_question": "Does the organization identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-govramp": [
          "AC-14"
        ],
        "general-govramp-low": [
          "AC-14"
        ],
        "general-govramp-low-plus": [
          "AC-14"
        ],
        "general-govramp-mod": [
          "AC-14"
        ],
        "general-govramp-high": [
          "AC-14"
        ],
        "general-mitre-att&ck-16-1": [
          "T1137.002"
        ],
        "general-nist-800-53-r4": [
          "AC-14"
        ],
        "general-nist-800-53-r5-2": [
          "AC-14"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-14"
        ],
        "general-nist-800-82-r3": [
          "AC-14"
        ],
        "general-nist-800-82-r3-low": [
          "AC-14"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-14"
        ],
        "general-nist-800-82-r3-high": [
          "AC-14"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-14"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-14"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-14"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-14"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-14"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-14"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-14",
          "AC-14.a",
          "AC-14.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-14"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-14"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-14"
        ]
      }
    },
    {
      "control_id": "IAC-27",
      "title": "Reference Monitor",
      "family": "IAC",
      "description": "Mechanisms exist to implement a reference monitor that is tamperproof, always-invoked, small enough to be subject to analysis / testing and the completeness of which can be assured.",
      "scf_question": "Does the organization implement a reference monitor that is tamperproof, always-invoked, small enough to be subject to analysis / testing and the completeness of which can be assured?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement a reference monitor that is tamperproof, always-invoked, small enough to be subject to analysis / testing and the completeness of which can be assured.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-25"
        ],
        "general-nist-800-53-r5-2": [
          "AC-25"
        ],
        "general-nist-800-82-r3": [
          "AC-25"
        ]
      }
    },
    {
      "control_id": "IAC-28",
      "title": "Identity Proofing (Identity Verification)",
      "family": "IAC",
      "description": "Mechanisms exist to verify the identity of a user before issuing authenticators or modifying access permissions.",
      "scf_question": "Does the organization verify the identity of a user before issuing authenticators or modifying access permissions?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-02",
        "E-IAM-05",
        "E-IAM-06",
        "E-HRS-18"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to verify the identity of a user before issuing authenticators or modifying access permissions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Driver's license\n∙ Passport",
        "small": "∙ Driver's license\n∙ Passport",
        "medium": "∙ Driver's license\n∙ Passport",
        "large": "∙ Driver's license\n∙ Passport",
        "enterprise": "∙ Driver's license\n∙ Passport"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1078",
          "T1078.002",
          "T1078.003",
          "T1078.004"
        ],
        "general-nist-800-53-r5-2": [
          "IA-12"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-12"
        ],
        "general-nist-800-66-r2": [
          "164.312(d)"
        ],
        "general-nist-800-82-r3": [
          "IA-12"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-12"
        ],
        "general-nist-800-82-r3-high": [
          "IA-12"
        ],
        "general-nist-800-171-r3": [
          "03.05.12.a",
          "03.05.12.c"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-02"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-12"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-1f"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.1.1"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.100(b)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-12"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-12"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(d)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(d)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-12"
        ],
        "apac-jpn-ismap": [
          "7.1.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.05.12.A",
          "03.05.12.C"
        ]
      }
    },
    {
      "control_id": "IAC-28.1",
      "title": "Management Approval For New or Changed Accounts",
      "family": "IAC",
      "description": "Mechanisms exist to ensure management approvals are required for new accounts or changes in permissions to existing accounts.",
      "scf_question": "Does the organization ensure management approvals are required for new accounts or changes in permissions to existing accounts?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAM-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure management approvals are required for new accounts or changes in permissions to existing accounts.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Require manager approval before creating new user accounts",
        "small": "∙ Management approval process for new/changed accounts",
        "medium": "∙ Formal account management approval policy\n∙ Approval workflow for all account changes",
        "large": "∙ Enterprise IAM with management approval workflows for account creation",
        "enterprise": "∙ Enterprise IGA platform with approval workflow automation (e.g., SailPoint, Saviynt)\n∙ Role-based approval routing"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.2-POF1",
          "CC6.3-POF1"
        ],
        "general-nist-800-53-r4": [
          "AC-24",
          "IA-4(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-24",
          "IA-12(01)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(3)"
        ],
        "general-nist-800-82-r3": [
          "AC-24",
          "IA-12(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-12(01)"
        ],
        "general-nist-800-161-r1": [
          "AC-24"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-24"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-24"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-24"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-24"
        ],
        "general-nist-800-171-r3": [
          "03.01.01.b",
          "03.05.05.a"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "4.2.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-2f",
          "ACCESS-2g"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(3)(ii)(A)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(3)(ii)(A)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-12(CE-1)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 6.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(C)"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.2.2(c)"
        ],
        "emea-deu-c5-2020": [
          "IDM-01",
          "IDM-02"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0405"
        ],
        "apac-jpn-ismap": [
          "9.2.2.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.01.B",
          "03.05.05.A"
        ]
      }
    },
    {
      "control_id": "IAC-28.2",
      "title": "Identity Evidence",
      "family": "IAC",
      "description": "Mechanisms exist to require evidence of individual identification to be presented to the registration authority.",
      "scf_question": "Does the organization require evidence of individual identification to be presented to the registration authority?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.\n▪ IAM proactively governs account management of individual, group, system, application, guest and temporary accounts.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require evidence of individual identification to be presented to the registration authority.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Driver's license\n∙ Passport",
        "small": "∙ Driver's license\n∙ Passport",
        "medium": "∙ Driver's license\n∙ Passport",
        "large": "∙ Driver's license\n∙ Passport",
        "enterprise": "∙ Driver's license\n∙ Passport"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "IA-12(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-12(02)"
        ],
        "general-nist-800-66-r2": [
          "164.312(d)"
        ],
        "general-nist-800-82-r3": [
          "IA-12(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-12(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-12(02)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-12(2)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-12(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-12(02)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(d)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(d)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-12(CE-2)"
        ]
      }
    },
    {
      "control_id": "IAC-28.3",
      "title": "Identity Evidence Validation & Verification",
      "family": "IAC",
      "description": "Mechanisms exist to require that the presented identity evidence be validated and verified through organizational-defined methods of validation and verification.",
      "scf_question": "Does the organization require that the presented identity evidence be validated and verified through organizational-defined methods of validation and verification?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require that the presented identity evidence be validated and verified through organizational-defined methods of validation and verification.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Employment verification\n∙ Credit check\n∙ Criminal history check\n∙ Education verification",
        "small": "∙ Employment verification\n∙ Credit check\n∙ Criminal history check\n∙ Education verification",
        "medium": "∙ Employment verification\n∙ Credit check\n∙ Criminal history check\n∙ Education verification",
        "large": "∙ Employment verification\n∙ Credit check\n∙ Criminal history check\n∙ Education verification",
        "enterprise": "∙ Employment verification\n∙ Credit check\n∙ Criminal history check\n∙ Education verification"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "IA-12(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-12(03)"
        ],
        "general-nist-800-66-r2": [
          "164.312(d)"
        ],
        "general-nist-800-82-r3": [
          "IA-12(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-12(03)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-12(03)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-12(3)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-12(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-12(03)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(d)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(d)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-12(CE-3)"
        ]
      }
    },
    {
      "control_id": "IAC-28.4",
      "title": "In-Person Validation & Verification",
      "family": "IAC",
      "description": "Mechanisms exist to require that the validation and verification of identity evidence be conducted in person before a designated registration authority.",
      "scf_question": "Does the organization require that the validation and verification of identity evidence be conducted in person before a designated registration authority?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require that the validation and verification of identity evidence be conducted in person before a designated registration authority.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ In-person validation of government-issued photograph identification",
        "small": "∙ In-person validation of government-issued photograph identification",
        "medium": "∙ In-person validation of government-issued photograph identification",
        "large": "∙ In-person validation of government-issued photograph identification",
        "enterprise": "∙ In-person validation of government-issued photograph identification"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "IA-5(3)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-12(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-12(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "IA-12(04)"
        ],
        "general-nist-800-82-r3": [
          "IA-12(04)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-12(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-12(04)"
        ]
      }
    },
    {
      "control_id": "IAC-28.5",
      "title": "Address Confirmation",
      "family": "IAC",
      "description": "Mechanisms exist to require that a notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital).",
      "scf_question": "Does the organization require that a notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital)?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require that a notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Verify user address before sending confirmation communications",
        "small": "∙ Address confirmation procedure for account communications",
        "medium": "∙ Formal address confirmation policy for account-related communications",
        "large": "∙ Enterprise identity verification process for address confirmation",
        "enterprise": "∙ Enterprise identity proofing platform with address confirmation (e.g., Experian, LexisNexis)\n∙ Automated address verification"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "IA-12(05)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IA-12(05)"
        ],
        "general-nist-800-82-r3": [
          "IA-12(05)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-12(05)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-12(05)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-12(5)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-12(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-12(05)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-12(CE-5)"
        ]
      }
    },
    {
      "control_id": "IAC-29",
      "title": "Attribute-Based Access Control (ABAC)",
      "family": "IAC",
      "description": "Mechanisms exist to enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that support the secure sharing of information.",
      "scf_question": "Does the organization enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that support the secure sharing of information?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that support the secure sharing of information.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Active Directory (https://microsoft.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-csa-iot-2": [
          "IAM-01"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.8"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "1.2",
          "1.2.1",
          "1.2.2",
          "1.2.3",
          "1.3.3",
          "1.4.2",
          "1.4.4",
          "1.6",
          "1.6.2",
          "1.6.3",
          "1.8",
          "1.8.4",
          "2.3.1",
          "2.3.2",
          "2.3.3",
          "2.3.5",
          "2.4.2"
        ]
      }
    },
    {
      "control_id": "IAC-29.1",
      "title": "Real-Time Access Decisions",
      "family": "IAC",
      "description": "Automated mechanisms exist to utilize Machine Learning (ML) to make real-time access decisions based on advanced network analytics that leverages enterprise-wide data sources.",
      "scf_question": "Does the organization utilize Machine Learning (ML) to make real-time access decisions based on advanced network analytics that leverages enterprise-wide data sources?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically utilize Machine Learning (ML) to make real-time access decisions based on advanced network analytics that leverages enterprise-wide data sources.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Real-time access decision capability in IAM system",
        "large": "∙ Enterprise IAM with real-time access decision engine (e.g., Okta, Microsoft Entra)",
        "enterprise": "∙ Enterprise zero-trust access policy engine (e.g., Palo Alto, Zscaler)\n∙ Real-time continuous access evaluation (CAE)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "5.2.5",
          "6.1.3"
        ]
      }
    },
    {
      "control_id": "IAC-29.2",
      "title": "Access Profile Rules",
      "family": "IAC",
      "description": "Mechanisms exist to develop access profile rules for sensitive/regulated Technology Assets, Applications, Services and/or Data (TAASD) access based on User, Data, Network, Environment & Device attributes.",
      "scf_question": "Does the organization develop access profile rules for sensitive/regulated Technology Assets, Applications, Services and/or Data (TAASD) access based on User, Data, Network, Environment & Device attributes?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Identification & Authentication (IAC) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAC domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Identity & Access Management (IAM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.\n▪ IT and/or cybersecurity personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.\n▪ Configuration management and IAM functions collaborate to ensure Secure Baseline Configurations (SBC) enforce “least privileges” on TAAS.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop access profile rules for sensitive/regulated TAASD access based on User, Data, Network, Environment & Device attributes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Define access rules based on user role and job function",
        "small": "∙ Role-based access rules documented and implemented",
        "medium": "∙ Formal access profile rule policy\n∙ RBAC implementation with defined access profiles",
        "large": "∙ Enterprise RBAC with formal access profile definitions (e.g., SailPoint, Saviynt)",
        "enterprise": "∙ Enterprise IGA platform with comprehensive access profile rules\n∙ Automated policy enforcement\n∙ Continuous access validation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.1.2",
          "6.1.3",
          "6.1.4"
        ]
      }
    },
    {
      "control_id": "IAC-30",
      "title": "Mutual Authentication (MA)",
      "family": "IAC",
      "description": "Mechanisms exist to enforce Mutual Authentication (MA) where both sides of a communications channel verify the identity of the other party through certificate exchange.",
      "scf_question": "Does the organization enforce Mutual Authentication (MA) where both sides of a communications channel verify the identity of the other party through certificate exchange?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Identification & Authentication (IAC) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Identity & Access Management (IAM)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines) to enforce Logical Access Control (LAC).\n▪ IAM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel to implement Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.\n▪ A directory services technology is used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific Technology Assets, Applications and/or Services (TAAS) that cannot be integrated into directory services.",
        "3": "Identification & Authentication (IAC) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAC domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAC domain capabilities are well-documented and kept current by process owners.\n▪ An Identity & Access Management (IAM) team, or similar function, is appropriately staffed and supported to implement and maintain IAC domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of IAM operations (e.g., directory services, Authenticate, Authorize and Audit (AAA) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAC domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce Mutual Authentication (MA) where both sides of a communications channel verify the identity of the other party through certificate exchange.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use mutual TLS (mTLS) for critical system-to-system communications",
        "small": "∙ Mutual authentication policy for sensitive system communications",
        "medium": "∙ Formal mutual authentication standard\n∙ mTLS for critical services",
        "large": "∙ Enterprise mTLS implementation for service-to-service communication\n∙ Certificate management",
        "enterprise": "∙ Enterprise mTLS with PKI (e.g., Venafi, HashiCorp Vault)\n∙ Service mesh with mutual auth (e.g., Istio)\n∙ Automated certificate lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-BC-4",
        "R-EX-7"
      ],
      "threats": [
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-14"
      ],
      "errata": "- new control (IEC 62443-2-1)",
      "family_name": "Identification & Authentication",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "USER 1.10"
        ]
      }
    },
    {
      "control_id": "IRO-01",
      "title": "Incident Response Operations",
      "family": "IRO",
      "description": "Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.",
      "scf_question": "Does the organization implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ IT and/or cybersecurity personnel facilitate prompt response to suspected or confirmed security incidents, including timely notification to affected stakeholders.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)",
        "small": "∙ Incident Response Plan (IRP)",
        "medium": "∙ Integrated Incident Response Program (IIRP)",
        "large": "∙ Integrated Incident Response Program (IIRP)",
        "enterprise": "∙ Integrated Incident Response Program (IIRP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.3-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2-POF5",
          "CC2.2-POF3",
          "CC2.2-POF10",
          "CC7.3",
          "CC7.3-POF1",
          "CC7.4",
          "CC7.4-POF1",
          "CC7.4-POF2",
          "CC7.4-POF3",
          "CC7.4-POF4",
          "CC7.4-POF5",
          "CC7.4-POF6",
          "CC7.4-POF7",
          "CC7.4-POF8",
          "CC7.4-POF9",
          "CC7.4-POF10",
          "CC7.4-POF11",
          "CC7.4-POF12",
          "CC7.4-POF13"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.3"
        ],
        "general-cis-csc-8-1": [
          "17.0",
          "17.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "17.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "17.5"
        ],
        "general-cobit-2019": [
          "DSS02.01"
        ],
        "general-csa-cmm-4-1-0": [
          "SEF-01"
        ],
        "general-csa-iot-2": [
          "IMT-01"
        ],
        "general-govramp": [
          "IR-01"
        ],
        "general-govramp-low": [
          "IR-01"
        ],
        "general-govramp-low-plus": [
          "IR-01"
        ],
        "general-govramp-mod": [
          "IR-01"
        ],
        "general-govramp-high": [
          "IR-01"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.8"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.4"
        ],
        "general-iso-21434-2021": [
          "RQ-13-01",
          "RQ-13-01(a)",
          "RQ-13-01(b)",
          "RQ-13-01(c)",
          "RQ-13-01(d)",
          "RQ-13-01(e)",
          "RQ-13-01(f)",
          "RQ-13-01(g)"
        ],
        "general-iso-27002-2022": [
          "5.24"
        ],
        "general-iso-27017-2015": [
          "16.1.1"
        ],
        "general-iso-27018-2025": [
          "5.24"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-4.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)(c)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 6.2",
          "MANAGE 2.3",
          "MANAGE 2.4"
        ],
        "general-nist-800-53-r4": [
          "IR-1"
        ],
        "general-nist-800-53-r5-2": [
          "IR-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-01"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)",
          "164.308(a)(6)",
          "164.308(a)(7)"
        ],
        "general-nist-800-82-r3": [
          "IR-01"
        ],
        "general-nist-800-82-r3-low": [
          "IR-01"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-01"
        ],
        "general-nist-800-82-r3-high": [
          "IR-01"
        ],
        "general-nist-800-161-r1": [
          "IR-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IR-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "IR-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-1"
        ],
        "general-nist-800-171-r2": [
          "NFO - IR-1"
        ],
        "general-nist-800-171-r3": [
          "03.06.01"
        ],
        "general-nist-800-171a": [
          "3.6.1[a]",
          "3.6.1[b]",
          "3.6.1[c]",
          "3.6.1[d]",
          "3.6.1[e]",
          "3.6.1[f]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.01[01]"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-08",
          "DE.AE",
          "RS",
          "RS.MI"
        ],
        "general-pci-dss-4-0-1": [
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3",
          "12.10",
          "A3.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-scf-dpmp-2025": [
          "8.0"
        ],
        "general-shared-assessments-sig-2025": [
          "J.4"
        ],
        "general-swift-cscf-2025": [
          "6.1",
          "6.2",
          "6.3",
          "7.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "IMC:SG1",
          "IMC:SG1.SP1",
          "IMC:SG1.SP2",
          "IMC:GG1.GP1",
          "IMC:GG2",
          "IMC:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.f"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.IRPIH"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.S",
          "5.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.20.5",
          "IR-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-1a"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(F)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-01"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(3)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(h)",
          "314.4(h)(1)",
          "314.4(h)(2)",
          "314.4(h)(3)",
          "314.4(h)(4)",
          "314.4(h)(5)",
          "314.4(h)(6)",
          "314.4(h)(7)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(6)(i)",
          "164.308(a)(7)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(6)(i)",
          "164.308(a)(7)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "1.8.4",
          "IR-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.5",
          "CIP-003-8 1.2.4",
          "CIP-008-6 1.1",
          "CIP-008-6 3.2"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)(2)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "Form 8-K Item 1.05(a)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.2.d"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(17)",
          "7123(c)(17)(B)"
        ],
        "usa-state-ca-sb1386-2002": [
          "1798.29(a)"
        ],
        "usa-state-il-pipa-2006": [
          "12(g)",
          "12(g)(i)",
          "12(g)(ii)",
          "12(g)(iii)",
          "12(g)(iv)",
          "12(g)(v)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(4)",
          "500.3(n)",
          "500.16(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-01"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5.1(59)",
          "3.5.1(60)",
          "3.5.1(60)(a)",
          "3.5.1(60)(b)",
          "3.5.1(60)(c)",
          "3.5.1(60)(d)",
          "3.5.1(60)(d)(i)",
          "3.5.1(60)(d)(ii)",
          "3.5.1(60)(e)",
          "3.5.1(60)(f)",
          "3.5.1(60)(f)(i)",
          "3.5.1(60)(f)(ii)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(b)",
          "Article 14.1",
          "Article 14.2",
          "Article 14.3",
          "Article 17.1",
          "Article 17.2",
          "Article 17.3",
          "Article 17.3(a)",
          "Article 17.3(b)",
          "Article 17.3(c)",
          "Article 17.3(d)",
          "Article 17.3(e)",
          "Article 17.3(f)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(b)",
          "Article 23.1"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.1.1",
          "3.2.1",
          "3.5.1",
          "4.3.1"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "4.7"
        ],
        "emea-deu-c5-2020": [
          "SIM-01"
        ],
        "emea-isr-cmo-1-0": [
          "24.1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-13-1",
          "2-13-2",
          "2-13-3",
          "2-13-3-2",
          "2-13-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-12",
          "2-12-1",
          "2-12-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-23",
          "TPC-88",
          "TPC-89"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.15"
        ],
        "emea-zaf-popia-2013": [
          "19.1",
          "19.3",
          "22"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 25.1"
        ],
        "emea-esp-decree-311-2022": [
          "25.1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.7 [OP.EXP.7]"
        ],
        "emea-uae-niaf-2023": [
          "3.3",
          "3.3.2"
        ],
        "emea-gbr-caf-4-0": [
          "D1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3105",
          "4104"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "4104"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3105",
          "4104"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3105",
          "4104"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0137",
          "ISM-0576",
          "ISM-1609",
          "ISM-1618"
        ],
        "apac-aus-ps-cps-230-2023": [
          "32"
        ],
        "apac-aus-ps-cps-234-2019": [
          "23",
          "24"
        ],
        "apac-ind-sebi-2024": [
          "RS.MA.S1"
        ],
        "apac-jpn-ismap": [
          "16",
          "16.1",
          "16.1.1.2",
          "16.1.1.4",
          "16.1.1.5",
          "16.1.1.6.P",
          "16.1.1.7.P",
          "16.1.1.8.P",
          "16.1.1.9.P",
          "16.1.1.10.P",
          "16.1.1.11.P",
          "16.1.1.12.P"
        ],
        "apac-nzl-ism-3-9": [
          "7.1.7.C.01",
          "7.1.7.C.02",
          "7.1.7.C.03",
          "7.2.18.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.7.1",
          "7.7.2",
          "7.7.3(a)",
          "7.7.3(b)",
          "7.7.3(c)",
          "7.7.4",
          "7.7.5",
          "7.7.6",
          "7.7.7"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.1",
          "6.3",
          "6.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.3",
          "5.1",
          "5.2",
          "5.3",
          "5.4",
          "5.5",
          "5.6",
          "5.7",
          "5.8"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7",
          "2.7.2",
          "3.3",
          "3.4.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.01"
        ]
      }
    },
    {
      "control_id": "IRO-02",
      "title": "Incident Handling",
      "family": "IRO",
      "description": "Mechanisms exist to cover:\n(1) Preparation;\n(2) Automated event detection or manual incident report intake;\n(3) Analysis;\n(4) Containment;\n(5) Eradication; and\n(6) Recovery.",
      "scf_question": "Does the organization cover:\n (1) Preparation;\n (2) Automated event detection or manual incident report intake;\n (3) Analysis;\n (4) Containment;\n (5) Eradication; and\n (6) Recovery?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ IT and/or cybersecurity personnel facilitate prompt response to suspected or confirmed security incidents, including timely notification to affected stakeholders.\n▪ IT and/or cybersecurity personnel facilitate basic forensic investigations in the event of a suspected or confirmed security incident.\n▪ The IRP contains eDiscovery processes to support Federal Rules of Civil Procedure (FRCP) requirements for eDiscovery practices.\n▪ IT personnel support incident response operations by provisioning and deprovisioning incident responders with temporary emergency accounts.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to cover:\n(1) Preparation;\n(2) Automated event detection or manual incident report intake;\n(3) Analysis;\n(4) Containment;\n(5) Eradication; and\n(6) Recovery.",
        "4": "Incident Response (IRO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)",
        "small": "∙ Incident Response Plan (IRP)",
        "medium": "∙ Integrated Incident Response Program (IIRP)\n∙ ITIL 4 (https://axelos.com) ∙ Incident and problem management",
        "large": "∙ Integrated Incident Response Program (IIRP)\n∙ ITIL 4 (https://axelos.com) ∙ Incident and problem management",
        "enterprise": "∙ Integrated Incident Response Program (IIRP)\n∙ ITIL 4 (https://axelos.com) ∙ Incident and problem management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.3-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2-POF5",
          "CC2.2-POF3",
          "CC2.2-POF6",
          "CC2.2-POF10",
          "CC2.3-POF8",
          "CC7.3",
          "CC7.3-POF1",
          "CC7.3-POF3",
          "CC7.3-POF4",
          "CC7.3-POF5",
          "CC7.3-POF6",
          "CC7.3-POF7",
          "CC7.4",
          "CC7.4-POF1",
          "CC7.4-POF2",
          "CC7.4-POF3",
          "CC7.4-POF4",
          "CC7.4-POF5",
          "CC7.4-POF6",
          "CC7.4-POF7",
          "CC7.4-POF8",
          "CC7.4-POF9",
          "CC7.4-POF10",
          "CC7.4-POF11",
          "CC7.4-POF12",
          "CC7.4-POF13"
        ],
        "general-cis-csc-8-1": [
          "2.3",
          "17.0",
          "17.1",
          "17.3",
          "17.4",
          "17.5",
          "17.6",
          "17.9"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.3",
          "17.1",
          "17.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.3",
          "17.1",
          "17.3",
          "17.4",
          "17.5",
          "17.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.3",
          "17.1",
          "17.3",
          "17.4",
          "17.5",
          "17.6",
          "17.9"
        ],
        "general-cobit-2019": [
          "DSS02.01",
          "DSS02.02",
          "DSS02.03",
          "DSS02.04",
          "DSS02.05",
          "DSS02.06",
          "DSS03.02"
        ],
        "general-csa-cmm-4-1-0": [
          "SEF-03",
          "SEF-06",
          "SEF-07"
        ],
        "general-csa-iot-2": [
          "IAM-08",
          "IAM-09",
          "IMT-01",
          "MON-02"
        ],
        "general-govramp": [
          "IR-04"
        ],
        "general-govramp-core": [
          "IR-04"
        ],
        "general-govramp-low": [
          "IR-04"
        ],
        "general-govramp-low-plus": [
          "IR-04"
        ],
        "general-govramp-mod": [
          "IR-04"
        ],
        "general-govramp-high": [
          "IR-04"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.8"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.4"
        ],
        "general-iso-27002-2022": [
          "5.24",
          "5.25",
          "5.26",
          "6.8"
        ],
        "general-iso-27017-2015": [
          "16.1.3",
          "16.1.4",
          "16.1.5"
        ],
        "general-iso-27018-2025": [
          "5.24",
          "5.25",
          "5.26",
          "6.8"
        ],
        "general-iso-42001-2023": [
          "A.3.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-4.0",
          "TS-1.4"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "5.A",
          "5.B(1)",
          "5.B(2)",
          "5.B(3)",
          "5.B(4)",
          "5.C",
          "5.D",
          "6.D(1)",
          "6.D(2)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 6.2",
          "MANAGE 2.3",
          "MANAGE 2.4"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.MT-P5"
        ],
        "general-nist-800-53-r4": [
          "IR-4"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-04"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(6)"
        ],
        "general-nist-800-82-r3": [
          "IR-04"
        ],
        "general-nist-800-82-r3-low": [
          "IR-04"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-04"
        ],
        "general-nist-800-82-r3-high": [
          "IR-04"
        ],
        "general-nist-800-161-r1": [
          "IR-4"
        ],
        "general-nist-800-171-r2": [
          "3.6.1",
          "3.6.2"
        ],
        "general-nist-800-171-r3": [
          "03.03.04.b",
          "03.06.01",
          "03.06.02.a",
          "03.06.02.b",
          "03.06.02.c",
          "03.06.02.d"
        ],
        "general-nist-800-171a": [
          "3.6.1[a]",
          "3.6.1[b]",
          "3.6.1[c]",
          "3.6.1[d]",
          "3.6.1[e]",
          "3.6.1[f]",
          "3.6.1[g]",
          "3.6.2[a]",
          "3.6.2[b]",
          "3.6.2[c]",
          "3.6.2[d]",
          "3.6.2[e]",
          "3.6.2[f]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.01[02]",
          "A.03.06.01[03]",
          "A.03.06.01[04]",
          "A.03.06.01[05]",
          "A.03.06.01[06]",
          "A.03.06.02.b"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-08",
          "DE.AE",
          "DE.AE-02",
          "DE.AE-03",
          "DE.AE-04",
          "DE.AE-06",
          "DE.AE-08",
          "RS",
          "RS.MA",
          "RS.MA-01",
          "RS.MA-02",
          "RS.MA-04",
          "RS.AN",
          "RS.AN-06",
          "RS.CO",
          "RS.CO-02",
          "RS.CO-03",
          "RS.MI",
          "RS.MI-01",
          "RS.MI-02",
          "RC.RP-06"
        ],
        "general-pci-dss-4-0-1": [
          "12.10",
          "12.10.5",
          "A3.3.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.10.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.10.5"
        ],
        "general-scf-dpmp-2025": [
          "8.0",
          "8.1"
        ],
        "general-swift-cscf-2025": [
          "6.1",
          "6.2",
          "6.3",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "1.6.1",
          "1.6.2",
          "1.6.3",
          "9.6.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "IMC:SG2.SP4",
          "IMC:SG3",
          "IMC:SG3.SP1",
          "IMC:SG3.SP2",
          "IMC:SG4",
          "IMC:SG4.SP1",
          "IMC:SG4.SP2",
          "IMC:SG4.SP3",
          "IMC:SG4.SP4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.IRPIH"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.S",
          "5.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-1a",
          "RESPONSE-1b",
          "RESPONSE-1f",
          "RESPONSE-2a",
          "RESPONSE-2b",
          "RESPONSE-3b",
          "RESPONSE-3c",
          "RESPONSE-3e",
          "RESPONSE-3l"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IRL2.-3.6.1",
          "IRL2.-3.6.2"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.7.2"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(c)(1)(i)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(3)",
          "609.930(c)(3)(i)",
          "609.930(c)(3)(ii)",
          "609.930(c)(3)(iii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(3)",
          "248.30(a)(3)(i)",
          "248.30(a)(3)(ii)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(h)",
          "314.4(h)(1)",
          "314.4(h)(2)",
          "314.4(h)(3)",
          "314.4(h)(4)",
          "314.4(h)(5)",
          "314.4(h)(6)",
          "314.4(h)(7)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(6)(ii)",
          "164.412",
          "164.412(a)",
          "164.412(b)",
          "164.530(f)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(6)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-4",
          "IR-4.a",
          "IR-4.b",
          "IR-4.c",
          "IR-4.d",
          "IR-4.e",
          "IR-4.f",
          "IR-4.g",
          "IR-4.h",
          "IR-4-IS",
          "SE-2",
          "SE-2.a",
          "SE-2.b",
          "SE-2.c"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 1.1",
          "CIP-008-6 1.2.1",
          "CIP-008-6 1.4"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "Form 8-K Item 1.05(a)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.2.d"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7027(m)(2)",
          "7123(c)(17)(B)(i)"
        ],
        "usa-state-ca-sb1386-2002": [
          "1798.29(a)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-04"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5.1(59)",
          "3.5.1(60)",
          "3.5.1(60)(a)",
          "3.5.1(60)(b)",
          "3.5.1(60)(c)",
          "3.5.1(60)(d)",
          "3.5.1(60)(d)(i)",
          "3.5.1(60)(d)(ii)",
          "3.5.1(60)(e)",
          "3.5.1(60)(f)",
          "3.5.1(60)(f)(i)",
          "3.5.1(60)(f)(ii)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(b)",
          "Article 14.1",
          "Article 14.2",
          "Article 14.3",
          "Article 18.1",
          "Article 18.1(a)",
          "Article 18.1(b)",
          "Article 18.1(c)",
          "Article 18.1(d)",
          "Article 18.1(e)",
          "Article 18.1(f)",
          "Article 18.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(b)",
          "Article 23.1"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.1.2(b)",
          "3.4.1",
          "3.4.2(e)",
          "3.5.2(a)",
          "3.5.2(b)",
          "3.5.2(c)",
          "3.5.3(b)"
        ],
        "emea-deu-bsrit-2017": [
          "4.7"
        ],
        "emea-deu-c5-2020": [
          "SIM-02"
        ],
        "emea-isr-cmo-1-0": [
          "7.2",
          "24.2"
        ],
        "emea-sau-cgiot-2024": [
          "2-12-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-13-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-12-2-1",
          "2-12-2-2",
          "2-12-2-3",
          "2-12-2-4",
          "2-12-2-5",
          "2-12-2-6",
          "2-12-2-7",
          "2-12-2-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-23",
          "TPC-88",
          "TPC-89"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 25.1",
          "Article 25.2",
          "Article 33.4"
        ],
        "emea-esp-decree-311-2022": [
          "25.1",
          "25.2",
          "33.4"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.7 [OP.EXP.7]",
          "7.3.9 [OP.EXP.9]"
        ],
        "emea-uae-niaf-2023": [
          "3.3.1",
          "3.3.2"
        ],
        "emea-gbr-caf-4-0": [
          "D1.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3105",
          "4104"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "4104"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3105",
          "4104"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3105",
          "4104"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P3",
          "ML2-P4",
          "ML2-P5",
          "ML2-P7",
          "ML3-P3",
          "ML3-P4",
          "ML3-P5",
          "ML3-P7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0123",
          "ISM-0141",
          "ISM-0917",
          "ISM-1618",
          "ISM-1803"
        ],
        "apac-aus-ps-cps-230-2023": [
          "32"
        ],
        "apac-aus-ps-cps-234-2019": [
          "23",
          "24"
        ],
        "apac-chn-pipl-2021": [
          "57",
          "57(1)",
          "57(2)",
          "57(3)"
        ],
        "apac-ind-sebi-2024": [
          "RS.MA.S2"
        ],
        "apac-jpn-ismap": [
          "16.1.1",
          "16.1.1.1",
          "16.1.1.3",
          "16.1.2",
          "16.1.2.1",
          "16.1.2.2",
          "16.1.2.3",
          "16.1.2.4",
          "16.1.2.5",
          "16.1.2.6",
          "16.1.2.7",
          "16.1.2.8",
          "16.1.2.9",
          "16.1.2.10",
          "16.1.2.11.P",
          "16.1.2.12.P",
          "16.1.2.13.P",
          "16.1.3",
          "16.1.3.1",
          "16.1.3.2",
          "16.1.5.9"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP07",
          "HML07"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP07"
        ],
        "apac-nzl-ism-3-9": [
          "5.7.4.C.01",
          "7.2.17.C.01",
          "7.2.17.C.02",
          "7.2.18.C.01",
          "7.2.19.C.01",
          "7.3.9.C.01",
          "7.3.10.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.7.3(a)",
          "7.7.3(b)",
          "7.7.3(c)"
        ],
        "americas-bra-lgpd-2018": [
          "48"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7",
          "2.7.1",
          "2.7.2",
          "3.3",
          "3.3.3",
          "3.4.1",
          "3.4.3",
          "3.4.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.03.04.B",
          "03.06.01",
          "03.06.02.A",
          "03.06.02.B",
          "03.06.02.C",
          "03.06.02.D"
        ]
      }
    },
    {
      "control_id": "IRO-02.1",
      "title": "Automated Incident Handling Processes",
      "family": "IRO",
      "description": "Automated mechanisms exist to support the incident handling process.",
      "scf_question": "Does the organization use automated mechanisms to support the incident handling process?",
      "relative_weight": 1,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically support the incident handling process.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-csa-iot-2": [
          "IAM-08"
        ],
        "general-govramp": [
          "IR-04(01)"
        ],
        "general-govramp-core": [
          "IR-04(01)"
        ],
        "general-govramp-mod": [
          "IR-04(01)"
        ],
        "general-govramp-high": [
          "IR-04(01)"
        ],
        "general-nist-800-53-r4": [
          "IR-4(1)",
          "SI-4(7)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(01)",
          "SI-04(07)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-04(07)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IR-04(01)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(01)",
          "SI-04(07)"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-04(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IR-04(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(07)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-4(1)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-04(07)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04(01)",
          "SI-04(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(01)",
          "SI-04(07)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-04(07)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-4(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-4(1)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(b)"
        ],
        "emea-isr-cmo-1-0": [
          "24.4"
        ]
      }
    },
    {
      "control_id": "IRO-02.2",
      "title": "Insider Threat Response Capability",
      "family": "IRO",
      "description": "Mechanisms exist to implement and govern an insider threat program.",
      "scf_question": "Does the organization implement and govern an insider threat program?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement and govern an insider threat program.",
        "4": "Incident Response (IRO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-04(06)"
        ],
        "general-govramp-high": [
          "IR-04(06)"
        ],
        "general-nist-800-53-r4": [
          "IR-4(6)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(06)",
          "IR-04(07)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(06)",
          "IR-04(07)"
        ],
        "general-nist-800-161-r1": [
          "IR-4(6)",
          "IR-4(7)"
        ],
        "general-nist-800-161-r1-level-1": [
          "IR-4(6)",
          "IR-4(7)"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-4(6)",
          "IR-4(7)"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-4(6)",
          "IR-4(7)"
        ],
        "general-sparta": [
          "CM0052"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(06)"
        ],
        "usa-federal-sro-finra": [
          "248.201(d)(1)",
          "248.201(d)(2)",
          "248.201(d)(2)(i)",
          "248.201(d)(2)(ii)",
          "248.201(d)(2)(iii)",
          "248.201(d)(2)(iv)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-4(CE-6)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1625",
          "ISM-1626"
        ]
      }
    },
    {
      "control_id": "IRO-02.3",
      "title": "Dynamic Reconfiguration",
      "family": "IRO",
      "description": "Automated mechanisms exist to dynamically reconfigure system components as part of the incident response capability.",
      "scf_question": "Does the organization use automated mechanisms to dynamically reconfigure system components as part of the incident response capability?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically dynamically reconfigure system components as part of the incident response capability.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "large": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)",
        "enterprise": "∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-IR-3"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR4.1.7"
        ],
        "general-govramp": [
          "IR-04(02)"
        ],
        "general-govramp-high": [
          "IR-04(02)"
        ],
        "general-nist-800-53-r4": [
          "IR-4(2)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(02)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(02)"
        ]
      }
    },
    {
      "control_id": "IRO-02.4",
      "title": "Incident Classification & Prioritization",
      "family": "IRO",
      "description": "Mechanisms exist to identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions.",
      "scf_question": "Does the organization identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ IT and/or cybersecurity personnel facilitate prompt response to suspected or confirmed security incidents, including timely notification to affected stakeholders.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ National Cyber Incident Scoring System (NCISS) (https://cisa.gov)",
        "small": "∙ National Cyber Incident Scoring System (NCISS) (https://cisa.gov)",
        "medium": "∙ National Cyber Incident Scoring System (NCISS) (https://cisa.gov)",
        "large": "∙ National Cyber Incident Scoring System (NCISS) (https://cisa.gov)",
        "enterprise": "∙ National Cyber Incident Scoring System (NCISS) (https://cisa.gov)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF10",
          "CC7.3-POF7"
        ],
        "general-cobit-2019": [
          "DSS03.01"
        ],
        "general-govramp": [
          "IR-04(03)"
        ],
        "general-govramp-high": [
          "IR-04(03)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 6.2"
        ],
        "general-nist-800-53-r4": [
          "IR-4(3)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(03)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(03)"
        ],
        "general-nist-csf-2-0": [
          "DE.AE",
          "DE.AE-02",
          "DE.AE-04",
          "DE.AE-06",
          "DE.AE-08",
          "RS.MA-03",
          "RS.AN-08"
        ],
        "general-pci-dss-4-0-1": [
          "12.10"
        ],
        "general-swift-cscf-2025": [
          "7.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-1b",
          "RESPONSE-2a",
          "RESPONSE-2b",
          "RESPONSE-2c",
          "RESPONSE-2d",
          "RESPONSE-2e",
          "RESPONSE-2h"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.7.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(03)"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(3)(i)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 1.1",
          "CIP-008-6 1.2.1",
          "CIP-008-6 1.2.2"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(17)(A)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-08-SID"
        ],
        "emea-eu-nis2-2022": [
          "Article 23.3",
          "Article 23.3(a)",
          "Article 23.3(b)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.1.2(a)",
          "3.4.1",
          "3.4.2(a)"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 33.4"
        ],
        "emea-esp-decree-311-2022": [
          "33.4"
        ],
        "apac-ind-sebi-2024": [
          "RS.AN.S2"
        ],
        "apac-jpn-ismap": [
          "16.1.4",
          "16.1.4.1",
          "16.1.4.2"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7",
          "3.4.2"
        ]
      }
    },
    {
      "control_id": "IRO-02.5",
      "title": "Correlation with External Organizations",
      "family": "IRO",
      "description": "Mechanisms exist to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.",
      "scf_question": "Does the organization coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-04(08)"
        ],
        "general-govramp-high": [
          "IR-04(08)"
        ],
        "general-nist-800-53-r4": [
          "IR-4(8)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(08)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(08)"
        ],
        "general-nist-800-161-r1": [
          "IR-1(1)"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-08",
          "DE.AE-03",
          "RS.MA-01",
          "RS.CO"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-4(CE-8)"
        ],
        "emea-deu-c5-2020": [
          "OPS-21"
        ],
        "apac-ind-sebi-2024": [
          "GV.SC.S6",
          "RS.CO.S3",
          "RS.MA.S5"
        ],
        "apac-nzl-ism-3-9": [
          "7.3.10.C.01"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.6"
        ]
      }
    },
    {
      "control_id": "IRO-02.6",
      "title": "Automatic Disabling of Technology Assets, Applications and/or Services (TAAS)",
      "family": "IRO",
      "description": "Mechanisms exist to automatically disable Technology Assets, Applications and/or Services (TAAS), upon detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed.",
      "scf_question": "Does the organization automatically disable Technology Assets, Applications and/or Services (TAAS), upon detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically disable Technology Assets, Applications and/or Services (TAAS), upon detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-IR-3"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-csa-iot-2": [
          "IAM-08"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(05)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(05)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(05)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(b)"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.13",
          "4.15"
        ]
      }
    },
    {
      "control_id": "IRO-03",
      "title": "Indicators of Compromise (IOC)",
      "family": "IRO",
      "description": "Mechanisms exist to define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events.",
      "scf_question": "Does the organization define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-IRO-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Indicators of Compromise (IoC)",
        "small": "∙ Indicators of Compromise (IoC)",
        "medium": "∙ Indicators of Compromise (IoC)",
        "large": "∙ Indicators of Compromise (IoC)",
        "enterprise": "∙ Indicators of Compromise (IoC)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS02.01"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-14"
        ],
        "general-csa-iot-2": [
          "IAM-09",
          "MON-02",
          "MON-09",
          "MON-11"
        ],
        "general-nist-800-171-r2": [
          "3.14.7"
        ],
        "general-nist-csf-2-0": [
          "DE.CM"
        ],
        "general-shared-assessments-sig-2025": [
          "J.5"
        ],
        "general-tisax-6-0-3": [
          "1.6.1"
        ],
        "general-un-155-2021": [
          "7.2.2.2(h)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(h)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.DTDIS"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "3.A"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "SITUATION-2d",
          "SITUATION-2h",
          "SITUATION-2i"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.7"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 1.2.1",
          "CIP-008-6 1.2.2"
        ],
        "emea-deu-bsrit-2017": [
          "5.4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-12"
        ],
        "emea-gbr-caf-4-0": [
          "C1.f"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3201"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "3201"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3201"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3201"
        ],
        "apac-nzl-ism-3-9": [
          "7.2.17.C.01",
          "7.2.17.C.02"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7.2",
          "3.1"
        ]
      }
    },
    {
      "control_id": "IRO-04",
      "title": "Incident Response Plan (IRP)",
      "family": "IRO",
      "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
      "scf_question": "Does the organization maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "4": "Incident Response (IRO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)",
        "small": "∙ Incident Response Plan (IRP)",
        "medium": "∙ Integrated Incident Response Program (IIRP)",
        "large": "∙ Integrated Incident Response Program (IIRP)",
        "enterprise": "∙ Integrated Incident Response Program (IIRP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.3-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.2-POF10",
          "CC2.3-POF8",
          "CC7.3",
          "CC7.3-POF1",
          "CC7.4",
          "CC7.4-POF1",
          "CC7.4-POF2",
          "CC7.4-POF3",
          "CC7.4-POF4",
          "CC7.4-POF5",
          "CC7.4-POF6",
          "CC7.4-POF7",
          "CC7.4-POF8",
          "CC7.4-POF9",
          "CC7.4-POF10",
          "CC7.4-POF11",
          "CC7.4-POF12",
          "CC7.4-POF13"
        ],
        "general-cis-csc-8-1": [
          "17.1",
          "17.4",
          "17.5",
          "17.6",
          "17.9"
        ],
        "general-cis-csc-8-1-ig1": [
          "17.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "17.1",
          "17.4",
          "17.5",
          "17.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "17.1",
          "17.4",
          "17.5",
          "17.6",
          "17.9"
        ],
        "general-cobit-2019": [
          "DSS02.01"
        ],
        "general-csa-cmm-4-1-0": [
          "SEF-03",
          "SEF-07"
        ],
        "general-csa-iot-2": [
          "IAM-09",
          "IMT-01"
        ],
        "general-govramp": [
          "IR-08"
        ],
        "general-govramp-core": [
          "IR-08"
        ],
        "general-govramp-low": [
          "IR-08"
        ],
        "general-govramp-low-plus": [
          "IR-08"
        ],
        "general-govramp-mod": [
          "IR-08"
        ],
        "general-govramp-high": [
          "IR-08"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.7"
        ],
        "general-iso-21434-2021": [
          "RQ-13-02"
        ],
        "general-iso-27002-2022": [
          "5.24",
          "5.26"
        ],
        "general-iso-27017-2015": [
          "16.1.5"
        ],
        "general-iso-27018-2025": [
          "5.24",
          "5.26"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.3",
          "OR-4.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.H(1)",
          "4.H(2)",
          "4.H(2)(a)",
          "4.H(2)(b)",
          "4.H(2)(c)",
          "4.H(2)(d)",
          "4.H(2)(e)",
          "4.H(2)(f)",
          "4.H(2)(g)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 6.2",
          "MANAGE 4.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.2-003",
          "MG-2.3-001",
          "MG-4.2-002"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P7"
        ],
        "general-nist-800-53-r4": [
          "IR-8"
        ],
        "general-nist-800-53-r5-2": [
          "IR-08"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-08"
        ],
        "general-nist-800-82-r3": [
          "IR-08"
        ],
        "general-nist-800-82-r3-low": [
          "IR-08"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-08"
        ],
        "general-nist-800-82-r3-high": [
          "IR-08"
        ],
        "general-nist-800-161-r1": [
          "IR-8"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IR-8"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-8"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-8"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-8"
        ],
        "general-nist-800-171-r2": [
          "NFO - IR-8"
        ],
        "general-nist-800-171-r3": [
          "03.06.01",
          "03.06.05.a",
          "03.06.05.a.01",
          "03.06.05.a.02",
          "03.06.05.a.03",
          "03.06.05.a.04",
          "03.06.05.a.05",
          "03.06.05.a.06",
          "03.06.05.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.02.ODP[01]",
          "A.03.06.02.ODP[02]",
          "A.03.06.05.a.01",
          "A.03.06.05.a.02",
          "A.03.06.05.a.03",
          "A.03.06.05.a.04",
          "A.03.06.05.a.05",
          "A.03.06.05.a.06",
          "A.03.06.05.b[01]",
          "A.03.06.05.b[02]",
          "A.03.06.05.d"
        ],
        "general-nist-csf-2-0": [
          "ID.IM-04",
          "DE.AE-06",
          "RS",
          "RS.MA",
          "RS.MA-01",
          "RS.MA-02",
          "RS.MA-04",
          "RS.MI"
        ],
        "general-pci-dss-4-0-1": [
          "12.10",
          "12.10.1",
          "12.10.5",
          "12.10.7"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.10.1",
          "12.10.5",
          "12.10.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.10.1",
          "12.10.5",
          "12.10.7"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.10.1"
        ],
        "general-scf-dpmp-2025": [
          "8.0"
        ],
        "general-swift-cscf-2025": [
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "1.6.3",
          "9.6.2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.IRPIH"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.S"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-8"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-1a",
          "RESPONSE-3b",
          "RESPONSE-3d",
          "RESPONSE-3e",
          "RESPONSE-3f",
          "RESPONSE-3l"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.7.1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-08"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(3)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(h)",
          "314.4(h)(1)",
          "314.4(h)(2)",
          "314.4(h)(3)",
          "314.4(h)(4)",
          "314.4(h)(5)",
          "314.4(h)(6)",
          "314.4(h)(7)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-8",
          "IR-8.a",
          "IR-8.a.1",
          "IR-8.a.2",
          "IR-8.a.3",
          "IR-8.a.4",
          "IR-8.a.5",
          "IR-8.a.6",
          "IR-8.a.7",
          "IR-8.a.8",
          "IR-8.a.9",
          "IR-8.a.9(i)",
          "IR-8.a.9(ii)",
          "IR-8.a.9(iii)",
          "IR-8.a.9(iv)",
          "IR-8.a.9(v)",
          "IR-8.a.9(vi)",
          "IR-8.a.9(vii)",
          "IR-8.a.9(viii)",
          "IR-8.b",
          "IR-8.c",
          "IR-8.d",
          "IR-8.e",
          "IR-8-IS.1",
          "IR-8-IS.2",
          "IR-8-IS.3"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 R1",
          "CIP-008-6 1.1",
          "CIP-008-6 1.4",
          "CIP-008-6 R2",
          "CIP-008-6 2.2",
          "CIP-008-6 R3"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(17)(B)(i)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)",
          "500.16(a)(1)",
          "500.16(a)(1)(i)",
          "500.16(a)(1)(ii)",
          "500.16(a)(1)(iii)",
          "500.16(a)(1)(iv)",
          "500.16(a)(1)(v)",
          "500.16(a)(1)(vi)",
          "500.16(a)(1)(vii)",
          "500.16(a)(1)(viii)",
          "500.16(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-08"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-08"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-08"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5.1(59)",
          "3.5.1(60)",
          "3.5.1(60)(a)",
          "3.5.1(60)(b)",
          "3.5.1(60)(c)",
          "3.5.1(60)(d)",
          "3.5.1(60)(d)(i)",
          "3.5.1(60)(d)(ii)",
          "3.5.1(60)(e)",
          "3.5.1(60)(f)",
          "3.5.1(60)(f)(i)",
          "3.5.1(60)(f)(ii)"
        ],
        "emea-eu-dora-2023": [
          "Article 17.1",
          "Article 17.2",
          "Article 17.3(a)",
          "Article 17.3(b)",
          "Article 17.3(c)",
          "Article 17.3(d)",
          "Article 17.3(e)",
          "Article 17.3(f)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.1.1",
          "3.1.2(b)",
          "3.1.2(d)",
          "3.5.1",
          "6.10.2(d)"
        ],
        "emea-isr-cmo-1-0": [
          "7.2",
          "24.2",
          "24.3",
          "24.8",
          "24.9"
        ],
        "emea-sau-cgiot-2024": [
          "2-12-1",
          "2-12-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-13-3-1",
          "2-13-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-12-2-2",
          "2-12-2-3",
          "2-12-2-4",
          "2-12-2-5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-23",
          "TPC-88"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 25.1",
          "Article 25.2"
        ],
        "emea-esp-decree-311-2022": [
          "25.1",
          "25.2"
        ],
        "emea-gbr-caf-4-0": [
          "D1.a"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "4101",
          "4102"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "4101",
          "4102"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "4101",
          "4102"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0043",
          "ISM-0576",
          "ISM-0917",
          "ISM-1784"
        ],
        "apac-aus-ps-cps-234-2019": [
          "23",
          "24",
          "25(a)",
          "25(b)"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 25"
        ],
        "apac-chn-pipl-2021": [
          "57",
          "57(1)",
          "57(2)",
          "57(3)"
        ],
        "apac-ind-sebi-2024": [
          "DE.DP.S2",
          "GV.RM.S3",
          "RS.MA.S1",
          "RS.MA.S3"
        ],
        "apac-jpn-ismap": [
          "16.1.5",
          "16.1.5.1",
          "16.1.5.2",
          "16.1.5.3",
          "16.1.5.4",
          "16.1.5.5",
          "16.1.5.6",
          "16.1.5.7",
          "16.1.5.8"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP07",
          "HML07"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS20"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP07"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.12.C.01",
          "5.1.12.C.02",
          "5.6.3.C.01",
          "5.6.3.C.02",
          "7.2.18.C.01",
          "7.3.5.C.01",
          "7.3.9.C.01",
          "7.3.10.C.01",
          "16.1.47.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.7.3(a)",
          "7.7.3(b)",
          "7.7.3(c)",
          "12.3.1",
          "12.3.2",
          "12.3.3"
        ],
        "apac-kor-pipa-2011": [
          "34"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "5.1",
          "5.2",
          "5.3",
          "5.4",
          "5.5",
          "5.6",
          "5.7",
          "5.8"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7.1",
          "2.7.2",
          "3.4.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.01",
          "03.06.05.A",
          "03.06.05.A.01",
          "03.06.05.A.02",
          "03.06.05.A.03",
          "03.06.05.A.04",
          "03.06.05.A.05",
          "03.06.05.A.06",
          "03.06.05.B"
        ]
      }
    },
    {
      "control_id": "IRO-04.1",
      "title": "Data Breach",
      "family": "IRO",
      "description": "Mechanisms exist to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.",
      "scf_question": "Does the organization address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IRO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)",
        "small": "∙ Incident Response Plan (IRP)",
        "medium": "∙ Integrated Incident Response Program (IIRP)",
        "large": "∙ Integrated Incident Response Program (IIRP)",
        "enterprise": "∙ Integrated Incident Response Program (IIRP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.6",
          "D6.6-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC7.3",
          "CC7.3-POF4",
          "CC7.3-POF5",
          "P6.3",
          "P6.6",
          "P6.6-POF2",
          "P6.7"
        ],
        "general-csa-cmm-4-1-0": [
          "SEF-08"
        ],
        "general-csa-iot-2": [
          "GVN-06"
        ],
        "general-iso-27002-2022": [
          "5.25"
        ],
        "general-iso-27018-2025": [
          "5.25"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "6.C"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.AW-P7",
          "CM.AW-P8"
        ],
        "general-nist-800-53-r4": [
          "SE-2"
        ],
        "general-nist-800-53-r5-2": [
          "IR-08(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-08(01)"
        ],
        "general-nist-800-82-r3": [
          "IR-08(01)"
        ],
        "general-scf-dpmp-2025": [
          "8.0"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-8(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.404(a)(1)",
          "164.404(a)(2)",
          "164.404(c)(1)(A)",
          "164.404(c)(1)(B)",
          "164.404(c)(1)(C)",
          "164.404(c)(1)(D)",
          "164.404(c)(1)(E)",
          "164.404(c)(2)",
          "164.404(d)(1)(i)",
          "164.404(d)(1)(ii)",
          "164.404(d)(2)",
          "164.404(d)(2)(i)",
          "164.404(d)(2)(ii)(A)",
          "164.404(d)(2)(ii)(B)",
          "164.404(d)(3)",
          "164.406(a)",
          "164.406(b)",
          "164.406(c)",
          "164.410(c)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-8(CE-1)",
          "IR-8(CE-1).a",
          "IR-8(CE-1).b",
          "IR-8(CE-1).c"
        ],
        "emea-eu-gdpr-2016": [
          "Article 33.1"
        ],
        "emea-deu-c5-2020": [
          "SIM-02"
        ],
        "emea-ken-pda-2019": [
          "43(1)(b)",
          "43(2)",
          "43(3)",
          "43(4)",
          "43(5)",
          "43(5)(a)",
          "43(5)(b)",
          "43(5)(c)",
          "43(5)(d)",
          "43(5)(e)",
          "43(6)",
          "43(7)",
          "43(8)(a)",
          "43(8)(b)",
          "43(8)(c)"
        ],
        "emea-qat-pdppl-2020": [
          "14"
        ],
        "emea-sau-pdpl-2023": [
          "Article 20.1",
          "Article 20.2"
        ],
        "emea-srb-act-9-2018": [
          "53",
          "53.1",
          "53.2",
          "53.3"
        ],
        "emea-zaf-popia-2013": [
          "22"
        ],
        "emea-che-fadp-2025": [
          "12"
        ],
        "emea-gbr-dpa-1998": [
          "Chapter29-Schedule1-Part1-Principles 7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0133"
        ],
        "apac-chn-pipl-2021": [
          "57",
          "57(1)",
          "57(2)",
          "57(3)"
        ],
        "apac-ind-dpdpa-2023": [
          "8(6)"
        ],
        "apac-jpn-ppi-2020": [
          "22-2(1)",
          "22-2(2)"
        ],
        "apac-phl-dpa-2012": [
          "38"
        ],
        "apac-kor-pipa-2011": [
          "34"
        ],
        "apac-twn-pdpa-2025": [
          "12"
        ],
        "americas-bra-lgpd-2018": [
          "48"
        ],
        "americas-mex-fdpa-2010": [
          "20"
        ]
      }
    },
    {
      "control_id": "IRO-04.2",
      "title": "IRP Update",
      "family": "IRO",
      "description": "Mechanisms exist to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary.",
      "scf_question": "Does the organization regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-IRO-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IRO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ On at least an annual basis, IT and/or cybersecurity personnel update incident response strategies to keep current with business needs, technology changes and regulatory requirements.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary.",
        "4": "Incident Response (IRO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.4-POF11"
        ],
        "general-cobit-2019": [
          "DSS03.04"
        ],
        "general-govramp": [
          "IR-01"
        ],
        "general-govramp-low": [
          "IR-01"
        ],
        "general-govramp-low-plus": [
          "IR-01"
        ],
        "general-govramp-mod": [
          "IR-01"
        ],
        "general-govramp-high": [
          "IR-01"
        ],
        "general-nist-800-53-r4": [
          "IR-1"
        ],
        "general-nist-800-53-r5-2": [
          "IR-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-01"
        ],
        "general-nist-800-82-r3": [
          "IR-01"
        ],
        "general-nist-800-82-r3-low": [
          "IR-01"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-01"
        ],
        "general-nist-800-82-r3-high": [
          "IR-01"
        ],
        "general-nist-800-161-r1": [
          "IR-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IR-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "IR-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-1"
        ],
        "general-nist-800-171-r2": [
          "NFO - IR-1"
        ],
        "general-nist-800-171-r3": [
          "03.06.04.b",
          "03.06.05.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.05.c"
        ],
        "general-nist-csf-2-0": [
          "ID.IM-04"
        ],
        "general-pci-dss-4-0-1": [
          "12.10.2",
          "12.10.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.10.2",
          "12.10.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.10.2",
          "12.10.6"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.S"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-01"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(h)(7)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 3.1.2",
          "CIP-008-6 3.1.3",
          "CIP-008-6 3.2.1",
          "CIP-008-6 3.2.2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(a)(1)(ix)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-01",
          "IR-01-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-01"
        ],
        "apac-ind-sebi-2024": [
          "EV.ST.S3",
          "RS.IM.S2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "5.9"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.04.B",
          "03.06.05.C"
        ]
      }
    },
    {
      "control_id": "IRO-04.3",
      "title": "Continuous Incident Response Improvements",
      "family": "IRO",
      "description": "Mechanisms exist to use qualitative and quantitative data from incident response testing to: \n(1) Determine the effectiveness of incident response processes;\n(2) Continuously improve incident response processes; and\n(3) Provide incident response measures and metrics that are accurate, consistent and in a reproducible format.",
      "scf_question": "Does the organization use qualitative and quantitative data from incident response testing to: \n (1) Determine the effectiveness of incident response processes;\n (2) Continuously improve incident response processes; and\n (3) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to use qualitative and quantitative data from incident response testing to: \n(1) Determine the effectiveness of incident response processes;\n(2) Continuously improve incident response processes; and\n(3) Provide incident response measures and metrics that are accurate, consistent and in a reproducible format.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ ITIL 4 (https://axelos.com)\n∙ Incident and problem management",
        "large": "∙ ITIL 4 (https://axelos.com)\n∙ Incident and problem management",
        "enterprise": "∙ ITIL 4 (https://axelos.com)\n∙ Incident and problem management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS03.04",
          "DSS03.05"
        ],
        "general-nist-800-53-r5-2": [
          "IR-03(03)"
        ],
        "general-nist-800-82-r3": [
          "IR-03(03)"
        ],
        "general-nist-800-171-r3": [
          "03.06.04.b"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.S"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-3(CE-3)",
          "IR-3(CE-3).a",
          "IR-3(CE-3).b",
          "IR-3(CE-3).c"
        ],
        "apac-jpn-ismap": [
          "16.1.1.14"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.04.B"
        ]
      }
    },
    {
      "control_id": "IRO-05",
      "title": "Incident Response Training",
      "family": "IRO",
      "description": "Mechanisms exist to train personnel in their incident response roles and responsibilities.",
      "scf_question": "Does the organization train personnel in their incident response roles and responsibilities?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-05",
        "E-IRO-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IRO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ Incident responders are proficient on their specific IRP role(s) and responsibilities through recurring training events (e.g., annual rock drill).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to train personnel in their incident response roles and responsibilities.",
        "4": "In addition to Incident Response (IRO) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ ITIL 4 (https://axelos.com) ∙ Incident and problem management",
        "large": "∙ ITIL 4 (https://axelos.com) ∙ Incident and problem management",
        "enterprise": "∙ ITIL 4 (https://axelos.com) ∙ Incident and problem management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-02"
        ],
        "general-govramp-low": [
          "IR-02"
        ],
        "general-govramp-low-plus": [
          "IR-02"
        ],
        "general-govramp-mod": [
          "IR-02"
        ],
        "general-govramp-high": [
          "IR-02"
        ],
        "general-iso-27002-2022": [
          "5.29"
        ],
        "general-iso-27018-2025": [
          "5.29"
        ],
        "general-nist-800-53-r4": [
          "IR-2"
        ],
        "general-nist-800-53-r5-2": [
          "IR-02",
          "IR-02(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-02",
          "IR-02(03)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-02"
        ],
        "general-nist-800-82-r3": [
          "IR-02",
          "IR-02(03)"
        ],
        "general-nist-800-82-r3-low": [
          "IR-02"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-02"
        ],
        "general-nist-800-82-r3-high": [
          "IR-02"
        ],
        "general-nist-800-161-r1": [
          "IR-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IR-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-2"
        ],
        "general-nist-800-171-r2": [
          "3.6.1"
        ],
        "general-nist-800-171-r3": [
          "03.06.04.a",
          "03.06.04.a.03"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.04.ODP[01]",
          "A.03.06.04.ODP[02]",
          "A.03.06.04.ODP[03]",
          "A.03.06.04.ODP[04]",
          "A.03.06.04.a.01",
          "A.03.06.04.b[01]",
          "A.03.06.04.b[02]",
          "A.03.06.04.b[03]",
          "A.03.06.04.b[04]"
        ],
        "general-pci-dss-4-0-1": [
          "12.10.4",
          "12.10.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.10.4",
          "12.10.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.10.4",
          "12.10.4.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-2",
          "IR-2(3)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IRL2.-3.6.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-02"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-2",
          "IR-2(CE-3)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-2",
          "IR-2-1",
          "IR-2-1a",
          "IR-2-1b",
          "IR-2-1c",
          "IR-2-2",
          "IR-2-2a",
          "IR-2-2b",
          "IR-2-2c",
          "IR-2-2d"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 3.1.3",
          "CIP-008-6 3.2.2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-02",
          "IR-02-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-02"
        ],
        "emea-isr-cmo-1-0": [
          "24.10",
          "24.11"
        ],
        "emea-sau-otcc-1-2022": [
          "2-12-2-6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-88"
        ],
        "apac-ind-sebi-2024": [
          "RS.IM.S2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.04.A",
          "03.06.04.A.03"
        ]
      }
    },
    {
      "control_id": "IRO-05.1",
      "title": "Simulated Incidents",
      "family": "IRO",
      "description": "Mechanisms exist to incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations.",
      "scf_question": "Does the organization incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR6.3.2"
        ],
        "general-govramp": [
          "IR-02(01)"
        ],
        "general-govramp-high": [
          "IR-02(01)"
        ],
        "general-nist-800-53-r4": [
          "IR-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-02(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "IR-02(01)"
        ],
        "general-nist-800-82-r3": [
          "IR-02(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IR-02(01)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.STEXE"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-02(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-2(CE-1)"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.8"
        ]
      }
    },
    {
      "control_id": "IRO-05.2",
      "title": "Automated Incident Response Training Environments",
      "family": "IRO",
      "description": "Automated mechanisms exist to provide a more thorough and realistic incident response training environment.",
      "scf_question": "Does the organization use automated mechanisms to provide a more thorough and realistic incident response training environment?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically provide a more thorough and realistic incident response training environment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-02(02)"
        ],
        "general-govramp-high": [
          "IR-02(02)"
        ],
        "general-nist-800-53-r4": [
          "IR-2(2)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-02(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "IR-02(02)"
        ],
        "general-nist-800-82-r3": [
          "IR-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IR-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-02(02)"
        ]
      }
    },
    {
      "control_id": "IRO-06",
      "title": "Incident Response Testing",
      "family": "IRO",
      "description": "Mechanisms exist to formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities.",
      "scf_question": "Does the organization formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ Incident responders are proficient in their specific IRP role(s) and responsibilities through recurring training events (e.g., annual rock drill).\n▪ On at least an annual basis, IT and/or cybersecurity personnel conduct tabletop exercises to validate disaster recovery and contingency plans, in conjunction with stakeholders and any required vendors.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities.",
        "4": "In addition to Incident Response (IRO) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ \"Table Top\" incident response exercises (rock drills)",
        "small": "∙ \"Table Top\" incident response exercises (rock drills)",
        "medium": "∙ \"Table Top\" incident response exercises (rock drills)\n∙ \"Red team vs blue team\" exercises\n∙ EICAR test file antimalware detection and response exercises",
        "large": "∙ \"Table Top\" incident response exercises (rock drills)\n∙ \"Red team vs blue team\" exercises\n∙ EICAR test file antimalware detection and response exercises",
        "enterprise": "∙ \"Table Top\" incident response exercises (rock drills)\n∙ \"Red team vs blue team\" exercises\n∙ EICAR test file antimalware detection and response exercises"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.5-POF2"
        ],
        "general-cis-csc-8-1": [
          "17.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "17.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "17.7"
        ],
        "general-csa-cmm-4-1-0": [
          "SEF-04"
        ],
        "general-cr-cmm-2026": [
          "CR6.2.6"
        ],
        "general-govramp": [
          "IR-03"
        ],
        "general-govramp-core": [
          "IR-03"
        ],
        "general-govramp-low": [
          "IR-03"
        ],
        "general-govramp-low-plus": [
          "IR-03"
        ],
        "general-govramp-mod": [
          "IR-03"
        ],
        "general-govramp-high": [
          "IR-03"
        ],
        "general-iso-27002-2022": [
          "5.3"
        ],
        "general-iso-27018-2025": [
          "5.30"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.2-003"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P8"
        ],
        "general-nist-800-53-r4": [
          "IR-3",
          "SI-4(9)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-03",
          "SI-04(09)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-03"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IR-03"
        ],
        "general-nist-800-82-r3": [
          "IR-03",
          "SI-04(09)"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-03"
        ],
        "general-nist-800-82-r3-high": [
          "IR-03"
        ],
        "general-nist-800-161-r1": [
          "IR-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-3"
        ],
        "general-nist-800-171-r2": [
          "3.6.3"
        ],
        "general-nist-800-171-r3": [
          "03.06.03"
        ],
        "general-nist-800-171a": [
          "3.6.3"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.03.ODP[01]",
          "A.03.06.03"
        ],
        "general-pci-dss-4-0-1": [
          "12.10.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.10.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.10.2"
        ],
        "general-scf-dpmp-2025": [
          "8.0"
        ],
        "general-swift-cscf-2025": [
          "7.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.STEXE"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.S"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-3g"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "IR.L2-3.6.3"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-03"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-3",
          "IR-3.a",
          "IR-3.b",
          "IR-3.c",
          "IR-3(2)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 2.1",
          "CIP-008-6 3.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(17)(B)(ii)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.16(d)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-03"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.5.5"
        ],
        "emea-isr-cmo-1-0": [
          "24.10",
          "24.11",
          "24.12"
        ],
        "emea-sau-otcc-1-2022": [
          "2-12-2-7"
        ],
        "emea-gbr-caf-4-0": [
          "D1.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "4103",
          "4105"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "4103",
          "4105"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "4103",
          "4105"
        ],
        "apac-aus-ps-cps-234-2019": [
          "26"
        ],
        "apac-ind-sebi-2024": [
          "DE.DP.S2",
          "GV.RM.S3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.8"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.03"
        ]
      }
    },
    {
      "control_id": "IRO-06.1",
      "title": "Coordination with Related Plans",
      "family": "IRO",
      "description": "Mechanisms exist to coordinate incident response testing with organizational elements responsible for related plans.",
      "scf_question": "Does the organization coordinate incident response testing with organizational elements responsible for related plans?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IRO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ On at least an annual basis, IT and/or cybersecurity personnel conduct tabletop exercises to validate disaster recovery and contingency plans, in conjunction with stakeholders and any required vendors.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to coordinate incident response testing with organizational elements responsible for related plans.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-03(02)"
        ],
        "general-govramp-mod": [
          "IR-03(02)"
        ],
        "general-govramp-high": [
          "IR-03(02)"
        ],
        "general-iso-27002-2022": [
          "5.29"
        ],
        "general-iso-27018-2025": [
          "5.29"
        ],
        "general-nist-800-53-r4": [
          "IR-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-03(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IR-03(02)"
        ],
        "general-nist-800-82-r3": [
          "IR-03(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-03(02)"
        ],
        "general-nist-800-82-r3-high": [
          "IR-03(02)"
        ],
        "general-nist-csf-2-0": [
          "RS.CO"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-3(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-3j"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-03(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-3(CE-2)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-03 (02)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-12-2-8"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.8"
        ],
        "americas-can-osfi-b13-2022": [
          "3.4.1"
        ]
      }
    },
    {
      "control_id": "IRO-07",
      "title": "Integrated Security Incident Response Team (ISIRT)",
      "family": "IRO",
      "description": "Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and data protection incident response operations.",
      "scf_question": "Does the organization establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and data protection incident response operations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-01",
        "E-IRO-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IRO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ IT and/or cybersecurity personnel facilitate prompt response to suspected or confirmed security incidents, including timely notification to affected stakeholders.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and data protection incident response operations.",
        "4": "Incident Response (IRO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD). In addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Integrated Security Incident Response Team (ISIRT)",
        "large": "∙ Integrated Security Incident Response Team (ISIRT)",
        "enterprise": "∙ Integrated Security Incident Response Team (ISIRT)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF6",
          "CC7.4",
          "CC7.4-POF1"
        ],
        "general-cis-csc-8-1": [
          "17.1",
          "17.4",
          "17.5",
          "17.6",
          "17.9"
        ],
        "general-cis-csc-8-1-ig1": [
          "17.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "17.1",
          "17.4",
          "17.5",
          "17.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "17.1",
          "17.4",
          "17.5",
          "17.6",
          "17.9"
        ],
        "general-csa-iot-2": [
          "IMT-01"
        ],
        "general-iso-27002-2022": [
          "5.25",
          "5.26"
        ],
        "general-iso-27017-2015": [
          "16.1.4"
        ],
        "general-iso-27018-2025": [
          "5.25",
          "5.26"
        ],
        "general-nist-800-53-r4": [
          "IR-10"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(11)"
        ],
        "general-nist-800-53-r5-2-high": [
          "IR-04(11)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(11)"
        ],
        "general-nist-800-82-r3-high": [
          "IR-04(11)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(11)"
        ],
        "general-nist-800-161-r1": [
          "IR-4(11)"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-4(11)"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.02.b",
          "A.03.06.02.d"
        ],
        "general-nist-800-172": [
          "3.6.2e"
        ],
        "general-nist-csf-2-0": [
          "DE.AE-06",
          "RS",
          "RS.MA",
          "RS.MA-01",
          "RS.MA-04"
        ],
        "general-pci-dss-4-0-1": [
          "12.10.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.10.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.10.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.10.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.10.3"
        ],
        "general-scf-dpmp-2025": [
          "8.1"
        ],
        "general-tisax-6-0-3": [
          "1.6.3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-3a"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "IR.L3-3.6.2E"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(11)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(h)(3)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 1.3"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "Form 8-K Item 1.05(a)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5.1(60)(d)",
          "3.5.1(60)(d)(i)"
        ],
        "emea-eu-dora-2023": [
          "Article 14.1",
          "Article 14.2",
          "Article 14.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.1.2(c)",
          "3.1.3",
          "3.5.3(a)",
          "4.3.3"
        ],
        "emea-isr-cmo-1-0": [
          "24.7",
          "24.9"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-89"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 33.3"
        ],
        "emea-esp-decree-311-2022": [
          "33.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0733",
          "ISM-1618"
        ],
        "apac-aus-ps-cps-234-2019": [
          "23",
          "24",
          "25(a)",
          "25(b)"
        ],
        "apac-nzl-ism-3-9": [
          "7.2.18.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.7.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "5.1",
          "5.2",
          "5.3",
          "5.4",
          "5.5",
          "5.6",
          "5.7",
          "5.8"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7.2",
          "3.3.3",
          "3.4.4"
        ]
      }
    },
    {
      "control_id": "IRO-08",
      "title": "Chain of Custody & Forensics",
      "family": "IRO",
      "description": "Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.",
      "scf_question": "Does the organization perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-01",
        "E-IRO-10"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IRO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)",
        "small": "∙ Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)",
        "medium": "∙ Chain of custody procedures\n∙ OpenText EnCase (https://opentext.com)\n∙ AccessData Forensic Toolkit (FTK) (https://pluralsight.com)\n∙ Exterro (https://exterro.com)",
        "large": "∙ Chain of custody procedures\n∙ OpenText EnCase (https://opentext.com)\n∙ AccessData Forensic Toolkit (FTK) (https://pluralsight.com)\n∙ Exterro (https://exterro.com)",
        "enterprise": "∙ Chain of custody procedures\n∙ OpenText EnCase (https://opentext.com)\n∙ AccessData Forensic Toolkit (FTK) (https://pluralsight.com)\n∙ Exterro (https://exterro.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-csa-iot-2": [
          "IMT-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.5.2"
        ],
        "general-iso-27002-2022": [
          "5.26",
          "5.28"
        ],
        "general-iso-27017-2015": [
          "16.1.7"
        ],
        "general-iso-27018-2025": [
          "5.26",
          "5.28"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-4.0"
        ],
        "general-nist-800-53-r4": [
          "AU-10(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AU-10(03)",
          "IR-04(12)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(12)"
        ],
        "general-nist-800-82-r3": [
          "AU-10(03)",
          "IR-04(12)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(12)"
        ],
        "general-nist-800-161-r1": [
          "AU-10(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AU-10(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AU-10(3)"
        ],
        "general-nist-csf-2-0": [
          "RS.AN",
          "RS.AN-06",
          "RS.AN-07"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "IMC:SG2.SP3"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(12)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 2.3",
          "CIP-009-6 1.5"
        ],
        "emea-deu-c5-2020": [
          "SIM-03"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-89"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "3104"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3104"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "3104"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0137",
          "ISM-0138",
          "ISM-1609",
          "ISM-1731",
          "ISM-1732"
        ],
        "apac-ind-sebi-2024": [
          "RS.AN.S3"
        ],
        "apac-jpn-ismap": [
          "16.1.7",
          "16.1.7.1",
          "16.1.7.2",
          "16.1.7.3",
          "16.1.7.4",
          "16.1.7.5",
          "16.1.7.6",
          "16.1.7.7",
          "16.1.7.8",
          "16.1.7.9",
          "16.1.7.10",
          "16.1.7.11",
          "16.1.7.12",
          "16.1.7.13.PB"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP74",
          "HML74"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP66"
        ],
        "apac-nzl-ism-3-9": [
          "7.3.11.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "3.4.5"
        ]
      }
    },
    {
      "control_id": "IRO-08.1",
      "title": "Licensed Forensic Investigators",
      "family": "IRO",
      "description": "Mechanisms exist to utilize licensed forensic investigators to perform data analysis for evidentiary purposes that may be used in legal proceedings or to prove wrongdoing.",
      "scf_question": "Does the organization utilize licensed forensic investigators to perform data analysis for evidentiary purposes that may be used in legal proceedings or to prove wrongdoing?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ For eDiscovery, IT and/or cybersecurity personnel manually identify and collect Electronically Stored Information (ESI) in order to respond to a request from a lawsuit or investigation.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ Incident responders are proficient on their specific IRP role(s) and responsibilities through recurring training events (e.g., annual rock drill).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize licensed forensic investigators to perform data analysis for evidentiary purposes that may be used in legal proceedings or to prove wrongdoing.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-BC-1",
        "R-BC-4",
        "R-EX-1",
        "R-EX-4",
        "R-EX-5",
        "R-GV-2",
        "R-GV-6",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-8",
        "MT-9",
        "MT-11"
      ],
      "errata": "- new control (SCF)",
      "family_name": "Incident Response",
      "crosswalks": {}
    },
    {
      "control_id": "IRO-09",
      "title": "Situational Awareness For Incidents",
      "family": "IRO",
      "description": "Mechanisms exist to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.",
      "scf_question": "Does the organization document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ IT and/or cybersecurity personnel facilitate prompt response to suspected or confirmed security incidents, including timely notification to affected stakeholders.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF6",
          "CC2.3-POF8",
          "CC7.3-POF2",
          "CC7.4",
          "CC7.4-POF6",
          "CC7.4-POF9"
        ],
        "general-cis-csc-8-1": [
          "17.2",
          "17.6"
        ],
        "general-cis-csc-8-1-ig1": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "17.2",
          "17.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "17.2",
          "17.6"
        ],
        "general-cobit-2019": [
          "DSS02.02",
          "DSS02.05",
          "DSS02.07"
        ],
        "general-govramp": [
          "IR-05"
        ],
        "general-govramp-low": [
          "IR-05"
        ],
        "general-govramp-low-plus": [
          "IR-05"
        ],
        "general-govramp-mod": [
          "IR-05"
        ],
        "general-govramp-high": [
          "IR-05"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.5.2"
        ],
        "general-iso-27002-2022": [
          "5.25"
        ],
        "general-iso-27018-2025": [
          "5.25"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-4.0"
        ],
        "general-nist-800-53-r4": [
          "IR-5"
        ],
        "general-nist-800-53-r5-2": [
          "IR-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-05"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)"
        ],
        "general-nist-800-82-r3": [
          "IR-05"
        ],
        "general-nist-800-82-r3-low": [
          "IR-05"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-05"
        ],
        "general-nist-800-82-r3-high": [
          "IR-05"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-05"
        ],
        "general-nist-800-161-r1": [
          "IR-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IR-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-5"
        ],
        "general-nist-800-171-r3": [
          "03.06.02.a",
          "03.06.02.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.02.a[01]",
          "A.03.06.02.a[02]"
        ],
        "general-nist-csf-2-0": [
          "DE.AE-06",
          "RS",
          "RS.AN-06",
          "RS.CO",
          "RC.RP-06"
        ],
        "general-pci-dss-4-0-1": [
          "A3.3.1"
        ],
        "general-tisax-6-0-3": [
          "1.6.2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.D"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-1c",
          "RESPONSE-2f"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(3)(iv)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-05"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(h)(6)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(1)(ii)(D)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(1)(ii)(D)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-5"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 2.3"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-05"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5.1(60)(d)",
          "3.5.1(60)(d)(ii)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 33.5"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.5.3(b)",
          "3.5.4",
          "6.10.2(a)"
        ],
        "emea-isr-cmo-1-0": [
          "24.5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-89",
          "TPC-90"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 25.2"
        ],
        "emea-esp-decree-311-2022": [
          "25.2"
        ],
        "emea-uae-niaf-2023": [
          "3.3.1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0125",
          "ISM-0137",
          "ISM-0733",
          "ISM-1609",
          "ISM-1803"
        ],
        "apac-aus-ps-cps-234-2019": [
          "23",
          "24"
        ],
        "apac-ind-dpdpa-2023": [
          "8(6)"
        ],
        "apac-ind-sebi-2024": [
          "RS.CO.S3"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.16.C.01",
          "7.3.6.C.01",
          "7.3.6.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.7.5"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.02.A",
          "03.06.02.B"
        ]
      }
    },
    {
      "control_id": "IRO-09.1",
      "title": "Automated Tracking, Data Collection & Analysis",
      "family": "IRO",
      "description": "Automated mechanisms exist to assist in the tracking, collection and analysis of information from actual and potential cybersecurity and data protection incidents.",
      "scf_question": "Does the organization use automated mechanisms to assist in the tracking, collection and analysis of information from actual and potential cybersecurity and data protection incidents?",
      "relative_weight": 1,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically assist in the tracking, collection and analysis of information from actual and potential cybersecurity and data protection incidents.",
        "4": "Incident Response (IRO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Incident Response (IRO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-05(01)"
        ],
        "general-govramp-high": [
          "IR-05(01)"
        ],
        "general-nist-800-53-r4": [
          "IR-5(1)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-05(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "IR-05(01)"
        ],
        "general-nist-800-82-r3": [
          "IR-05(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IR-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-05(01)"
        ],
        "emea-isr-cmo-1-0": [
          "24.5"
        ]
      }
    },
    {
      "control_id": "IRO-09.2",
      "title": "Recurring Incident Analysis",
      "family": "IRO",
      "description": "Mechanisms exist to periodically review incident response activities for the existence of recurring incidents.",
      "scf_question": "Does the organization periodically review incident response activities for the existence of recurring incidents?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically review incident response activities for the existence of recurring incidents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "emea-eu-nis2-annex-2024": [
          "3.4.2(b)"
        ],
        "apac-jpn-ismap": [
          "16.1.5.10"
        ]
      }
    },
    {
      "control_id": "IRO-09.3",
      "title": "Incident Tracking Repository",
      "family": "IRO",
      "description": "Mechanisms exist to maintain a repository of cybersecurity events and incidents that documents:\n(1) Details of the incident (e.g., category, severity, affected parties, etc.);\n(2) Remediation actions taken through incident closure; and\n(3) A summary from the Root Cause Analysis (RCA), if applicable.",
      "scf_question": "Does the organization maintain a repository of cybersecurity events and incidents that documents:\n(1) Details of the incident (e.g., category, severity, affected parties, etc.);\n(2) Remediation actions taken through incident closure; and\n(3) A summary from the Root Cause Analysis (RCA), if applicable?",
      "relative_weight": 7,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a repository of cybersecurity events and incidents that documents:\n(1) Details of the incident (e.g., category, severity, affected parties, etc.);\n(2) Remediation actions taken through incident closure; and\n(3) A summary from the Root Cause Analysis (RCA), if applicable.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-BC-1",
        "R-BC-4",
        "R-EX-1",
        "R-EX-4",
        "R-EX-6",
        "R-GV-6",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-8",
        "MT-9"
      ],
      "errata": "- new control (C2M2)",
      "family_name": "Incident Response",
      "crosswalks": {
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-2f"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(j)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(10)(A)"
        ]
      }
    },
    {
      "control_id": "IRO-09.4",
      "title": "Incident Pattern Analysis",
      "family": "IRO",
      "description": "Mechanisms exist to analyze historical incidents in aggregate to identify:\n(1) Patterns;\n(2) Trends; and\n(3) Other common root causes in order to address the vulnerability and risk.",
      "scf_question": "Does the organization analyze historical incidents in aggregate to identify:\n(1) Patterns;\n(2) Trends; and\n(3) Other common root causes in order to address the vulnerability and risk?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to analyze historical incidents in aggregate to identify:\n(1) Patterns;\n(2) Trends; and\n(3) Other common root causes in order to address the vulnerability and risk.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-BC-1",
        "R-BC-4",
        "R-EX-1",
        "R-EX-4",
        "R-EX-6",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-8",
        "MT-9"
      ],
      "errata": "- new control (C2M2)",
      "family_name": "Incident Response",
      "crosswalks": {
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-2i"
        ]
      }
    },
    {
      "control_id": "IRO-10",
      "title": "Incident Stakeholder Reporting",
      "family": "IRO",
      "description": "Mechanisms exist to timely-report incidents to applicable:\n(1) Internal stakeholders;\n(2) Affected clients & third-parties; and\n(3) Regulatory authorities.",
      "scf_question": "Does the organization timely-report incidents to applicable:\n(1) Internal stakeholders;\n(2) Affected clients & third-parties; and\n(3) Regulatory authorities?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-01",
        "E-IRO-11",
        "E-IRO-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ IT and/or cybersecurity personnel facilitate prompt response to suspected or confirmed security incidents, including timely notification to affected stakeholders.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to timely-report incidents to applicable:\n(1) Internal stakeholders;\n(2) Affected clients & third-parties; and\n(3) Regulatory authorities.",
        "4": "Incident Response (IRO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.6",
          "D6.6-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.2-POF6",
          "CC2.3",
          "CC2.3-POF1",
          "CC2.3-POF8",
          "CC7.3-POF2",
          "CC7.4",
          "CC7.4-POF6",
          "CC7.4-POF9",
          "CC7.4-POF13",
          "CC7.5-POF2",
          "P6.3",
          "P6.7"
        ],
        "general-cis-csc-8-1": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "17.2"
        ],
        "general-cobit-2019": [
          "EDM05.02"
        ],
        "general-coso-2013": [
          "15"
        ],
        "general-csa-cmm-4-1-0": [
          "SEF-08"
        ],
        "general-govramp": [
          "IR-06"
        ],
        "general-govramp-core": [
          "IR-06"
        ],
        "general-govramp-low": [
          "IR-06"
        ],
        "general-govramp-low-plus": [
          "IR-06"
        ],
        "general-govramp-mod": [
          "IR-06"
        ],
        "general-govramp-high": [
          "IR-06"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.5.1"
        ],
        "general-iso-27002-2022": [
          "6.8"
        ],
        "general-iso-27017-2015": [
          "16.1.2"
        ],
        "general-iso-27018-2025": [
          "6.8"
        ],
        "general-iso-29100-2024": [
          "6.1"
        ],
        "general-iso-42001-2023": [
          "A.8.3",
          "A.8.4"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-4.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "6.E(1)(a)",
          "6.E(1)(b)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 4.3"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MG-4.3-001"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.AW-P7"
        ],
        "general-nist-800-53-r4": [
          "IR-6"
        ],
        "general-nist-800-53-r5-2": [
          "IR-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-06"
        ],
        "general-nist-800-82-r3": [
          "IR-06"
        ],
        "general-nist-800-82-r3-low": [
          "IR-06"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-06"
        ],
        "general-nist-800-82-r3-high": [
          "IR-06"
        ],
        "general-nist-800-161-r1": [
          "IR-6"
        ],
        "general-nist-800-171-r3": [
          "03.06.02.b",
          "03.06.02.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.02.ODP[01]",
          "A.03.06.02.b",
          "A.03.06.02.c",
          "A.03.06.02.d"
        ],
        "general-nist-csf-2-0": [
          "DE.AE-06",
          "RS",
          "RS.MA-01",
          "RS.CO",
          "RS.CO-02",
          "RS.CO-03"
        ],
        "general-pci-dss-4-0-1": [
          "12.1.4",
          "12.10.1",
          "A1.2.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.1.4",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.1.4",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.1.4",
          "12.10.1",
          "A1.2.3"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.10.1"
        ],
        "general-scf-dpmp-2025": [
          "8.2"
        ],
        "general-tisax-6-0-3": [
          "1.6.2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "4.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-6"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-2g",
          "RESPONSE-3c"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(3)(v)",
          "609.930(c)(3)(vi)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-06"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(3)(iii)",
          "248.30(a)(4)(i)",
          "248.30(a)(4)(ii)",
          "248.30(a)(4)(iii)",
          "248.30(a)(4)(iv)",
          "248.30(a)(4)(iv)(A)",
          "248.30(a)(4)(iv)(B)",
          "248.30(a)(4)(iv)(C)",
          "248.30(a)(4)(iv)(D)",
          "248.30(a)(4)(iv)(E)",
          "248.30(a)(4)(iv)(F)",
          "248.30(a)(4)(iv)(G)",
          "248.30(a)(4)(iv)(H)",
          "248.30(a)(5)(i)(B)",
          "248.30(a)(5)(ii)",
          "248.30(a)(5)(iii)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(h)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.404(b)",
          "164.408(a)",
          "164.408(b)",
          "164.408(c)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-6",
          "IR-6.a",
          "IR-6.b"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 4.2",
          "CIP-008-6 4.3"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-ca-sb1386-2002": [
          "1798.29(a)",
          "1798.29(c)",
          "1798.82(a)",
          "1798.82(b)",
          "1798.82(c)"
        ],
        "usa-state-il-pipa-2006": [
          "10(a)",
          "10(a)(1)",
          "10(a)(1)(A)",
          "10(a)(1)(B)",
          "10(a)(1)(C)",
          "10(a)(2)",
          "10(b)",
          "10(b-5)",
          "10(c)",
          "10(c)(1)",
          "10(c)(2)",
          "10(c)(3)",
          "10(d)",
          "10(e)(2)",
          "10(e)(2)(A)",
          "10(e)(2)(B)",
          "10(e)(2)(C)",
          "12(a)",
          "12(a)(1)",
          "12(a)(1)(i)",
          "12(a)(1)(ii)",
          "12(a)(1)(iii)",
          "12(a)(2)",
          "12(a-5)",
          "12(b)",
          "12(b)(1)",
          "12(b)(2)",
          "12(b)(3)",
          "12(b)(3)(i)",
          "12(b)(3)(ii)",
          "12(b)(3)(iii)",
          "12(c)",
          "12(d)",
          "12(e)",
          "12(e)(A)",
          "12(e)(B)",
          "12(e)(C)",
          "12(e)(D)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.4(a)",
          "5.260.4(c)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.17(a)(1)",
          "500.17(c)",
          "500.17(c)(1)",
          "500.17(c)(2)"
        ],
        "usa-state-ny-shield-act-2019": [
          "3.2",
          "3.2(a)",
          "3.2(b)",
          "3.3",
          "3.5",
          "3.5(a)",
          "3.5(b)",
          "3.5(c)",
          "3.5(d)",
          "3.5(d)(1)",
          "3.5(d)(2)",
          "3.5(d)(3)",
          "3.8(a)",
          "3.8(b)",
          "3.9",
          "5.2",
          "5.2(a)",
          "5.2(b)",
          "5.3",
          "5.6",
          "5.7(a)",
          "5.7(b)",
          "5.9",
          "5.10"
        ],
        "usa-state-tx-bc521-2009": [
          "521.053(b)",
          "521.053(b-1)",
          "521.053(c)",
          "521.053(d)",
          "521.053(e)",
          "521.053(e)(1)",
          "521.053(e)(2)",
          "521.053(e)(3)",
          "521.053(f)",
          "521.053(f)(1)",
          "521.053(f)(2)",
          "521.053(f)(3)",
          "521.053(g)",
          "521.053(h)",
          "521.053(i)",
          "521.053(i)(1)",
          "521.053(i)(2)",
          "521.053(i)(3)",
          "521.053(i)(4)",
          "521.053(i)(5)",
          "521.053(i)(6)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-06",
          "IR-06-SID"
        ],
        "usa-state-tx-sb820-2019": [
          "11.175(e)",
          "11.175(f)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-06"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(j)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-eu-dora-2023": [
          "Article 14.1",
          "Article 14.2",
          "Article 14.3",
          "Article 19.1",
          "Article 19.2",
          "Article 19.3",
          "Article 19.4",
          "Article 19.4(a)",
          "Article 19.4(b)",
          "Article 19.4(c)",
          "Article 19.5",
          "Article 45.3"
        ],
        "emea-eu-gdpr-2016": [
          "Article 34.1",
          "Article 34.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 23.1",
          "Article 23.2",
          "Article 23.4",
          "Article 23.4(a)",
          "Article 23.4(b)",
          "Article 23.4(c)",
          "Article 23.4(d)",
          "Article 23.4(d)(i)",
          "Article 23.4(d)(ii)",
          "Article 23.4(d)(iii)",
          "Article 23.4(d)(iv)",
          "Article 23.4(e)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.1.2(b)",
          "13.2.2(c)"
        ],
        "emea-deu-c5-2020": [
          "SIM-03",
          "SIM-04"
        ],
        "emea-isr-cmo-1-0": [
          "24.6",
          "24.8"
        ],
        "emea-qat-pdppl-2020": [
          "14"
        ],
        "emea-sau-cgiot-2024": [
          "2-12-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-13-3-3",
          "2-13-3-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-23",
          "TPC-89"
        ],
        "emea-zaf-popia-2013": [
          "22"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 25.2",
          "Article 33.2",
          "Article 33.4",
          "Article 33.7"
        ],
        "emea-esp-decree-311-2022": [
          "25.2",
          "33.2",
          "33.4",
          "33.7"
        ],
        "emea-uae-niaf-2023": [
          "3.3.3"
        ],
        "apac-aus-essential-8-2024": [
          "ML2-P3",
          "ML2-P4",
          "ML2-P5",
          "ML2-P7",
          "ML3-P3",
          "ML3-P4",
          "ML3-P5",
          "ML3-P7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0123",
          "ISM-0137",
          "ISM-0733",
          "ISM-1088",
          "ISM-1609"
        ],
        "apac-aus-ps-cps-230-2023": [
          "33",
          "42"
        ],
        "apac-ind-dpdpa-2023": [
          "8(6)"
        ],
        "apac-ind-sebi-2024": [
          "DE.DP.S3",
          "RC.CO.S2",
          "RC.CO.S3",
          "RS.CO.S2",
          "RS.CO.S3"
        ],
        "apac-jpn-ismap": [
          "6.1.3.2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP75",
          "HML75"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP65"
        ],
        "apac-nzl-ism-3-9": [
          "7.2.18.C.01",
          "7.2.20.C.01",
          "7.2.21.C.01",
          "7.2.23.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.7.5",
          "7.7.6",
          "7.7.7"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.5"
        ],
        "americas-bra-lgpd-2018": [
          "48"
        ],
        "americas-can-osfi-b13-2022": [
          "3.4.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.02.B",
          "03.06.02.C"
        ]
      }
    },
    {
      "control_id": "IRO-10.1",
      "title": "Automated Reporting",
      "family": "IRO",
      "description": "Automated mechanisms exist to assist in the reporting of cybersecurity and data protection incidents.",
      "scf_question": "Does the organization use automated mechanisms to assist in the reporting of cybersecurity and data protection incidents?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically assist in the reporting of cybersecurity and data protection incidents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-06(01)"
        ],
        "general-govramp-core": [
          "IR-06(01)"
        ],
        "general-govramp-mod": [
          "IR-06(01)"
        ],
        "general-govramp-high": [
          "IR-06(01)"
        ],
        "general-nist-800-53-r4": [
          "IR-6(1)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-06(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IR-06(01)"
        ],
        "general-nist-800-82-r3": [
          "IR-06(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-06(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IR-06(01)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-6(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-06(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-06(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-6(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-6(1)"
        ]
      }
    },
    {
      "control_id": "IRO-10.2",
      "title": "Cyber Incident Reporting for Sensitive / Regulated Data",
      "family": "IRO",
      "description": "Mechanisms exist to report sensitive/regulated data incidents in a timely manner.",
      "scf_question": "Does the organization report sensitive/regulated data incidents in a timely manner?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-01",
        "E-IRO-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to report sensitive/regulated data incidents in a timely manner.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)",
        "small": "∙ Incident Response Plan (IRP)",
        "medium": "∙ Integrated Incident Response Program (IIRP)\n∙ Integrated Security Incident Response Team (ISIRT)",
        "large": "∙ Integrated Incident Response Program (IIRP)\n∙ Integrated Security Incident Response Team (ISIRT)",
        "enterprise": "∙ Integrated Incident Response Program (IIRP)\n∙ Integrated Security Incident Response Team (ISIRT)"
      },
      "risks": [
        "R-BC-1",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.6",
          "D6.6-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.2-POF6",
          "CC2.3-POF1",
          "CC2.3-POF12",
          "CC7.3-POF2",
          "CC7.3-POF7",
          "CC7.4",
          "CC7.4-POF6",
          "CC7.4-POF13"
        ],
        "general-cis-csc-8-1": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "17.2"
        ],
        "general-csa-cmm-4-1-0": [
          "SEF-09"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.5.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "6.A",
          "6.A(1)",
          "6.A(2)",
          "6.A(2)(a)",
          "6.A(2)(b)",
          "6.A(2)(b)(i)",
          "6.A(2)(b)(ii)",
          "6.B",
          "6.B(1)",
          "6.B(2)",
          "6.B(3)",
          "6.B(4)",
          "6.B(5)",
          "6.B(6)",
          "6.B(7)",
          "6.B(8)",
          "6.B(9)",
          "6.B(10)",
          "6.B(11)",
          "6.B(12)",
          "6.B(13)",
          "6.D(2)",
          "6.E(2)(a)",
          "6.E(2)(b)",
          "6.F"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MG-4.3-003"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.AW-P7"
        ],
        "general-nist-800-171-r3": [
          "03.06.02.b",
          "03.06.02.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.02.ODP[02]"
        ],
        "general-nist-csf-2-0": [
          "RS.CO",
          "RS.CO-02",
          "RS.CO-03"
        ],
        "general-tisax-6-0-3": [
          "9.6.2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-2g",
          "RESPONSE-3c"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(c)(1)(ii)",
          "252.204-7012(c)(2)",
          "252.204-7012(c)(3)",
          "252.204-7012(d)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(3)(v)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.410(a)(1)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 4.2"
        ],
        "usa-state-ca-sb1386-2002": [
          "1798.29(a)",
          "1798.29(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.17(a)(1)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(j)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 33.1",
          "Article 33.2",
          "Article 33.3(a)",
          "Article 33.3(b)",
          "Article 33.3(c)",
          "Article 33.3(d)",
          "Article 33.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.1.2(b)"
        ],
        "emea-qat-pdppl-2020": [
          "14"
        ],
        "emea-sau-ecc-1-2018": [
          "2-13-3-3",
          "2-13-3-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-23",
          "TPC-89"
        ],
        "emea-srb-act-9-2018": [
          "52",
          "52.1",
          "52.2",
          "52.3",
          "52.4"
        ],
        "emea-uae-niaf-2023": [
          "3.3.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0733"
        ],
        "apac-chn-pipl-2021": [
          "57",
          "57(1)",
          "57(2)",
          "57(3)"
        ],
        "apac-ind-sebi-2024": [
          "DE.DP.S3",
          "RS.CO.S2"
        ],
        "apac-nzl-ism-3-9": [
          "7.2.18.C.01",
          "7.2.20.C.01",
          "7.2.21.C.01",
          "7.2.23.C.01",
          "7.3.8.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.02.B",
          "03.06.02.C"
        ]
      }
    },
    {
      "control_id": "IRO-10.3",
      "title": "Vulnerabilities Related To Incidents",
      "family": "IRO",
      "description": "Mechanisms exist to report system vulnerabilities associated with reported cybersecurity and data protection incidents to organization-defined personnel or roles.",
      "scf_question": "Does the organization report system vulnerabilities associated with reported cybersecurity and data protection incidents to organization-defined personnel or roles?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to report system vulnerabilities associated with reported cybersecurity and data protection incidents to organization-defined personnel or roles.",
        "4": "Incident Response (IRO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "17.2"
        ],
        "general-iso-27002-2022": [
          "8.8"
        ],
        "general-iso-27018-2025": [
          "8.8"
        ],
        "general-nist-800-53-r4": [
          "IR-6(2)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-06(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-06(02)"
        ],
        "general-nist-800-82-r3": [
          "IR-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-06(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-6(CE-3)"
        ],
        "emea-deu-c5-2020": [
          "PSS-02"
        ]
      }
    },
    {
      "control_id": "IRO-10.4",
      "title": "Supply Chain Coordination",
      "family": "IRO",
      "description": "Mechanisms exist to provide cybersecurity and data protection incident information to the provider of the Technology Assets, Applications and/or Services (TAAS) and other organizations involved in the supply chain for TAAS related to the incident.",
      "scf_question": "Does the organization provide cybersecurity and data protection incident information to the provider of the Technology Assets, Applications and/or Services (TAAS) and other organizations involved in the supply chain for TAAS related to the incident?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide cybersecurity and data protection incident information to the provider of the Technology Assets, Applications and/or Services (TAAS) and other organizations involved in the supply chain for TAAS related to the incident.",
        "4": "Incident Response (IRO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.3-POF1",
          "CC7.4"
        ],
        "general-cis-csc-8-1": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "17.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "17.2"
        ],
        "general-iso-27002-2022": [
          "5.2"
        ],
        "general-iso-27018-2025": [
          "5.20"
        ],
        "general-nist-800-53-r4": [
          "IR-6(3)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(10)",
          "IR-06(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(10)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IR-06(03)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(10)",
          "IR-06(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-06(03)"
        ],
        "general-nist-800-82-r3-high": [
          "IR-06(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(10)"
        ],
        "general-nist-800-161-r1": [
          "IR-1(1)",
          "IR-4(10)",
          "IR-6(3)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-4(10)",
          "IR-6(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-4(10)"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-6(3)"
        ],
        "general-nist-csf-2-0": [
          "RS.CO",
          "RS.CO-02",
          "RS.CO-03"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-6(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(10)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04(10)",
          "IR-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(10)",
          "IR-06(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(10)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-7"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-013-2 1.2.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 23.2"
        ],
        "emea-isr-cmo-1-0": [
          "17.11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1569"
        ],
        "apac-ind-sebi-2024": [
          "RS.CO.S3"
        ],
        "apac-jpn-ismap": [
          "16.1.1.15.P"
        ],
        "apac-nzl-ism-3-9": [
          "7.2.22.C.01"
        ]
      }
    },
    {
      "control_id": "IRO-10.5",
      "title": "Serious Incident Reporting",
      "family": "IRO",
      "description": "Mechanisms exist to report any serious incident involving the organization's Technology Assets, Applications, Services and/or Data (TAASD) to relevant authorities in the locality where the incident occurred, in accordance with mandatory reporting:\n(1) Requirements; and\n(2) Timelines.",
      "scf_question": "Does the organization report any serious incident involving the organization's Technology Assets, Applications and/or Services (TAAS) to relevant authorities in the locality where the incident occurred, in accordance with mandatory reporting:\n(1) Requirements; and\n(2) Timelines?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to report any serious incident involving the organization's TAASD to relevant authorities in the locality where the incident occurred, in accordance with mandatory reporting:\n(1) Requirements; and\n(2) Timelines.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 R4",
          "CIP-008-6 4.1",
          "CIP-008-6 4.1.1",
          "CIP-008-6 4.1.2",
          "CIP-008-6 4.1.3",
          "CIP-008-6 4.2"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 11.2",
          "Article 11.4"
        ]
      }
    },
    {
      "control_id": "IRO-11",
      "title": "Incident Reporting Assistance",
      "family": "IRO",
      "description": "Mechanisms exist to provide incident response advice and assistance to users of Technology Assets, Applications and/or Services (TAAS) for the handling and reporting of actual and potential cybersecurity and data protection incidents.",
      "scf_question": "Does the organization provide incident response advice and assistance to users of Technology Assets, Applications and/or Services (TAAS) for the handling and reporting of actual and potential cybersecurity and data protection incidents?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide incident response advice and assistance to users of Technology Assets, Applications and/or Services (TAAS) for the handling and reporting of actual and potential cybersecurity and data protection incidents.",
        "4": "Incident Response (IRO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-07"
        ],
        "general-govramp-low": [
          "IR-07"
        ],
        "general-govramp-low-plus": [
          "IR-07"
        ],
        "general-govramp-mod": [
          "IR-07"
        ],
        "general-govramp-high": [
          "IR-07"
        ],
        "general-nist-800-53-r4": [
          "IR-7"
        ],
        "general-nist-800-53-r5-2": [
          "IR-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-07"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-07"
        ],
        "general-nist-800-82-r3": [
          "IR-07"
        ],
        "general-nist-800-82-r3-low": [
          "IR-07"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-07"
        ],
        "general-nist-800-82-r3-high": [
          "IR-07"
        ],
        "general-nist-800-161-r1": [
          "IR-7"
        ],
        "general-nist-800-171-r3": [
          "03.06.02.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.02.d"
        ],
        "general-scf-dpmp-2025": [
          "8.0"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-07"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-7(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-7"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-07"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-07"
        ],
        "emea-eu-dora-2023": [
          "Article 14.1",
          "Article 14.2",
          "Article 14.3"
        ],
        "apac-nzl-ism-3-9": [
          "7.3.12.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.02.D"
        ]
      }
    },
    {
      "control_id": "IRO-11.1",
      "title": "Automation Support of Availability of Information / Support",
      "family": "IRO",
      "description": "Automated mechanisms exist to increase the availability of incident response-related information and support.",
      "scf_question": "Does the organization use automated mechanisms to increase the availability of incident response-related information and support?",
      "relative_weight": 1,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically increase the availability of incident response-related information and support.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-07(01)"
        ],
        "general-govramp-mod": [
          "IR-07(01)"
        ],
        "general-govramp-high": [
          "IR-07(01)"
        ],
        "general-nist-800-53-r4": [
          "IR-7(1)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-07(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "IR-07(01)"
        ],
        "general-nist-800-82-r3": [
          "IR-07(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-07(01)"
        ],
        "general-nist-800-82-r3-high": [
          "IR-07(01)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-7(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-07(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-07(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-7(1)"
        ]
      }
    },
    {
      "control_id": "IRO-11.2",
      "title": "Coordination With External Providers",
      "family": "IRO",
      "description": "Mechanisms exist to establish a direct, cooperative relationship between the organization's incident response capability and external service providers.",
      "scf_question": "Does the organization establish a direct, cooperative relationship between its incident response capability and external service providers?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish a direct, cooperative relationship between the organization's incident response capability and external service providers.",
        "4": "Incident Response (IRO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF6",
          "CC2.3-POF2",
          "CC2.3-POF12",
          "CC7.4"
        ],
        "general-govramp": [
          "IR-07(02)"
        ],
        "general-govramp-low-plus": [
          "IR-07(02)"
        ],
        "general-govramp-mod": [
          "IR-07(02)"
        ],
        "general-govramp-high": [
          "IR-07(02)"
        ],
        "general-iso-27002-2022": [
          "5.29"
        ],
        "general-iso-27018-2025": [
          "5.29"
        ],
        "general-nist-800-53-r4": [
          "IR-7(2)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-07(02)"
        ],
        "general-nist-800-82-r3": [
          "IR-07(02)"
        ],
        "general-nist-800-161-r1": [
          "IR-7(2)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-7(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-7(2)"
        ],
        "general-scf-dpmp-2025": [
          "8.2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-3j",
          "RESPONSE-3k"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(f)",
          "252.204-7012(g)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-7(CE-2)",
          "IR-7(CE-2).a",
          "IR-7(CE-2).b"
        ],
        "emea-zaf-popia-2013": [
          "21.2"
        ],
        "apac-nzl-ism-3-9": [
          "7.3.10.C.01",
          "7.3.11.C.01",
          "7.3.12.C.01"
        ]
      }
    },
    {
      "control_id": "IRO-12",
      "title": "Sensitive / Regulated Data Spill Response",
      "family": "IRO",
      "description": "Mechanisms exist to respond to sensitive/regulated data spills.",
      "scf_question": "Does the organization respond to sensitive/regulated data spills?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-IRO-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to respond to sensitive/regulated data spills.",
        "4": "Incident Response (IRO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)",
        "small": "∙ Incident Response Plan (IRP)",
        "medium": "∙ Integrated Incident Response Program (IIRP)\n∙ Integrated Security Incident Response Team (ISIRT)",
        "large": "∙ Integrated Incident Response Program (IIRP)\n∙ Integrated Security Incident Response Team (ISIRT)",
        "enterprise": "∙ Integrated Incident Response Program (IIRP)\n∙ Integrated Security Incident Response Team (ISIRT)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P6.3"
        ],
        "general-govramp": [
          "IR-09"
        ],
        "general-govramp-low-plus": [
          "IR-09"
        ],
        "general-govramp-mod": [
          "IR-09"
        ],
        "general-govramp-high": [
          "IR-09"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P5"
        ],
        "general-nist-800-53-r4": [
          "IR-9"
        ],
        "general-nist-800-53-r5-2": [
          "IR-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-09"
        ],
        "general-nist-800-82-r3": [
          "IR-09"
        ],
        "general-nist-800-161-r1": [
          "IR-9"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-9"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-9"
        ],
        "general-nist-800-171-r3": [
          "03.06.01"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.22.b[02]"
        ],
        "general-pci-dss-4-0-1": [
          "12.10.7",
          "A3.2.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.10.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.10.7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-09"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-9"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-9",
          "IR-9.a",
          "IR-9.b",
          "IR-9.c",
          "IR-9.d",
          "IR-9.e"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-3.e",
          "9-4"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-09"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-09"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0133"
        ],
        "apac-nzl-ism-3-9": [
          "7.3.7.C.01",
          "7.3.7.C.02",
          "7.3.7.C.03",
          "7.3.7.C.04",
          "7.3.7.C.05",
          "7.3.7.C.06",
          "7.3.8.C.01",
          "7.3.8.C.02",
          "7.3.8.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.01"
        ]
      }
    },
    {
      "control_id": "IRO-12.1",
      "title": "Sensitive / Regulated Data Spill Responsible Personnel",
      "family": "IRO",
      "description": "Mechanisms exist to formally assign personnel or roles with responsibility for responding to sensitive/regulated data spills.",
      "scf_question": "Does the organization formally assign personnel or roles with responsibility for responding to sensitive/regulated data spills?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to formally assign personnel or roles with responsibility for responding to sensitive/regulated data spills.",
        "4": "In addition to Incident Response (IRO) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Incident Response Plan (IRP)",
        "small": "∙ Incident Response Plan (IRP)",
        "medium": "∙ Integrated Incident Response Program (IIRP)\n∙ Integrated Security Incident Response Team (ISIRT)",
        "large": "∙ Integrated Incident Response Program (IIRP)\n∙ Integrated Security Incident Response Team (ISIRT)",
        "enterprise": "∙ Integrated Incident Response Program (IIRP)\n∙ Integrated Security Incident Response Team (ISIRT)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-09"
        ],
        "general-govramp-low-plus": [
          "IR-09"
        ],
        "general-govramp-mod": [
          "IR-09"
        ],
        "general-govramp-high": [
          "IR-09"
        ],
        "general-nist-800-53-r4": [
          "IR-9(1)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-09"
        ],
        "general-nist-800-82-r3": [
          "IR-09"
        ],
        "general-nist-800-161-r1": [
          "IR-9"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-9"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-09"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-9"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-09"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-09"
        ]
      }
    },
    {
      "control_id": "IRO-12.2",
      "title": "Sensitive / Regulated Data Spill Training",
      "family": "IRO",
      "description": "Mechanisms exist to ensure incident response training material provides coverage for sensitive/regulated data spillage response.",
      "scf_question": "Does the organization ensure incident response training material provides coverage for sensitive/regulated data spillage response?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure incident response training material provides coverage for sensitive/regulated data spillage response.",
        "4": "In addition to Incident Response (IRO) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-09(02)"
        ],
        "general-govramp-mod": [
          "IR-09(02)"
        ],
        "general-govramp-high": [
          "IR-09(02)"
        ],
        "general-nist-800-53-r4": [
          "IR-9(2)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-09(02)"
        ],
        "general-nist-800-82-r3": [
          "IR-09(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-09(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-09(02)"
        ]
      }
    },
    {
      "control_id": "IRO-12.3",
      "title": "Post-Sensitive / Regulated Data Spill Operations",
      "family": "IRO",
      "description": "Mechanisms exist to ensure that organizational personnel impacted by sensitive/regulated data spills can continue to carry out assigned tasks while contaminated Technology Assets, Applications and/or Services (TAAS) are undergoing corrective actions.",
      "scf_question": "Does the organization ensure that organizational personnel impacted by sensitive/regulated data spills can continue to carry out assigned tasks while contaminated Technology Assets, Applications and/or Services (TAAS) are undergoing corrective actions?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that organizational personnel impacted by sensitive/regulated data spills can continue to carry out assigned tasks while contaminated Technology Assets, Applications and/or Services (TAAS) are undergoing corrective actions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-09(03)"
        ],
        "general-govramp-mod": [
          "IR-09(03)"
        ],
        "general-govramp-high": [
          "IR-09(03)"
        ],
        "general-nist-800-53-r4": [
          "IR-9(3)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-09(03)"
        ],
        "general-nist-800-82-r3": [
          "IR-09(03)"
        ],
        "general-pci-dss-4-0-1": [
          "12.10.7",
          "A3.2.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.10.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.10.7"
        ],
        "general-shared-assessments-sig-2025": [
          "K.7"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-09(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-09(03)"
        ],
        "emea-deu-c5-2020": [
          "OPS-21"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0133"
        ]
      }
    },
    {
      "control_id": "IRO-12.4",
      "title": "Sensitive / Regulated Data Exposure to Unauthorized Personnel",
      "family": "IRO",
      "description": "Mechanisms exist to address security safeguards for personnel exposed to sensitive/regulated data that is not within their assigned access authorizations.",
      "scf_question": "Does the organization address security safeguards for personnel exposed to sensitive/regulated data that is not within their assigned access authorizations?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address security safeguards for personnel exposed to sensitive/regulated data that is not within their assigned access authorizations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-govramp": [
          "IR-09(04)"
        ],
        "general-govramp-mod": [
          "IR-09(04)"
        ],
        "general-govramp-high": [
          "IR-09(04)"
        ],
        "general-nist-800-53-r4": [
          "IR-9(4)"
        ],
        "general-nist-800-53-r5-2": [
          "IR-09(04)"
        ],
        "general-nist-800-82-r3": [
          "IR-09(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-09(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-09(04)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0133"
        ],
        "apac-nzl-ism-3-9": [
          "7.3.8.C.01",
          "7.3.8.C.02"
        ]
      }
    },
    {
      "control_id": "IRO-13",
      "title": "Root Cause Analysis (RCA) & Lessons Learned",
      "family": "IRO",
      "description": "Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents.",
      "scf_question": "Does the organization incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IRO-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ Incident responders provide After Action Review (AAR) feedback on what worked, what did not work and ways to improve future responses to similar incidents.\n▪ A formal Root Cause Analysis (RCA) is performed that documents the findings in a report for both technical and business leadership management.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents.",
        "4": "Incident Response (IRO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Root Cause Analysis (RCA)",
        "small": "∙ Root Cause Analysis (RCA)",
        "medium": "∙ Root Cause Analysis (RCA)",
        "large": "∙ Root Cause Analysis (RCA)",
        "enterprise": "∙ Root Cause Analysis (RCA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.4-POF10"
        ],
        "general-cis-csc-8-1": [
          "16.3",
          "17.8"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.3",
          "17.8"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.3",
          "17.8"
        ],
        "general-cobit-2019": [
          "DSS03.03"
        ],
        "general-govramp": [
          "IR-01"
        ],
        "general-govramp-low": [
          "IR-01"
        ],
        "general-govramp-low-plus": [
          "IR-01"
        ],
        "general-govramp-mod": [
          "IR-01"
        ],
        "general-govramp-high": [
          "IR-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.6.3"
        ],
        "general-iso-27002-2022": [
          "5.24",
          "5.27"
        ],
        "general-iso-27017-2015": [
          "16.1.6"
        ],
        "general-iso-27018-2025": [
          "5.24",
          "5.26(a)",
          "5.27"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MG-4.2-002",
          "MG-4.3-001"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.MT-P6"
        ],
        "general-nist-800-53-r4": [
          "IR-1"
        ],
        "general-nist-800-53-r5-2": [
          "IR-01",
          "IR-04(12)",
          "IR-06(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-01",
          "IR-04(12)",
          "IR-06(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-01"
        ],
        "general-nist-800-82-r3": [
          "IR-01",
          "IR-04(12)",
          "IR-06(02)"
        ],
        "general-nist-800-82-r3-low": [
          "IR-01"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-01"
        ],
        "general-nist-800-82-r3-high": [
          "IR-01"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(12)"
        ],
        "general-nist-800-161-r1": [
          "IR-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "IR-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "IR-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "IR-1"
        ],
        "general-nist-800-171-r2": [
          "NFO - IR-1"
        ],
        "general-nist-800-171-r3": [
          "03.06.04.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.04.ODP[04]"
        ],
        "general-nist-800-218": [
          "RV.3"
        ],
        "general-nist-csf-2-0": [
          "ID.IM-02",
          "ID.IM-03",
          "RS.AN-03"
        ],
        "general-pci-dss-4-0-1": [
          "12.10.6",
          "A3.3.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.10.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.10.6"
        ],
        "general-tisax-6-0-3": [
          "1.6.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "IMC:SG5",
          "IMC:SG5.SP1",
          "IMC:SG5.SP2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.D"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RESPONSE-3h",
          "RESPONSE-3i"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-01",
          "IR-04(12)",
          "IR-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-01",
          "IR-04(12)",
          "IR-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-01",
          "IR-04(12)",
          "IR-06(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-01",
          "IR-04(12)",
          "IR-06(02)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(h)(7)"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-1",
          "IR-6(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-008-6 3.1.1",
          "CIP-008-6 3.1.2"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(j)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.4(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-01"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(10)(B)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.2",
          "Article 13.2(a)",
          "Article 13.2(b)",
          "Article 13.2(c)",
          "Article 13.2(d)",
          "Article 13.3"
        ],
        "emea-eu-nis2-2022": [
          "Article 23.4(d)(ii)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.6.1",
          "3.6.2",
          "3.6.3"
        ],
        "emea-deu-c5-2020": [
          "SIM-05"
        ],
        "emea-sau-cgiot-2024": [
          "2-12-2",
          "2-12-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-89"
        ],
        "emea-gbr-caf-4-0": [
          "D2",
          "D2.a",
          "D2.b"
        ],
        "emea-gbr-cap-1850-2020": [
          "D2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "4200"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "4200"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "4200"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "4200"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1213"
        ],
        "apac-aus-ps-cps-234-2019": [
          "25(a)"
        ],
        "apac-ind-sebi-2024": [
          "EV.ST.S3",
          "RC.IM.S1",
          "RS.AN.S3",
          "RS.AN.S4",
          "RS.AN.S4a",
          "RS.AN.S4b",
          "RS.AN.S5",
          "RS.IM.S1"
        ],
        "apac-jpn-ismap": [
          "16.1.6",
          "16.1.6.1",
          "16.1.6.2"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.8.1",
          "7.8.2",
          "7.8.3",
          "12.3.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "5.9"
        ],
        "americas-can-osfi-b13-2022": [
          "2.7.3",
          "3.4",
          "3.4.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.04.B"
        ]
      }
    },
    {
      "control_id": "IRO-14",
      "title": "Regulatory & Law Enforcement Contacts",
      "family": "IRO",
      "description": "Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.",
      "scf_question": "Does the organization maintain incident response contacts with applicable regulatory and law enforcement agencies?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain incident response contacts with applicable regulatory and law enforcement agencies.",
        "4": "Incident Response (IRO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.3",
          "CC7.4"
        ],
        "general-coso-2013": [
          "15"
        ],
        "general-csa-cmm-4-1-0": [
          "SEF-10"
        ],
        "general-govramp": [
          "IR-06"
        ],
        "general-govramp-core": [
          "IR-06"
        ],
        "general-govramp-low": [
          "IR-06"
        ],
        "general-govramp-low-plus": [
          "IR-06"
        ],
        "general-govramp-mod": [
          "IR-06"
        ],
        "general-govramp-high": [
          "IR-06"
        ],
        "general-nist-800-53-r4": [
          "IR-6"
        ],
        "general-nist-800-53-r5-2": [
          "IR-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-06"
        ],
        "general-nist-800-82-r3": [
          "IR-06"
        ],
        "general-nist-800-82-r3-low": [
          "IR-06"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-06"
        ],
        "general-nist-800-82-r3-high": [
          "IR-06"
        ],
        "general-nist-800-161-r1": [
          "IR-6"
        ],
        "general-nist-800-171-r3": [
          "03.06.02.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.06.02.ODP[02]"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-06"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-6"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.17(a)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-06"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 10"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0140"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-ism-3-9": [
          "2.1.10.C.01"
        ],
        "apac-sgp-pdpa-2012": [
          "11"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.02.C"
        ]
      }
    },
    {
      "control_id": "IRO-15",
      "title": "Detonation Chambers (Sandboxes)",
      "family": "IRO",
      "description": "Mechanisms exist to utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments.",
      "scf_question": "Does the organization utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "9.0",
          "9.6",
          "9.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.6",
          "9.7"
        ],
        "general-iso-21434-2021": [
          "RC-05-15"
        ],
        "general-mitre-att&ck-16-1": [
          "T1137",
          "T1137.001",
          "T1137.002",
          "T1137.003",
          "T1137.004",
          "T1137.005",
          "T1137.006",
          "T1203",
          "T1204",
          "T1204.001",
          "T1204.002",
          "T1204.003",
          "T1221",
          "T1564.009",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1566.003",
          "T1598",
          "T1598.001",
          "T1598.002",
          "T1598.003"
        ],
        "general-nist-800-53-r4": [
          "SC-44"
        ],
        "general-nist-800-53-r5-2": [
          "SC-44"
        ],
        "general-nist-800-82-r3": [
          "SC-44"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-44"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.E3AEP",
          "3.PEP.EM.MFPRO",
          "3.PEP.EM.PDPRO",
          "3.PEP.FI.DCHAM"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2411"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0651",
          "ISM-0652",
          "ISM-1389"
        ],
        "apac-jpn-ismap": [
          "12.2.1.14"
        ],
        "apac-nzl-ism-3-9": [
          "15.2.21.C.01"
        ]
      }
    },
    {
      "control_id": "IRO-16",
      "title": "Public Relations & Reputation Repair",
      "family": "IRO",
      "description": "Mechanisms exist to proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to the organization's reputation.",
      "scf_question": "Does the organization proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to its reputation?",
      "relative_weight": 6,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-IRO-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Recover",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Incident Response (IRO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IRO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Incident response-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "2": "Incident Response (IRO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with DCH domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Incident response-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Incident response management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.",
        "3": "Incident Response (IRO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IRO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Cybersecurity personnel operate an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.\n▪ An incident response team, or similar function, is appropriately staffed and supported to implement and maintain IRO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of incident response operations (e.g., incident management software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IRO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to the organization's reputation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic incident response plan\n∙ Designate incident response contact",
        "small": "∙ Documented incident response plan\n∙ Incident log\n∙ Designated IR team",
        "medium": "∙ Formal incident response program\n∙ IR playbooks\n∙ Tabletop exercises",
        "large": "∙ Enterprise incident response program\n∙ 24/7 SOC monitoring\n∙ SOAR platform",
        "enterprise": "∙ Enterprise SOC with SIEM/SOAR (e.g., Splunk SOAR, Palo Alto XSOAR)\n∙ IR retainer\n∙ Threat hunting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Incident Response",
      "crosswalks": {
        "general-nist-privacy-framework-1-0": [
          "CM.AW-P8"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(15)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(15)"
        ],
        "general-nist-csf-2-0": [
          "RC.CO-04"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(4)(i)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-eu-nis2-2022": [
          "Article 23.2"
        ],
        "apac-ind-sebi-2024": [
          "RC.CO.S1"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.7.5",
          "7.7.6",
          "7.7.7"
        ]
      }
    },
    {
      "control_id": "IAO-01",
      "title": "Information Assurance (IA) Operations",
      "family": "IAO",
      "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience assessment and authorization controls.",
      "scf_question": "Does the organization facilitate the implementation of security, compliance and resilience assessment and authorization controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAO-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Information Assurance (IAO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Pre-production security testing-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.\n▪ IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel coordinate IAP activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of security, compliance and resilience assessment and authorization controls.",
        "4": "Information Assurance (IAO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Controls Validation Testing (CVT)",
        "small": "∙ Controls Validation Testing (CVT)",
        "medium": "∙ Controls Validation Testing (CVT)\n∙ Information Assurance (IA) program\n∙ VisibleOps security management",
        "large": "∙ Controls Validation Testing (CVT)\n∙ Information Assurance (IA) program\n∙ VisibleOps security management",
        "enterprise": "∙ Controls Validation Testing (CVT)\n∙ Information Assurance (IA) program\n∙ VisibleOps security management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1",
          "CC4.1-POF8",
          "CC6.1-POF2",
          "CC6.1-POF9"
        ],
        "general-cobit-2019": [
          "MEA04.05",
          "MEA04.06"
        ],
        "general-coso-2013": [
          "16"
        ],
        "general-csa-iot-2": [
          "IOT-01",
          "SET-01"
        ],
        "general-govramp": [
          "CA-01"
        ],
        "general-govramp-low": [
          "CA-01"
        ],
        "general-govramp-low-plus": [
          "CA-01"
        ],
        "general-govramp-mod": [
          "CA-01"
        ],
        "general-govramp-high": [
          "CA-01"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.4"
        ],
        "general-iso-21434-2021": [
          "PM-06-15",
          "RQ-06-24",
          "RQ-06-25",
          "RQ-06-26",
          "RQ-06-27",
          "RQ-06-28",
          "RQ-06-28(a)",
          "RQ-06-28(b)",
          "RQ-06-29"
        ],
        "general-iso-27002-2022": [
          "5.21"
        ],
        "general-iso-27018-2025": [
          "5.21"
        ],
        "general-iso-31000-2018": [
          "5.5",
          "5.6"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "A.6.2.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.3",
          "MANAGE 1.1"
        ],
        "general-nist-800-53-r4": [
          "CA-1",
          "PM-10"
        ],
        "general-nist-800-53-r5-2": [
          "CA-01",
          "PM-10"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-01",
          "PM-10"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-01"
        ],
        "general-nist-800-82-r3": [
          "CA-01",
          "PM-10"
        ],
        "general-nist-800-82-r3-low": [
          "CA-01",
          "PM-10"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-01",
          "PM-10"
        ],
        "general-nist-800-82-r3-high": [
          "CA-01",
          "PM-10"
        ],
        "general-nist-800-161-r1": [
          "CA-1",
          "PM-10"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CA-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "CA-1",
          "PM-10"
        ],
        "general-nist-800-161-r1-level-2": [
          "CA-1",
          "PM-10"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-1"
        ],
        "general-nist-800-171-r2": [
          "NFO - CA-1"
        ],
        "general-nist-800-171-r3": [
          "03.12.01"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-01"
        ],
        "general-scf-dpmp-2025": [
          "7.11"
        ],
        "general-sparta": [
          "CM0089"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(e)",
          "7.2.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.F",
          "2.Q"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-4c"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(a)",
          "11.10(b)",
          "11.10(c)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-01"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-1",
          "PM-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-1",
          "PM-10-1",
          "PM-10-1a",
          "PM-10-1b",
          "PM-10-1c",
          "PM-10-2",
          "PM-10-2a",
          "PM-10-2b",
          "PM-10-2c",
          "PM-10-2d"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "11-3.a(4)(a)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.F",
          "III.F.1",
          "III.F.2.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(C)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-01",
          "PM-10"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-01"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.8"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.6(41)",
          "3.4.6(42)",
          "3.4.6(43)",
          "3.4.6(43)(a)",
          "3.4.6(43)(b)",
          "3.4.6(44)",
          "3.4.6(45)",
          "3.4.6(46)",
          "3.4.6(47)",
          "3.4.6(48)",
          "3.6.2(70)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.5.1",
          "6.5.2(a)",
          "6.5.3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "7.11"
        ],
        "emea-isr-cmo-1-0": [
          "10.6",
          "16.5",
          "17.1",
          "17.16",
          "17.18"
        ],
        "emea-qat-pdppl-2020": [
          "11.1",
          "11.2",
          "11.3",
          "11.4",
          "11.5",
          "11.6",
          "11.7",
          "11.8"
        ],
        "emea-sau-cgiot-2024": [
          "1-5-2",
          "2-15-2",
          "4-1-5",
          "4-2-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-4-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-51"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "60"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1205"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1205"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1205"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0027",
          "ISM-0280",
          "ISM-1525"
        ],
        "apac-ind-sebi-2024": [
          "ID.AM.S4",
          "PR.AA.S16"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP68",
          "HML67"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP59"
        ],
        "apac-nzl-ism-3-9": [
          "2.2.5.C.01",
          "4.4.4.C.01",
          "4.4.5.C.01",
          "4.4.5.C.02",
          "4.4.5.C.03",
          "4.4.5.C.04",
          "4.4.6.C.01",
          "4.4.7.C.01",
          "4.4.7.C.02",
          "4.4.8.C.01",
          "4.4.8.C.02",
          "4.4.8.C.03",
          "4.4.8.C.04",
          "4.4.9.C.01",
          "4.4.10.C.01",
          "4.4.11.C.01",
          "4.4.12.C.01",
          "4.4.12.C.02",
          "4.4.12.C.03",
          "4.4.12.C.04",
          "4.4.12.C.05"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.1.2",
          "5.4.1",
          "5.4.2",
          "5.4.3",
          "5.4.4",
          "5.6.1",
          "5.6.2",
          "5.6.3",
          "5.7.1",
          "5.7.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.14"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.01"
        ]
      }
    },
    {
      "control_id": "IAO-01.1",
      "title": "Assessment Boundaries",
      "family": "IAO",
      "description": "Mechanisms exist to establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the Technology Assets, Applications, Services and/or Data (TAASD) under review.",
      "scf_question": "Does the organization establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the Technology Assets, Applications, Services and/or Data (TAASD) under review?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Information Assurance (IAO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Pre-production security testing-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.\n▪ IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the TAASD under review.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document security assurance requirements for critical systems",
        "small": "∙ Security assurance checklist for critical systems",
        "medium": "∙ Formal information assurance program\n∙ Security testing and validation",
        "large": "∙ Enterprise information assurance program\n∙ Independent security testing",
        "enterprise": "∙ Enterprise IA program\n∙ Formal evaluation (e.g., Common Criteria, FedRAMP)\n∙ Continuous assurance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF11"
        ],
        "general-cobit-2019": [
          "MEA04.04"
        ],
        "general-csa-iot-2": [
          "SET-01"
        ],
        "general-iso-21434-2021": [
          "RQ-06-30",
          "RQ-06-30(a)",
          "RQ-06-30(b)",
          "RQ-06-30(c)",
          "RQ-06-30(d)"
        ],
        "general-nist-800-37-r2": [
          "TASK P-11"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(8)"
        ],
        "general-nist-800-171-r3": [
          "03.12.01"
        ],
        "general-swift-cscf-2025": [
          "7.3A"
        ],
        "general-ul-2900-1-2017": [
          "4.1(g)"
        ],
        "general-un-155-2021": [
          "7.2.2.2(e)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(e)"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.F"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(a)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(8)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(8)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.F.2.b"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.5.2(c)"
        ],
        "apac-nzl-ism-3-9": [
          "5.8.61.C.01",
          "5.8.61.C.02",
          "5.8.61.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.1",
          "5.7.2"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.01"
        ]
      }
    },
    {
      "control_id": "IAO-02",
      "title": "Assessments",
      "family": "IAO",
      "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
      "scf_question": "Does the organization formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-IAO-03",
        "E-IAO-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Information Assurance (IAO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Pre-production security testing-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.\n▪ IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel coordinate IAP activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations.\n▪ IAP testing results in a formal risk assessment where business process owners (BPOs) are required to make a decision to (1) reduce, (2) avoid, (3) transfer and/or (4) accept risk(s) on behalf of the organization.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "4": "Information Assurance (IAO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Controls Validation Testing (CVT)",
        "small": "∙ Controls Validation Testing (CVT)",
        "medium": "∙ Controls Validation Testing (CVT)\n∙ Information Assurance (IA) program\n∙ VisibleOps security management",
        "large": "∙ Controls Validation Testing (CVT)\n∙ Information Assurance (IA) program\n∙ VisibleOps security management",
        "enterprise": "∙ Controls Validation Testing (CVT)\n∙ Information Assurance (IA) program\n∙ VisibleOps security management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1",
          "CC4.1-POF8",
          "CC6.1-POF2"
        ],
        "general-cobit-2019": [
          "BAI03.06",
          "BAI03.08",
          "MEA04.06",
          "MEA04.07"
        ],
        "general-coso-2013": [
          "16"
        ],
        "general-csa-iot-2": [
          "SET-01"
        ],
        "general-govramp": [
          "CA-02"
        ],
        "general-govramp-low": [
          "CA-02"
        ],
        "general-govramp-low-plus": [
          "CA-02"
        ],
        "general-govramp-mod": [
          "CA-02"
        ],
        "general-govramp-high": [
          "CA-02"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.4(a)"
        ],
        "general-iso-21434-2021": [
          "PM-06-15(a)",
          "PM-06-15(b)",
          "PM-06-15(c)",
          "PM-06-16",
          "PM-06-16(a)",
          "PM-06-16(b)",
          "PM-06-16(c)",
          "PM-06-16(d)",
          "PM-06-17",
          "PM-06-17(a)",
          "PM-06-17(b)",
          "RQ-06-20",
          "RQ-06-22",
          "RQ-10-08",
          "RQ-10-09",
          "RQ-10-10",
          "RQ-10-10(a)",
          "RQ-10-10(b)",
          "RQ-10-10(c)",
          "RQ-10-10(d)",
          "RQ-10-11",
          "RQ-10-12",
          "RQ-10-13",
          "RQ-11-01",
          "RQ-11-01(a)",
          "RQ-11-01(b)",
          "RQ-11-01(c)",
          "RQ-11-01(d)",
          "RQ-11-02"
        ],
        "general-iso-27002-2022": [
          "5.21",
          "5.23",
          "8.29"
        ],
        "general-iso-27017-2015": [
          "14.2.8"
        ],
        "general-iso-27018-2025": [
          "5.21",
          "5.23",
          "8.29"
        ],
        "general-iso-31010-2009": [
          "5.3.2"
        ],
        "general-iso-42001-2023": [
          "A.6.2.5"
        ],
        "general-mitre-att&ck-16-1": [
          "T1190",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1210"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.0"
        ],
        "general-nist-800-37-r2": [
          "TASK C-3",
          "TASK A-1",
          "TASK A-2",
          "TASK A-3"
        ],
        "general-nist-800-53-r4": [
          "CA-2"
        ],
        "general-nist-800-53-r5-2": [
          "CA-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-02"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(8)"
        ],
        "general-nist-800-82-r3": [
          "CA-02"
        ],
        "general-nist-800-82-r3-low": [
          "CA-02"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-02"
        ],
        "general-nist-800-82-r3-high": [
          "CA-02"
        ],
        "general-nist-800-161-r1": [
          "CA-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CA-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "CA-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-2"
        ],
        "general-nist-800-171-r2": [
          "3.12.1"
        ],
        "general-nist-800-171-r3": [
          "03.12.01"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-01",
          "ID.IM-01",
          "ID.IM-02"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "general-un-155-2021": [
          "7.2.2.2(e)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(e)"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.F",
          "2.Q"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-4d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CAL2.-3.12.1"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(a)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(8)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(8)"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-2",
          "CA-2.a",
          "CA-2.a.1",
          "CA-2.a.2",
          "CA-2.a.3",
          "CA-2.b",
          "CA-2.c",
          "CA-2.d",
          "CA-2-IS.1",
          "CA-2-IS.2",
          "CA-2-IS.3",
          "CA-2-IS.4"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "11-3.a(4)(b)",
          "11-3.a(4)(c)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.F.2.a",
          "III.F.2.b",
          "III.F.2.c"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-02"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.8"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.6(41)",
          "3.4.6(42)",
          "3.4.6(43)",
          "3.4.6(43)(a)",
          "3.4.6(43)(b)",
          "3.4.6(44)",
          "3.4.6(45)",
          "3.4.6(46)",
          "3.4.6(47)",
          "3.4.6(48)",
          "3.6.2(70)",
          "3.6.2(71)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.5.2(a)",
          "6.5.2(b)"
        ],
        "emea-deu-bsrit-2017": [
          "7.11"
        ],
        "emea-isr-cmo-1-0": [
          "10.6",
          "16.5",
          "17.2",
          "17.16",
          "17.18"
        ],
        "emea-qat-pdppl-2020": [
          "11.1",
          "11.2"
        ],
        "emea-sau-cgiot-2024": [
          "2-15-2",
          "4-1-5",
          "4-2-3",
          "4-2-4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1205"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1205"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1205"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0100"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 35"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S16"
        ],
        "apac-jpn-ismap": [
          "14.1.1.12",
          "14.1.1.17",
          "14.1.1.18",
          "14.2.7.4",
          "14.2.9",
          "14.2.9.1",
          "14.2.9.2",
          "14.2.9.3",
          "14.2.9.4"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP68",
          "HML67"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP59"
        ],
        "apac-nzl-ism-3-9": [
          "4.2.10.C.01",
          "4.3.20.C.01",
          "4.3.20.C.02",
          "4.3.20.C.03",
          "6.3.8.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.1",
          "5.7.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.14"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.01"
        ]
      }
    },
    {
      "control_id": "IAO-02.1",
      "title": "Assessor Independence",
      "family": "IAO",
      "description": "Mechanisms exist to ensure assessors or assessment teams have the appropriate independence to conduct security, compliance and/or resilience control assessments.",
      "scf_question": "Does the organization ensure assessors or assessment teams have the appropriate independence to conduct security, compliance and/or resilience control assessments?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Information Assurance (IAO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Pre-production security testing-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure assessors or assessment teams have the appropriate independence to conduct security, compliance and/or resilience control assessments.",
        "4": "Information Assurance (IAO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document security assurance requirements for critical systems",
        "small": "∙ Security assurance checklist for critical systems",
        "medium": "∙ Formal information assurance program\n∙ Security testing and validation",
        "large": "∙ Enterprise information assurance program\n∙ Independent security testing",
        "enterprise": "∙ Enterprise IA program\n∙ Formal evaluation (e.g., Common Criteria, FedRAMP)\n∙ Continuous assurance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1"
        ],
        "general-govramp": [
          "CA-02(01)"
        ],
        "general-govramp-low": [
          "CA-02(01)"
        ],
        "general-govramp-low-plus": [
          "CA-02(01)"
        ],
        "general-govramp-mod": [
          "CA-02(01)"
        ],
        "general-govramp-high": [
          "CA-02(01)"
        ],
        "general-nist-800-37-r2": [
          "TASK A-1"
        ],
        "general-nist-800-53-r4": [
          "CA-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-02(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CA-02(01)"
        ],
        "general-nist-800-82-r3": [
          "CA-02(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-02(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CA-02(01)"
        ],
        "general-nist-800-171-r2": [
          "NFO - CA-2(1)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-2(1)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-02(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-02(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-02(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-02(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-2(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-2(1)",
          "CA-2(1)-IS"
        ],
        "emea-isr-cmo-1-0": [
          "17.2",
          "17.16"
        ],
        "apac-nzl-ism-3-9": [
          "4.3.16.C.01"
        ]
      }
    },
    {
      "control_id": "IAO-02.2",
      "title": "Specialized Assessments",
      "family": "IAO",
      "description": "Mechanisms exist to conduct specialized assessments for: \n(1) Statutory, regulatory and contractual compliance obligations;\n(2) Monitoring capabilities; \n(3) Mobile devices;\n(4) Databases;\n(5) Application security;\n(6) Embedded technologies (e.g., IoT, OT, etc.);\n(7) Vulnerability management; \n(8) Malicious code; \n(9) Insider threats;\n(10) Performance/load testing; and/or\n(11) Artificial Intelligence and Autonomous Technologies (AAT).",
      "scf_question": "Does the organization conduct specialized assessments for: \n (1) Statutory, regulatory and contractual compliance obligations;\n (2) Monitoring capabilities; \n (3) Mobile devices;\n (4) Databases;\n (5) Application security;\n (6) Embedded technologies (e.g., IoT, OT, etc.);\n (7) Vulnerability management; \n (8) Malicious code; \n (9) Insider threats;\n (10) Performance/load testing; and/or\n (11) Artificial Intelligence and Autonomous Technologies (AAT) testing?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Information Assurance (IAO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Pre-production security testing-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.\n▪ IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct specialized assessments for: \n(1) Statutory, regulatory and contractual compliance obligations;\n(2) Monitoring capabilities; \n(3) Mobile devices;\n(4) Databases;\n(5) Application security;\n(6) Embedded technologies (e.g., IoT, OT, etc.);\n(7) Vulnerability management; \n(8) Malicious code; \n(9) Insider threats;\n(10) Performance/load testing; and/or\n(11) Artificial Intelligence and Autonomous Technologies (AAT).",
        "4": "Information Assurance (IAO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Controls Validation Testing (CVT)",
        "small": "∙ Controls Validation Testing (CVT)",
        "medium": "∙ Controls Validation Testing (CVT)",
        "large": "∙ Controls Validation Testing (CVT)",
        "enterprise": "∙ Controls Validation Testing (CVT)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1",
          "CC4.1-POF4"
        ],
        "general-coso-2013": [
          "16"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-05"
        ],
        "general-csa-iot-2": [
          "IOT-01",
          "SET-01"
        ],
        "general-govramp": [
          "CA-02(02)"
        ],
        "general-govramp-mod": [
          "CA-02(02)"
        ],
        "general-govramp-high": [
          "CA-02(02)"
        ],
        "general-iso-27002-2022": [
          "5.21",
          "5.23",
          "8.29"
        ],
        "general-iso-27018-2025": [
          "5.21",
          "5.23",
          "8.29"
        ],
        "general-iso-42001-2023": [
          "A.6.2.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 2.3",
          "MEASURE 3.1",
          "MEASURE 3.2"
        ],
        "general-nist-800-37-r2": [
          "TASK A-1"
        ],
        "general-nist-800-53-r4": [
          "CA-2(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-02(02)",
          "SA-11(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-11(05)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CA-02(02)"
        ],
        "general-nist-800-82-r3": [
          "CA-02(02)",
          "SA-11(05)"
        ],
        "general-nist-800-82-r3-high": [
          "CA-02(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-11(05)"
        ],
        "general-nist-800-161-r1": [
          "CA-2(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-2(2)"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-ul-2900-1-2017": [
          "4.1(h)"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.F"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-02(02)",
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-11(05)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-11(CE-5)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(70)",
          "3.6.2(71)"
        ],
        "emea-deu-bsrit-2017": [
          "7.11"
        ],
        "emea-isr-cmo-1-0": [
          "17.2",
          "17.16"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0100",
          "ISM-1137",
          "ISM-1570"
        ],
        "apac-nzl-ism-3-9": [
          "4.3.20.C.01",
          "4.3.20.C.02",
          "4.3.20.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.4"
        ]
      }
    },
    {
      "control_id": "IAO-02.3",
      "title": "Third-Party Assessment Reciprocity",
      "family": "IAO",
      "description": "Mechanisms exist to accept and respond to the results of external assessments that are performed by impartial, external organizations.",
      "scf_question": "Does the organization accept and respond to the results of external assessments that are performed by impartial, external organizations?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.\n▪ IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to accept and respond to the results of external assessments that are performed by impartial, external organizations.",
        "4": "Information Assurance (IAO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Controls Validation Testing (CVT)",
        "small": "∙ Controls Validation Testing (CVT)",
        "medium": "∙ Controls Validation Testing (CVT)\n∙ Audit steering committee\n∙ Information Assurance (IA) program",
        "large": "∙ Controls Validation Testing (CVT)\n∙ Audit steering committee\n∙ Information Assurance (IA) program",
        "enterprise": "∙ Controls Validation Testing (CVT)\n∙ Audit steering committee\n∙ Information Assurance (IA) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed",
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-govramp": [
          "CA-02(03)"
        ],
        "general-govramp-mod": [
          "CA-02(03)"
        ],
        "general-govramp-high": [
          "CA-02(03)"
        ],
        "general-nist-800-53-r4": [
          "CA-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-02(03)"
        ],
        "general-nist-800-82-r3": [
          "CA-02(03)"
        ],
        "general-nist-800-161-r1": [
          "CA-2(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-2(3)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-02(03)"
        ],
        "emea-isr-cmo-1-0": [
          "17.2",
          "17.16"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0100"
        ],
        "apac-nzl-ism-3-9": [
          "4.3.16.C.01",
          "4.3.20.C.01",
          "4.3.20.C.02",
          "4.3.20.C.03",
          "5.8.62.C.01"
        ]
      }
    },
    {
      "control_id": "IAO-02.4",
      "title": "Security Assessment Report (SAR)",
      "family": "IAO",
      "description": "Mechanisms exist to produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions.",
      "scf_question": "Does the organization produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAO-01",
        "E-IAO-03",
        "E-IAO-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.\n▪ IAP testing results in a formal risk assessment where Business process owners (BPOs) are required to make a decision to (1) reduce, (2) avoid, (3) transfer and/or (4) accept risk(s) on behalf of the organization.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Controls Validation Testing (CVT)\n∙ Security Assessment Report (SAR)",
        "small": "∙ Controls Validation Testing (CVT)\n∙ Security Assessment Report (SAR)",
        "medium": "∙ Controls Validation Testing (CVT)\n∙ Security Assessment Report (SAR)",
        "large": "∙ Controls Validation Testing (CVT)\n∙ Security Assessment Report (SAR)",
        "enterprise": "∙ Controls Validation Testing (CVT)\n∙ Security Assessment Report (SAR)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-cobit-2019": [
          "MEA04.08"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.4(d)"
        ],
        "general-iso-21434-2021": [
          "RQ-06-31",
          "RQ-06-32",
          "RQ-06-33(b)"
        ],
        "general-nist-800-37-r2": [
          "TASK A-4",
          "TASK M-5"
        ],
        "general-nist-csf-2-0": [
          "ID.IM-01",
          "ID.IM-02"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.5.2(c)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1563"
        ],
        "apac-nzl-ism-3-9": [
          "4.2.11.C.01",
          "4.2.12.C.01",
          "4.3.21.C.01",
          "4.5.17.C.01",
          "6.3.8.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.6"
        ]
      }
    },
    {
      "control_id": "IAO-03",
      "title": "Applied Security, Compliance and Resilience Controls Documentation",
      "family": "IAO",
      "description": "Mechanisms exist to generate authoritative documentation (e.g., System Security Plan (SSP)) that:\n(1) Identifies key architectural and implementation information on in-scope Technology Assets, Applications and/or Services (TAAS);\n(2) Reflects the current state of applied security, compliance and resilience controls on applicable People, Processes, Technologies, Data and/or Facilities (PPTDF) that are contained within the system boundary; and\n(3) Provides a historical record of applied security controls, including changes.",
      "scf_question": "Does the organization generate authoritative documentation (e.g., System Security Plan (SSP)) that:\n(1) Identifies key architectural and implementation information on in-scope Technology Assets, Applications and/or Services (TAAS);\n(2) Reflects the current state of applied security, compliance and resilience controls on applicable People, Processes, Technologies, Data and/or Facilities (PPTDF) that are contained within the system boundary; and\n(3) Provides a historical record of applied security controls, including changes?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-14"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to develop and maintain System Security Plans (SSPs) or similar documentation, to identify and maintain key architectural information for each business-critical Technology Assets, Applications and/or Services (TAAS).",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to generate authoritative documentation (e.g., System Security Plan (SSP)) that:\n(1) Identifies key architectural and implementation information on in-scope Technology Assets, Applications and/or Services (TAAS);\n(2) Reflects the current state of applied security, compliance and resilience controls on applicable People, Processes, Technologies, Data and/or Facilities (PPTDF) that are contained within the system boundary; and\n(3) Provides a historical record of applied security controls, including changes.",
        "4": "Information Assurance (IAO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ System Security Plan (SSP)\n∙ System Security & Privacy Plan (SSPP)",
        "small": "∙ System Security Plan (SSP)\n∙ System Security & Privacy Plan (SSPP)",
        "medium": "∙ System Security Plan (SSP)\n∙ System Security & Privacy Plan (SSPP)",
        "large": "∙ System Security Plan (SSP)\n∙ System Security & Privacy Plan (SSPP)",
        "enterprise": "∙ System Security Plan (SSP)\n∙ System Security & Privacy Plan (SSPP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF11",
          "CC2.3-POF9",
          "CC2.3-POF10",
          "CC2.3-POF11"
        ],
        "general-govramp": [
          "PL-02"
        ],
        "general-govramp-low": [
          "PL-02"
        ],
        "general-govramp-low-plus": [
          "PL-02"
        ],
        "general-govramp-mod": [
          "PL-02"
        ],
        "general-govramp-high": [
          "PL-02"
        ],
        "general-iso-21434-2021": [
          "RQ-06-05",
          "RQ-06-05(a)",
          "RQ-06-05(b)",
          "RQ-06-06",
          "RQ-06-07",
          "RQ-06-08",
          "RQ-06-10",
          "RQ-06-11",
          "RQ-06-18",
          "RQ-06-23",
          "RQ-09-01(a)",
          "RQ-09-01(b)",
          "RQ-09-01(c)",
          "RQ-09-02",
          "RQ-09-08",
          "RQ-09-08(a)",
          "RQ-09-08(b)",
          "RQ-09-09",
          "RQ-09-10",
          "RQ-09-11",
          "RQ-09-11(a)",
          "RQ-09-11(b)",
          "RQ-12-01",
          "RQ-12-02",
          "RQ-12-02(a)",
          "RQ-12-02(b)",
          "RQ-12-02(c)",
          "RQ-12-02(d)",
          "RQ-12-03"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 4.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P7",
          "ID.BE-P3"
        ],
        "general-nist-800-37-r2": [
          "TASK C-1",
          "TASK S-4",
          "TASK S-5",
          "TASK S-6"
        ],
        "general-nist-800-53-r4": [
          "PL-2"
        ],
        "general-nist-800-53-r5-2": [
          "PL-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-02"
        ],
        "general-nist-800-82-r3": [
          "PL-02"
        ],
        "general-nist-800-82-r3-low": [
          "PL-02"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-02"
        ],
        "general-nist-800-82-r3-high": [
          "PL-02"
        ],
        "general-nist-800-161-r1": [
          "PL-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PL-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PL-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "PL-2"
        ],
        "general-nist-800-171-r2": [
          "3.12.4"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.b",
          "03.15.02.a",
          "03.15.02.a.01",
          "03.15.02.a.02",
          "03.15.02.a.03",
          "03.15.02.a.04",
          "03.15.02.a.05",
          "03.15.02.a.06",
          "03.15.02.a.07",
          "03.15.02.a.08",
          "03.15.02.b"
        ],
        "general-nist-800-171a": [
          "3.12.4[a]",
          "3.12.4[b]",
          "3.12.4[c]",
          "3.12.4[d]",
          "3.12.4[e]",
          "3.12.4[f]",
          "3.12.4[g]",
          "3.12.4[h]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.11.a[02]",
          "A.03.04.11.a[03]",
          "A.03.04.11.b[01]",
          "A.03.04.11.b[02]",
          "A.03.15.02.ODP[01]",
          "A.03.15.02.a.01",
          "A.03.15.02.a.02",
          "A.03.15.02.a.03",
          "A.03.15.02.a.04",
          "A.03.15.02.a.05",
          "A.03.15.02.a.06",
          "A.03.15.02.a.07",
          "A.03.15.02.a.08",
          "A.03.15.02.b[01]",
          "A.03.15.02.b[02]",
          "A.03.15.02.c"
        ],
        "general-nist-800-172": [
          "3.11.4e"
        ],
        "general-scf-dpmp-2025": [
          "5.13"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-2"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CAL2.-3.12.4"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.4E"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.30"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-02"
        ],
        "usa-federal-irs-1075-2021": [
          "2.E.4.3",
          "2.E.4.3-1.1",
          "2.E.4.3-1.2",
          "2.E.4.3-1.3",
          "2.E.4.3-1.4",
          "2.E.4.3-1.5",
          "2.E.4.3-2.1",
          "2.E.4.3-2.2",
          "2.E.4.3-2.3",
          "2.E.4.3-2.4",
          "2.E.6.1-1",
          "2.E.6.1-2",
          "2.E.6.1-3",
          "2.E.6.1-4",
          "PL-2",
          "PL-2(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-2",
          "PL-2.a",
          "PL-2.a.1",
          "PL-2.a.2",
          "PL-2.a.3",
          "PL-2.a.4",
          "PL-2.a.5",
          "PL-2.a.6",
          "PL-2.a.7",
          "PL-2.a.8",
          "PL-2.a.9",
          "PL-2.b",
          "PL-2.c",
          "PL-2.d",
          "PL-2.d.1",
          "PL-2.d.2",
          "PL-2.d.3",
          "PL-2.d.4",
          "PL-2.d.5",
          "PL-2.e",
          "PL-2-IS",
          "PL-2(3)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "11-3.a(2)(b)3",
          "11-3.b(3)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B.2",
          "III.B.2.a",
          "III.B.2.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PL-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-02"
        ],
        "emea-eu-ai-act-2024": [
          "Article 11.1"
        ],
        "emea-qat-pdppl-2020": [
          "11.1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2301"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2301"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0041",
          "ISM-0432"
        ],
        "apac-jpn-ismap": [
          "4.4.4",
          "4.4.5.2"
        ],
        "apac-nzl-ism-3-9": [
          "3.4.12.C.01",
          "3.4.12.C.02",
          "4.3.17.C.01",
          "4.3.18.C.01",
          "4.3.18.C.02",
          "4.3.18.C.03",
          "4.3.18.C.04",
          "4.3.18.C.05",
          "5.1.8.C.01",
          "5.1.9.C.01",
          "5.1.10.C.01",
          "5.4.5.C.01",
          "5.4.5.C.02",
          "5.4.5.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.B",
          "03.15.02.A",
          "03.15.02.A.01",
          "03.15.02.A.02",
          "03.15.02.A.03",
          "03.15.02.A.04",
          "03.15.02.A.05",
          "03.15.02.A.06",
          "03.15.02.A.07",
          "03.15.02.A.08",
          "03.15.02.B"
        ]
      }
    },
    {
      "control_id": "IAO-03.1",
      "title": "Plan / Coordinate with Other Organizational Entities",
      "family": "IAO",
      "description": "Mechanisms exist to plan and coordinate Information Assurance Program (IAP) activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations.",
      "scf_question": "Does the organization plan and coordinate Information Assurance Program (IAP) activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to plan and coordinate Information Assurance Program (IAP) activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations.",
        "4": "Information Assurance (IAO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document security assurance requirements for critical systems",
        "small": "∙ Security assurance checklist for critical systems",
        "medium": "∙ Audit steering committee\n∙ Information Assurance (IA) program\n∙ VisibleOps security management",
        "large": "∙ Audit steering committee\n∙ Information Assurance (IA) program\n∙ VisibleOps security management",
        "enterprise": "∙ Audit steering committee\n∙ Information Assurance (IA) program\n∙ VisibleOps security management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1"
        ],
        "general-govramp": [
          "PL-02"
        ],
        "general-govramp-low": [
          "PL-02"
        ],
        "general-govramp-low-plus": [
          "PL-02"
        ],
        "general-govramp-mod": [
          "PL-02"
        ],
        "general-govramp-high": [
          "PL-02"
        ],
        "general-nist-800-37-r2": [
          "TASK P-9"
        ],
        "general-nist-800-53-r4": [
          "PL-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "PL-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-02"
        ],
        "general-nist-800-82-r3": [
          "PL-02"
        ],
        "general-nist-800-82-r3-low": [
          "PL-02"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-02"
        ],
        "general-nist-800-82-r3-high": [
          "PL-02"
        ],
        "general-nist-800-161-r1": [
          "PL-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PL-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PL-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "PL-2"
        ],
        "general-nist-800-171-r2": [
          "NFO - PL-2(3)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-02"
        ],
        "usa-federal-irs-1075-2021": [
          "PL-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PL-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-02"
        ]
      }
    },
    {
      "control_id": "IAO-03.2",
      "title": "Adequate Security for Sensitive / Regulated Data In Support of Contracts",
      "family": "IAO",
      "description": "Mechanisms exist to protect sensitive/regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract.",
      "scf_question": "Does the organization protect sensitive/regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-IAO-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect sensitive/regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract.",
        "4": "Information Assurance (IAO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Contract flow-down requirements",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Contract flow-down requirements",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Contract flow-down requirements",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Contract flow-down requirements",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Contract flow-down requirements"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "15.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "15.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.4"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-17",
          "IPY-04"
        ],
        "general-csa-iot-2": [
          "CLS-04"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-004"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P3"
        ],
        "general-nist-800-171-r2": [
          "3.12.4"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-05"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CAL2.-3.12.4"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(b)(3)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(b)(3)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1305(3)(b)"
        ],
        "usa-state-il-pipa-2006": [
          "45(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-20-SID",
          "SA-04-SID",
          "SA-09-SID"
        ],
        "emea-deu-c5-2020": [
          "HR-06",
          "PI-02"
        ],
        "emea-isr-cmo-1-0": [
          "16.5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-25"
        ],
        "emea-srb-act-9-2018": [
          "5",
          "11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0072",
          "ISM-1451",
          "ISM-1571",
          "ISM-1572",
          "ISM-1573",
          "ISM-1574",
          "ISM-1575"
        ],
        "apac-jpn-ppi-2020": [
          "22"
        ],
        "apac-jpn-ismap": [
          "13.2.2",
          "13.2.2.2",
          "13.2.2.3",
          "13.2.2.4",
          "13.2.2.6",
          "13.2.2.7",
          "13.2.2.8",
          "13.2.2.9",
          "13.2.2.10",
          "13.2.2.11"
        ],
        "apac-nzl-ism-3-9": [
          "2.2.5.C.02"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 5",
          "P5-(a)",
          "P5-(a)(i)",
          "P5-(a)(ii)",
          "P5-(a)(iii)",
          "P5-(b)"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.4.3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.26",
          "4.28"
        ]
      }
    },
    {
      "control_id": "IAO-04",
      "title": "Threat Analysis & Flaw Remediation During Development",
      "family": "IAO",
      "description": "Mechanisms exist to require system developers and integrators to create and execute a Security Testing and Evaluation (ST&E) plan, or similar process, to identify and remediate flaws during development.",
      "scf_question": "Does the organization require system developers and integrators to create and execute a Security Testing and Evaluation (ST&E) plan to identify and remediate flaws during development?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require system developers and integrators to create and execute a Security Testing and Evaluation (ST&E) plan, or similar process, to identify and remediate flaws during development.",
        "4": "Information Assurance (IAO) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Pre-production Control Validation Testing (CVT)",
        "small": "∙ Pre-production Control Validation Testing (CVT)",
        "medium": "∙ Pre-production Control Validation Testing (CVT)",
        "large": "∙ Pre-production Control Validation Testing (CVT)",
        "enterprise": "∙ Pre-production Control Validation Testing (CVT)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1",
          "CC4.2"
        ],
        "general-cobit-2019": [
          "DSS06.04"
        ],
        "general-coso-2013": [
          "16",
          "17"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.4(c)"
        ],
        "general-iso-21434-2021": [
          "RQ-09-03",
          "RQ-09-03(a)",
          "RQ-09-03(b)",
          "RQ-09-03(c)",
          "RQ-09-03(d)",
          "RQ-09-03(e)",
          "RQ-09-03(f)"
        ],
        "general-iso-27002-2022": [
          "8.25"
        ],
        "general-iso-27018-2025": [
          "8.25"
        ],
        "general-iso-42001-2023": [
          "10.2",
          "10.2(a)",
          "10.2(a)(1)",
          "10.2(a)(2)",
          "10.2(b)",
          "10.2(b)(1)",
          "10.2(b)(2)",
          "10.2(b)(3)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)"
        ],
        "general-nist-800-37-r2": [
          "TASK A-5",
          "TASK M-3"
        ],
        "general-nist-800-53-r5-2": [
          "SA-11(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-11(05)"
        ],
        "general-nist-800-82-r3": [
          "SA-11(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-11(05)"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.1",
          "6.2.2",
          "6.2.3",
          "6.2.3.1",
          "6.2.4",
          "6.3.1",
          "6.4.1",
          "6.4.2",
          "11.4.1",
          "11.4.4",
          "12.4.2.1",
          "A1.2.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.1",
          "6.2.2",
          "6.2.4",
          "6.3.1",
          "6.4.1",
          "6.4.2",
          "11.4.1",
          "11.4.4"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.1",
          "6.2.2",
          "6.2.3.1",
          "6.2.4",
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.1",
          "6.2.2",
          "6.2.3",
          "6.2.3.1",
          "6.2.4",
          "6.3.1",
          "6.4.1",
          "6.4.2",
          "11.4.1",
          "11.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.1",
          "6.2.2",
          "6.2.3",
          "6.2.3.1",
          "6.2.4",
          "6.3.1",
          "6.4.1",
          "6.4.2",
          "11.4.1",
          "11.4.4",
          "12.4.2.1",
          "A1.2.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-11(05)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-11(CE-5)",
          "SA-11(CE-5).a",
          "SA-11(CE-5).b"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.4"
        ],
        "apac-nzl-ism-3-9": [
          "6.2.5.C.01",
          "6.2.6.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.7"
        ]
      }
    },
    {
      "control_id": "IAO-05",
      "title": "Capabilities Deficiency Tracking",
      "family": "IAO",
      "description": "Mechanisms exist to govern identified deficiencies (e.g., Plan of Action and Milestones (POA&M) or similar methodology) that formally documents, at a minimum:\n(1) Deficiency tracking number;\n(2) Applicable security, compliance and/or resilience control;\n(3) Description of the deficiency(ies);\n(4) Risk associated with the deficiency(ies);\n(5) Source deficiency identification/detection;\n(6) Temporary compensating controls, if applicable;\n(7) Point of Contact (POC) (e.g., asset/process owner);\n(8) Resources required to conduct remediation actions;\n(9) Planned remedial actions to the deficiency(ies);\n(10) Proposed remediation timeline; and\n(11) Disposition statement (e.g., closeout summary).",
      "scf_question": "Does the organization govern identified deficiencies (e.g., Plan of Action and Milestones (POA&M) or similar methodology) that formally documents, at a minimum:\n(1) Deficiency tracking number;\n(2) Applicable security, compliance and/or resilience control;\n(3) Description of the deficiency(ies);\n(4) Risk associated with the deficiency(ies);\n(5) Source deficiency identification/detection;\n(6) Temporary compensating controls, if applicable;\n(7) Point of Contact (POC) (e.g., asset/process owner);\n(8) Resources required to conduct remediation actions;\n(9) Planned remedial actions to the deficiency(ies);\n(10) Proposed remediation timeline; and\n(11) Disposition statement (e.g., closeout summary)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern identified deficiencies (e.g., Plan of Action and Milestones (POA&M) or similar methodology) that formally documents, at a minimum:\n(1) Deficiency tracking number;\n(2) Applicable security, compliance and/or resilience control;\n(3) Description of the deficiency(ies);\n(4) Risk associated with the deficiency(ies);\n(5) Source deficiency identification/detection;\n(6) Temporary compensating controls, if applicable;\n(7) Point of Contact (POC) (e.g., asset/process owner);\n(8) Resources required to conduct remediation actions;\n(9) Planned remedial actions to the deficiency(ies);\n(10) Proposed remediation timeline; and\n(11) Disposition statement (e.g., closeout summary).",
        "4": "Information Assurance (IAO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Plan of Action and Milestones (POA&M)\n∙ Risk register",
        "small": "∙ Plan of Action and Milestones (POA&M)\n∙ Risk register",
        "medium": "∙ Plan of Action and Milestones (POA&M)\n∙ Risk register",
        "large": "∙ Plan of Action and Milestones (POA&M)\n∙ Risk register",
        "enterprise": "∙ Plan of Action and Milestones (POA&M)\n∙ Risk register"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.2",
          "CC4.2-POF3"
        ],
        "general-cobit-2019": [
          "APO12.05",
          "MEA03.04",
          "MEA04.09"
        ],
        "general-coso-2013": [
          "17"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-06"
        ],
        "general-govramp": [
          "CA-05"
        ],
        "general-govramp-low": [
          "CA-05"
        ],
        "general-govramp-low-plus": [
          "CA-05"
        ],
        "general-govramp-mod": [
          "CA-05"
        ],
        "general-govramp-high": [
          "CA-05"
        ],
        "general-iso-21434-2021": [
          "RQ-09-07(a)",
          "RQ-09-07(b)",
          "RQ-09-07(c)",
          "RQ-09-07(d)"
        ],
        "general-iso-31010-2009": [
          "4.3.6",
          "5.6"
        ],
        "general-iso-42001-2023": [
          "9.3.2(a)",
          "9.3.2(b)",
          "10.2",
          "10.2(a)",
          "10.2(a)(1)",
          "10.2(a)(2)",
          "10.2(b)",
          "10.2(b)(1)",
          "10.2(b)(2)",
          "10.2(b)(3)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 3.0",
          "MEASURE 3.1",
          "MEASURE 3.2",
          "MANAGE 1.1",
          "MANAGE 1.2",
          "MANAGE 1.3",
          "MANAGE 1.4",
          "MANAGE 3.1",
          "MANAGE 4.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.MT-P4"
        ],
        "general-nist-800-37-r2": [
          "TASK I-2",
          "TASK A-5",
          "TASK A-6",
          "TASK R-3"
        ],
        "general-nist-800-39": [
          "3.4"
        ],
        "general-nist-800-53-r4": [
          "CA-5",
          "PM-4"
        ],
        "general-nist-800-53-r5-2": [
          "CA-05",
          "PM-04",
          "SA-15(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-05",
          "PM-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-05"
        ],
        "general-nist-800-82-r3": [
          "CA-05",
          "PM-04",
          "SA-15(02)"
        ],
        "general-nist-800-82-r3-low": [
          "CA-05",
          "PM-04"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-05",
          "PM-04"
        ],
        "general-nist-800-82-r3-high": [
          "CA-05",
          "PM-04"
        ],
        "general-nist-800-161-r1": [
          "CA-5",
          "PM-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CA-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "CA-5",
          "PM-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-5",
          "PM-4"
        ],
        "general-nist-800-171-r2": [
          "3.12.2"
        ],
        "general-nist-800-171-r3": [
          "03.04.11.b",
          "03.12.02.a",
          "03.12.02.a.01",
          "03.12.02.a.02",
          "03.12.02.b",
          "03.12.02.b.01",
          "03.12.02.b.02",
          "03.12.02.b.03",
          "03.14.01.a"
        ],
        "general-nist-800-171a": [
          "3.12.2[a]",
          "3.12.2[b]",
          "3.12.2[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.12.02.a.01",
          "A.03.12.02.a.02",
          "A.03.12.02.b.01",
          "A.03.12.02.b.02",
          "A.03.12.02.b.03"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-01",
          "ID.IM-01",
          "ID.IM-02"
        ],
        "general-scf-dpmp-2025": [
          "9.3"
        ],
        "general-tisax-6-0-3": [
          "1.5.2"
        ],
        "general-ul-2900-1-2017": [
          "12.1(g)",
          "12.1(h)"
        ],
        "general-un-155-2021": [
          "7.2.2.2(d)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(d)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-3f",
          "RISK-3g"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CAL2.-3.12.2"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)(2)(ii)(B)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-05",
          "PM-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-05",
          "PM-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-05",
          "PM-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-05",
          "PM-04"
        ],
        "usa-federal-irs-1075-2021": [
          "2.E.5",
          "2.E.5-1",
          "2.E.5-2",
          "2.E.5-3",
          "CA-5",
          "CA-5(IRS-Defined)-1",
          "CA-5(IRS-Defined)-2",
          "PM-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-5",
          "CA-5.a",
          "CA-5.b",
          "CA-5.c",
          "CA-5-IS.1",
          "PM-4",
          "PM-4.a",
          "PM-4.a.1",
          "PM-4.a.2",
          "PM-4.a.3",
          "PM-4.b",
          "PM-4-IS.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 2.4"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.2",
          "III.E.3"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-05",
          "PM-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-05"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(13)(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.5.2(d)"
        ],
        "emea-sau-otcc-1-2022": [
          "1-3-1-6"
        ],
        "emea-uae-niaf-2023": [
          "3.2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1564"
        ],
        "apac-jpn-ismap": [
          "4.4.6.1",
          "4.7.1.4",
          "4.7.1.7"
        ],
        "apac-nzl-ism-3-9": [
          "4.2.12.C.01",
          "6.3.8.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.5.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "5.9"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.11.B",
          "03.12.02.A",
          "03.12.02.A.01",
          "03.12.02.A.02",
          "03.12.02.B",
          "03.12.02.B.01",
          "03.12.02.B.02",
          "03.12.02.B.03",
          "03.14.01.A"
        ]
      }
    },
    {
      "control_id": "IAO-05.1",
      "title": "Deficiency Tracking Automation",
      "family": "IAO",
      "description": "Automated mechanisms exist to help ensure tracked deficiencies are: \n(1) Accurate;\n(2) Up-to-date; and \n(3) Readily-available.",
      "scf_question": "Does the organization use automated mechanisms to help ensure tracked deficiencies are: \n(1) Accurate;\n(2) Up-to-date; and \n(3) Readily-available?",
      "relative_weight": 2,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Information Assurance (IAO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Pre-production security testing-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automate deficiency tracking to ensure records are: \n(1) Accurate;\n(2) Up-to-date; and \n(3) Readily-available.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document security assurance requirements for critical systems",
        "small": "∙ Security assurance checklist for critical systems",
        "medium": "∙ Formal information assurance program\n∙ Security testing and validation",
        "large": "∙ Enterprise information assurance program\n∙ Independent security testing",
        "enterprise": "∙ Enterprise IA program\n∙ Formal evaluation (e.g., Common Criteria, FedRAMP)\n∙ Continuous assurance monitoring"
      },
      "risks": [
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "CA-5(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-05(01)"
        ],
        "general-nist-800-82-r3": [
          "CA-05(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-5(1)"
        ]
      }
    },
    {
      "control_id": "IAO-06",
      "title": "Technical Verification",
      "family": "IAO",
      "description": "Mechanisms exist to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security, compliance and resilience controls.",
      "scf_question": "Does the organization perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security, compliance and resilience controls?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.\n▪ IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security, compliance and resilience controls.",
        "4": "Information Assurance (IAO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Controls Validation Testing (CVT)",
        "small": "∙ Controls Validation Testing (CVT)",
        "medium": "∙ Controls Validation Testing (CVT)",
        "large": "∙ Controls Validation Testing (CVT)",
        "enterprise": "∙ Controls Validation Testing (CVT)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1"
        ],
        "general-coso-2013": [
          "16"
        ],
        "general-csa-iot-2": [
          "IOT-01"
        ],
        "general-govramp": [
          "CA-02"
        ],
        "general-govramp-low": [
          "CA-02"
        ],
        "general-govramp-low-plus": [
          "CA-02"
        ],
        "general-govramp-mod": [
          "CA-02"
        ],
        "general-govramp-high": [
          "CA-02"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.4(b)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.3"
        ],
        "general-iso-42001-2023": [
          "A.6.2.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.0"
        ],
        "general-nist-800-53-r4": [
          "CA-2",
          "CM-4(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-02",
          "CM-04(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-02"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-04(02)"
        ],
        "general-nist-800-82-r3": [
          "CA-02",
          "CM-04(02)"
        ],
        "general-nist-800-82-r3-low": [
          "CA-02"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-02",
          "CM-04(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CA-02",
          "CM-04(02)"
        ],
        "general-nist-800-161-r1": [
          "CA-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CA-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "CA-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.Q"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-2",
          "CM-4(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-02",
          "CM-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-02",
          "CM-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-02"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-2",
          "CM-4(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-2",
          "CM-4(2)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(C)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-02",
          "CM-04 (02)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(70)",
          "3.6.2(71)"
        ],
        "emea-isr-cmo-1-0": [
          "10.6",
          "16.5"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1205"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1205"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1205"
        ]
      }
    },
    {
      "control_id": "IAO-07",
      "title": "Security Authorization",
      "family": "IAO",
      "description": "Mechanisms exist to ensure Technology Assets, Applications and/or Services (TAAS) are officially authorized prior to \"go live\" in a production environment.",
      "scf_question": "Does the organization ensure Technology Assets, Applications and/or Services (TAAS) are officially authorized prior to \"go live\" in a production environment?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Information Assurance (IAO) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with IAO domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Pre-production security testing-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.",
        "2": "Information Assurance (IAO) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Information Assurance (IA)-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ IA management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.\n▪ IAP testing results in a formal risk assessment where Business process owners (BPOs) are required to make a decision to (1) reduce, (2) avoid, (3) transfer and/or (4) accept risk(s) on behalf of the organization.",
        "3": "Information Assurance (IAO) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with IAO domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with IAO domain capabilities are well-documented and kept current by process owners.\n▪ An information assurance team, or similar function, is appropriately staffed and supported to implement and maintain IAO domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of information assurance operations (e.g., assessment scheduling software, risk assessment software, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with IAO domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure Technology Assets, Applications and/or Services (TAAS) are officially authorized prior to \"go live\" in a production environment.",
        "4": "Information Assurance (IAO) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document security assurance requirements for critical systems",
        "small": "∙ Security assurance checklist for critical systems",
        "medium": "∙ Formal information assurance program\n∙ Security testing and validation",
        "large": "∙ Enterprise information assurance program\n∙ Independent security testing",
        "enterprise": "∙ Enterprise IA program\n∙ Formal evaluation (e.g., Common Criteria, FedRAMP)\n∙ Continuous assurance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Information Assurance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF9"
        ],
        "general-csa-iot-2": [
          "IOT-01"
        ],
        "general-govramp": [
          "CA-06"
        ],
        "general-govramp-low": [
          "CA-06"
        ],
        "general-govramp-low-plus": [
          "CA-06"
        ],
        "general-govramp-mod": [
          "CA-06"
        ],
        "general-govramp-high": [
          "CA-06"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.3"
        ],
        "general-iso-42001-2023": [
          "A.6.2.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 1.1"
        ],
        "general-nist-800-37-r2": [
          "TASK P-18",
          "TASK R-1",
          "TASK R-2",
          "TASK R-4",
          "TASK R-5",
          "TASK M-4",
          "TASK M-6"
        ],
        "general-nist-800-53-r4": [
          "CA-6"
        ],
        "general-nist-800-53-r5-2": [
          "CA-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-06"
        ],
        "general-nist-800-82-r3": [
          "CA-06"
        ],
        "general-nist-800-82-r3-low": [
          "CA-06"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-06"
        ],
        "general-nist-800-82-r3-high": [
          "CA-06"
        ],
        "general-nist-800-161-r1": [
          "CA-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CA-6"
        ],
        "general-nist-800-161-r1-level-1": [
          "CA-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "CA-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-6"
        ],
        "general-scf-dpmp-2025": [
          "7.11"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.Q"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-06"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-6",
          "CA-6.a",
          "CA-6.b",
          "CA-6.b.1",
          "CA-6.b.2",
          "CA-6.b.3",
          "CA-6.b.4",
          "CA-6.b.5",
          "CA-6.b.6",
          "CA-6.c",
          "CA-6.c.1",
          "CA-6.c.2",
          "CA-6.c.3",
          "CA-6.c.4",
          "CA-6.c.5",
          "CA-6.c.6"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "11-3.a(3)(c)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(C)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-06",
          "CA-06-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-06"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(70)",
          "3.6.2(71)"
        ],
        "emea-isr-cmo-1-0": [
          "10.6",
          "16.5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-51"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0027",
          "ISM-0293",
          "ISM-1525"
        ],
        "apac-nzl-ism-3-9": [
          "2.2.5.C.01",
          "4.2.11.C.01",
          "4.5.18.C.01",
          "4.5.18.C.02",
          "4.5.18.C.03",
          "23.2.16.C.03",
          "23.2.16.C.04"
        ]
      }
    },
    {
      "control_id": "MNT-01",
      "title": "Maintenance Operations",
      "family": "MNT",
      "description": "Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.",
      "scf_question": "Does the organization develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MNT-02",
        "E-MNT-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Maintenance (MNT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MNT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Maintenance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.\n▪ IT and/or cybersecurity personnel use an informal process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactive maintenance operations.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT maintenance program",
        "small": "∙ IT maintenance program",
        "medium": "∙ IT maintenance program",
        "large": "∙ IT maintenance program",
        "enterprise": "∙ IT maintenance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-csa-iot-2": [
          "OPA-01"
        ],
        "general-govramp": [
          "MA-01"
        ],
        "general-govramp-low": [
          "MA-01"
        ],
        "general-govramp-low-plus": [
          "MA-01"
        ],
        "general-govramp-mod": [
          "MA-01"
        ],
        "general-govramp-high": [
          "MA-01"
        ],
        "general-iso-27002-2022": [
          "7.13"
        ],
        "general-iso-27017-2015": [
          "11.2.4"
        ],
        "general-iso-27018-2025": [
          "7.13"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.MA-P",
          "PR.MA-P1"
        ],
        "general-nist-800-53-r4": [
          "MA-1"
        ],
        "general-nist-800-53-r5-2": [
          "MA-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MA-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "MA-01"
        ],
        "general-nist-800-66-r2": [
          "164.310(a)",
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "MA-01"
        ],
        "general-nist-800-82-r3-low": [
          "MA-01"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-01"
        ],
        "general-nist-800-82-r3-high": [
          "MA-01"
        ],
        "general-nist-800-161-r1": [
          "MA-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "MA-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "MA-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "MA-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "MA-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-1"
        ],
        "general-nist-800-171-r2": [
          "NFO - MA-1"
        ],
        "general-nist-800-171-r3": [
          "03.04.03.c",
          "03.07.04.a",
          "03.07.06.a"
        ],
        "general-nist-csf-2-0": [
          "PR.PS",
          "PR.PS-02",
          "PR.PS-03"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.SADMI"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-3i"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MA-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MA-01"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(a)(2)(iv)",
          "164.310(d)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(a)(2)(iv)",
          "164.310(d)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MA-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MA-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-01"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(e)"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.3.2(c)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-7"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-78"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.3.4 [OP.EXP.4]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0305",
          "ISM-1226"
        ],
        "apac-jpn-ismap": [
          "11.2.4",
          "11.2.4.1",
          "11.2.4.3",
          "11.2.4.5"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP15",
          "HML15"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP13"
        ],
        "apac-nzl-ism-3-9": [
          "12.5.3.C.01",
          "12.5.3.C.02",
          "12.5.6.C.01",
          "12.5.6.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.03.C",
          "03.07.04.A",
          "03.07.06.A"
        ]
      }
    },
    {
      "control_id": "MNT-02",
      "title": "Controlled Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to conduct controlled maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).",
      "scf_question": "Does the organization conduct controlled maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MNT-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ Asset custodians track maintenance activities and component failure rates.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct controlled maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ IT maintenance program",
        "small": "∙ IT maintenance program",
        "medium": "∙ IT maintenance program\n∙ VisibleOps security management",
        "large": "∙ IT maintenance program\n∙ VisibleOps security management",
        "enterprise": "∙ IT maintenance program\n∙ VisibleOps security management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-csa-iot-2": [
          "OPA-01"
        ],
        "general-govramp": [
          "MA-02"
        ],
        "general-govramp-low": [
          "MA-02"
        ],
        "general-govramp-low-plus": [
          "MA-02"
        ],
        "general-govramp-mod": [
          "MA-02"
        ],
        "general-govramp-high": [
          "MA-02"
        ],
        "general-iso-27002-2022": [
          "7.13"
        ],
        "general-iso-27017-2015": [
          "11.2.4"
        ],
        "general-iso-27018-2025": [
          "7.13"
        ],
        "general-nist-800-53-r4": [
          "MA-2"
        ],
        "general-nist-800-53-r5-2": [
          "MA-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "MA-02"
        ],
        "general-nist-800-66-r2": [
          "164.310(a)"
        ],
        "general-nist-800-82-r3": [
          "MA-02"
        ],
        "general-nist-800-82-r3-low": [
          "MA-02"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-02"
        ],
        "general-nist-800-82-r3-high": [
          "MA-02"
        ],
        "general-nist-800-161-r1": [
          "MA-2"
        ],
        "general-nist-800-171-r2": [
          "3.7.1"
        ],
        "general-nist-800-171-r3": [
          "03.04.03.c",
          "03.07.04.a",
          "03.07.05.a"
        ],
        "general-nist-800-171a": [
          "3.7.1"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.03.c[01]"
        ],
        "general-nist-csf-2-0": [
          "PR.PS",
          "PR.PS-02",
          "PR.PS-03"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-2"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MAL2.-3.7.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MA-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MA-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(a)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(a)(2)(iv)"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-2",
          "MA-2.a",
          "MA-2.b",
          "MA-2.c",
          "MA-2.d",
          "MA-2.e",
          "MA-2.f",
          "MA-2-IS.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MA-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MA-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-02"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-78"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2511"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2511"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2511"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2511"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1079"
        ],
        "apac-ind-sebi-2024": [
          "PR.MA.S1"
        ],
        "apac-jpn-ismap": [
          "11.2.4.4"
        ],
        "apac-nzl-ism-3-9": [
          "12.5.3.C.01",
          "12.5.3.C.02",
          "12.5.6.C.01",
          "12.5.6.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.03.C",
          "03.07.04.A",
          "03.07.05.A"
        ]
      }
    },
    {
      "control_id": "MNT-02.1",
      "title": "Automated Maintenance Activities",
      "family": "MNT",
      "description": "Automated mechanisms exist to schedule, conduct and document maintenance and repairs.",
      "scf_question": "Does the organization use automated mechanisms to schedule, conduct and document maintenance and repairs?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Maintenance (MNT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MNT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Maintenance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically schedule, conduct and document maintenance and repairs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-govramp": [
          "MA-02(02)"
        ],
        "general-govramp-high": [
          "MA-02(02)"
        ],
        "general-nist-800-53-r4": [
          "MA-2(2)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-02(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "MA-02(02)"
        ],
        "general-nist-800-82-r3": [
          "MA-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "MA-02(02)"
        ],
        "general-nist-800-161-r1": [
          "MA-2(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-2(2)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-02(02)"
        ]
      }
    },
    {
      "control_id": "MNT-03",
      "title": "Timely Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to obtain maintenance support and/or spare parts for Technology Assets, Applications and/or Services (TAAS) within a defined Recovery Time Objective (RTO).",
      "scf_question": "Does the organization obtain maintenance support and/or spare parts for Technology Assets, Applications and/or Services (TAAS) within a defined Recovery Time Objective (RTO)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MNT-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop, maintain and facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain maintenance support and/or spare parts for Technology Assets, Applications and/or Services (TAAS) within a defined Recovery Time Objective (RTO).",
        "4": "Maintenance (MNT) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-csa-iot-2": [
          "OPA-01"
        ],
        "general-govramp": [
          "MA-06"
        ],
        "general-govramp-low-plus": [
          "MA-06"
        ],
        "general-govramp-mod": [
          "MA-06"
        ],
        "general-govramp-high": [
          "MA-06"
        ],
        "general-iso-27002-2022": [
          "7.13"
        ],
        "general-iso-27017-2015": [
          "11.2.4"
        ],
        "general-iso-27018-2025": [
          "7.13"
        ],
        "general-nist-800-53-r4": [
          "MA-6"
        ],
        "general-nist-800-53-r5-2": [
          "MA-06"
        ],
        "general-nist-800-53-r5-2-mod": [
          "MA-06"
        ],
        "general-nist-800-82-r3": [
          "MA-06"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-06"
        ],
        "general-nist-800-82-r3-high": [
          "MA-06"
        ],
        "general-nist-800-161-r1": [
          "MA-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-6"
        ],
        "general-nist-800-171-r3": [
          "03.07.04.a"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-02",
          "PR.PS-03"
        ],
        "general-pci-dss-4-0-1": [
          "10.7",
          "11.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-6"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-06"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-6"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-06"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2511"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2511"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2511"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2511"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.04.A"
        ]
      }
    },
    {
      "control_id": "MNT-03.1",
      "title": "Preventative Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to perform preventive maintenance on critical Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization perform preventive maintenance on critical Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MNT-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop, maintain and facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ Asset custodians track maintenance activities and component failure rates.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform preventive maintenance on critical Technology Assets, Applications and/or Services (TAAS).",
        "4": "Maintenance (MNT) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Maintenance (MNT) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-csa-iot-2": [
          "OPA-01"
        ],
        "general-nist-800-53-r4": [
          "MA-6(1)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-06(01)"
        ],
        "general-nist-800-82-r3": [
          "MA-06(01)"
        ],
        "general-nist-800-171-r3": [
          "03.07.04.a"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-02",
          "PR.PS-03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.04.A"
        ]
      }
    },
    {
      "control_id": "MNT-03.2",
      "title": "Predictive Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to perform predictive maintenance on critical Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization perform predictive maintenance on critical Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform predictive maintenance on critical Technology Assets, Applications and/or Services (TAAS).",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that effect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "MA-6(2)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-06(02)"
        ],
        "general-nist-800-82-r3": [
          "MA-06(02)"
        ]
      }
    },
    {
      "control_id": "MNT-03.3",
      "title": "Automated Support For Predictive Maintenance",
      "family": "MNT",
      "description": "Automated mechanisms exist to transfer predictive maintenance data to a computerized maintenance management system.",
      "scf_question": "Does the organization use automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically transfer predictive maintenance data to a computerized maintenance management system.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-csa-iot-2": [
          "OPA-02"
        ],
        "general-nist-800-53-r4": [
          "MA-6(3)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-06(03)"
        ],
        "general-nist-800-82-r3": [
          "MA-06(03)"
        ]
      }
    },
    {
      "control_id": "MNT-04",
      "title": "Maintenance Tools",
      "family": "MNT",
      "description": "Mechanisms exist to control and monitor the use of system maintenance tools.",
      "scf_question": "Does the organization control and monitor the use of system maintenance tools?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ IT and/or cybersecurity personnel control and monitor the use of system maintenance tools.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to control and monitor the use of system maintenance tools.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.7"
        ],
        "general-govramp": [
          "MA-03"
        ],
        "general-govramp-core": [
          "MA-03"
        ],
        "general-govramp-low-plus": [
          "MA-03"
        ],
        "general-govramp-mod": [
          "MA-03"
        ],
        "general-govramp-high": [
          "MA-03"
        ],
        "general-iso-21434-2021": [
          "RQ-05-14"
        ],
        "general-nist-800-53-r4": [
          "MA-3"
        ],
        "general-nist-800-53-r5-2": [
          "MA-03",
          "MA-03(05)",
          "MA-03(06)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "MA-03"
        ],
        "general-nist-800-82-r3": [
          "MA-03",
          "MA-03(05)",
          "MA-03(06)"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-03"
        ],
        "general-nist-800-82-r3-high": [
          "MA-03"
        ],
        "general-nist-800-161-r1": [
          "MA-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "MA-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-3"
        ],
        "general-nist-800-171-r2": [
          "3.7.2"
        ],
        "general-nist-800-171-r3": [
          "03.07.04.a"
        ],
        "general-nist-800-171a": [
          "3.7.2[a]",
          "3.7.2[b]",
          "3.7.2[c]",
          "3.7.2[d]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.04.a[01]",
          "A.03.07.04.a[02]",
          "A.03.07.04.a[03]"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-3"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MAL2.-3.7.2"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-03"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-3",
          "MA-3(CE-5)"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-3"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.04.A"
        ]
      }
    },
    {
      "control_id": "MNT-04.1",
      "title": "Inspect Tools",
      "family": "MNT",
      "description": "Mechanisms exist to inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.",
      "scf_question": "Does the organization inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ IT and/or cybersecurity personnel control and monitor the use of system maintenance tools.\n▪ IT and/or cybersecurity personnel inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-govramp": [
          "MA-03(01)"
        ],
        "general-govramp-low-plus": [
          "MA-03(01)"
        ],
        "general-govramp-mod": [
          "MA-03(01)"
        ],
        "general-govramp-high": [
          "MA-03(01)"
        ],
        "general-nist-800-53-r4": [
          "MA-3(1)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-03(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "MA-03(01)"
        ],
        "general-nist-800-82-r3": [
          "MA-03(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-03(01)"
        ],
        "general-nist-800-82-r3-high": [
          "MA-03(01)"
        ],
        "general-nist-800-161-r1": [
          "MA-3(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-3(1)"
        ],
        "general-nist-800-171-r3": [
          "03.07.04.b"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-3(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-03(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-3(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-3(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-03 (01)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.04.B"
        ]
      }
    },
    {
      "control_id": "MNT-04.2",
      "title": "Inspect Media",
      "family": "MNT",
      "description": "Mechanisms exist to check media containing diagnostic and test programs for malicious code before the media are used.",
      "scf_question": "Does the organization check media containing diagnostic and test programs for malicious code before the media are used?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MNT-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ IT and/or cybersecurity personnel control and monitor the use of system maintenance tools.\n▪ IT and/or cybersecurity personnel inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance pans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to check media containing diagnostic and test programs for malicious code before the media are used.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-govramp": [
          "MA-03(02)"
        ],
        "general-govramp-mod": [
          "MA-03(02)"
        ],
        "general-govramp-high": [
          "MA-03(02)"
        ],
        "general-nist-800-53-r4": [
          "MA-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-03(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "MA-03(02)"
        ],
        "general-nist-800-82-r3": [
          "MA-03(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-03(02)"
        ],
        "general-nist-800-82-r3-high": [
          "MA-03(02)"
        ],
        "general-nist-800-161-r1": [
          "MA-3(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-3(2)"
        ],
        "general-nist-800-171-r2": [
          "3.7.4"
        ],
        "general-nist-800-171a": [
          "3.7.4"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.04.b"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-3(2)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MAL2.-3.7.4"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-03(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-3(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-3(2)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-03 (02)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2510"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2510"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2510"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2510"
        ]
      }
    },
    {
      "control_id": "MNT-04.3",
      "title": "Prevent Unauthorized Removal",
      "family": "MNT",
      "description": "Mechanisms exist to prevent or control the removal of equipment undergoing maintenance that contains organizational information.",
      "scf_question": "Does the organization prevent or control the removal of equipment undergoing maintenance that contains organizational information?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ Asset / process owners prevent or control the removal of equipment undergoing maintenance that contains organizational information.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance pans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent or control the removal of equipment undergoing maintenance that contains organizational information.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical Access Control (PAC)",
        "small": "∙ Physical Access Control (PAC)",
        "medium": "∙ Physical Access Control (PAC)",
        "large": "∙ Physical Access Control (PAC)",
        "enterprise": "∙ Physical Access Control (PAC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-govramp": [
          "MA-03(03)"
        ],
        "general-govramp-mod": [
          "MA-03(03)"
        ],
        "general-govramp-high": [
          "MA-03(03)"
        ],
        "general-nist-800-53-r4": [
          "MA-3(3)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-03(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "MA-03(03)"
        ],
        "general-nist-800-66-r2": [
          "164.310(d)"
        ],
        "general-nist-800-82-r3": [
          "MA-03(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-03(03)"
        ],
        "general-nist-800-82-r3-high": [
          "MA-03(03)"
        ],
        "general-nist-800-161-r1": [
          "MA-3(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-3(3)"
        ],
        "general-nist-800-171-r3": [
          "03.07.04.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.04.c"
        ],
        "general-tisax-6-0-3": [
          "3.1.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-3(3)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-03(03)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(d)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-3(CE-3)",
          "MA-3(CE-3).a",
          "MA-3(CE-3).b",
          "MA-3(CE-3).c",
          "MA-3(CE-3).d"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-3(3)",
          "MA-3(3).a",
          "MA-3(3).b",
          "MA-3(3).c",
          "MA-3(3).d"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-03 (03)"
        ],
        "apac-jpn-ismap": [
          "11.2.5",
          "11.2.5.1",
          "11.2.5.2",
          "11.2.5.3",
          "11.2.5.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.04.C"
        ]
      }
    },
    {
      "control_id": "MNT-04.4",
      "title": "Restrict Tool Usage",
      "family": "MNT",
      "description": "Automated mechanisms exist to restrict the use of maintenance tools to authorized maintenance personnel and/or roles.",
      "scf_question": "Does the organization use automated mechanisms to restrict the use of maintenance tools to authorized maintenance personnel and/or roles?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Maintenance (MNT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MNT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Maintenance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ IT and/or cybersecurity personnel control and monitor the use of system maintenance tools.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance pans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically restrict the use of maintenance tools to authorized maintenance personnel and/or roles.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)",
        "small": "∙ Role Based Access Control (RBAC)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.7"
        ],
        "general-iso-21434-2021": [
          "RQ-05-14"
        ],
        "general-nist-800-53-r4": [
          "MA-3(4)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-03(04)"
        ],
        "general-nist-800-82-r3": [
          "MA-03(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-3(CE-4)"
        ]
      }
    },
    {
      "control_id": "MNT-05",
      "title": "Remote Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities.",
      "scf_question": "Does the organization authorize, monitor and control remote, non-local maintenance and diagnostic activities?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ Instances of non-console administrative access use cryptographic mechanisms to protect the confidentiality and integrity of the data being transmitted.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to authorize, monitor and control remote, non-local maintenance and diagnostic activities.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.6"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.6"
        ],
        "general-govramp": [
          "MA-04"
        ],
        "general-govramp-low": [
          "MA-04"
        ],
        "general-govramp-low-plus": [
          "MA-04"
        ],
        "general-govramp-mod": [
          "MA-04"
        ],
        "general-govramp-high": [
          "MA-04"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.MA-P2"
        ],
        "general-nist-800-53-r4": [
          "MA-4"
        ],
        "general-nist-800-53-r5-2": [
          "MA-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MA-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "MA-04"
        ],
        "general-nist-800-82-r3": [
          "MA-04"
        ],
        "general-nist-800-82-r3-low": [
          "MA-04"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-04"
        ],
        "general-nist-800-82-r3-high": [
          "MA-04"
        ],
        "general-nist-800-161-r1": [
          "MA-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "MA-4"
        ],
        "general-nist-800-161-r1-flowdown": [
          "MA-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "MA-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-4"
        ],
        "general-nist-800-171-r2": [
          "3.7.5"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.d",
          "03.07.05.a",
          "03.07.05.b",
          "03.07.05.c"
        ],
        "general-nist-800-171a": [
          "3.7.5[a]",
          "3.7.5[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.05.a[01]",
          "A.03.07.05.a[02]"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.7"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-4"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MAL2.-3.7.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MA-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MA-04"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-4",
          "MA-4.a",
          "MA-4.b",
          "MA-4.c",
          "MA-4.d",
          "MA-4(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MA-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MA-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-04"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(h)"
        ],
        "emea-isr-cmo-1-0": [
          "4.18",
          "12.7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-7"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-35"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2512"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2512"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2512"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2512"
        ],
        "apac-ind-sebi-2024": [
          "PR.MA.S2"
        ],
        "apac-jpn-ismap": [
          "11.2.4.8",
          "11.2.4.9",
          "11.2.4.10"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.D",
          "03.07.05.A",
          "03.07.05.B",
          "03.07.05.C"
        ]
      }
    },
    {
      "control_id": "MNT-05.1",
      "title": "Auditing Remote Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to audit remote, non-local maintenance and diagnostic sessions, as well as review the maintenance action performed during remote maintenance sessions.",
      "scf_question": "Does the organization audit remote, non-local maintenance and diagnostic sessions, as well as review the maintenance action performed during remote maintenance sessions?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to audit remote, non-local maintenance and diagnostic sessions, as well as review the maintenance action performed during remote maintenance sessions.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-govramp": [
          "MA-01",
          "MA-04"
        ],
        "general-govramp-low": [
          "MA-01",
          "MA-04"
        ],
        "general-govramp-low-plus": [
          "MA-01",
          "MA-04"
        ],
        "general-govramp-mod": [
          "MA-01",
          "MA-04"
        ],
        "general-govramp-high": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-53-r4": [
          "MA-4(1)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-01",
          "MA-04",
          "MA-04(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-82-r3": [
          "MA-01",
          "MA-04",
          "MA-04(01)"
        ],
        "general-nist-800-82-r3-low": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-01",
          "MA-04",
          "MA-04(01)"
        ],
        "general-nist-800-82-r3-high": [
          "MA-01",
          "MA-04",
          "MA-04(01)"
        ],
        "general-nist-800-161-r1": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-161-r1-flowdown": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-161-r1-level-1": [
          "MA-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-171-r3": [
          "03.07.05.a"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.7"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-1",
          "MA-4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MA-01",
          "MA-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-01",
          "MA-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-01",
          "MA-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MA-01",
          "MA-04"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-1",
          "MA-4",
          "MA-4(CE-1)",
          "MA-4(CE-1).a",
          "MA-4(CE-1).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-1",
          "MA-4",
          "MA-4(1)",
          "MA-4(1).a",
          "MA-4(1).b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MA-01",
          "MA-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MA-01",
          "MA-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-01",
          "MA-04"
        ],
        "emea-isr-cmo-1-0": [
          "12.7"
        ],
        "apac-jpn-ismap": [
          "11.2.4.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.05.A"
        ]
      }
    },
    {
      "control_id": "MNT-05.2",
      "title": "Remote Maintenance Notifications",
      "family": "MNT",
      "description": "Mechanisms exist to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time).",
      "scf_question": "Does the organization require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ Asset / process owners require maintenance personnel to notify entity-defined personnel when non-local maintenance is planned (e.g., date/time).",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-govramp": [
          "MA-01",
          "MA-04"
        ],
        "general-govramp-low": [
          "MA-01",
          "MA-04"
        ],
        "general-govramp-low-plus": [
          "MA-01",
          "MA-04"
        ],
        "general-govramp-mod": [
          "MA-01",
          "MA-04"
        ],
        "general-govramp-high": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-53-r4": [
          "MA-4(2)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-82-r3": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-82-r3-low": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-82-r3-high": [
          "MA-01",
          "MA-04"
        ],
        "general-nist-800-161-r1": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-161-r1-flowdown": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-161-r1-level-1": [
          "MA-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-1",
          "MA-4"
        ],
        "general-nist-800-171-r2": [
          "NFO - MA-4(2)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-1",
          "MA-4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MA-01",
          "MA-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-01",
          "MA-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-01",
          "MA-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MA-01",
          "MA-04"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-1",
          "MA-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-1",
          "MA-4"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MA-01",
          "MA-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MA-01",
          "MA-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-01",
          "MA-04"
        ],
        "emea-isr-cmo-1-0": [
          "12.7"
        ]
      }
    },
    {
      "control_id": "MNT-05.3",
      "title": "Remote Maintenance Cryptographic Protection",
      "family": "MNT",
      "description": "Cryptographic mechanisms exist to protect the integrity and confidentiality of remote, non-local maintenance and diagnostic communications.",
      "scf_question": "Are cryptographic mechanisms utilized to protect the integrity and confidentiality of remote, non-local maintenance and diagnostic communications?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop, maintain and facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to protect the integrity and confidentiality of remote, non-local maintenance and diagnostic communications.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "12.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.3"
        ],
        "general-govramp": [
          "MA-04(06)"
        ],
        "general-govramp-high": [
          "MA-04(06)"
        ],
        "general-nist-800-53-r4": [
          "MA-4(6)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-04(06)"
        ],
        "general-nist-800-82-r3": [
          "MA-04(06)"
        ],
        "general-nist-800-171-r3": [
          "03.07.05.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.05.b[02]"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.7"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.SADMI"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-4(CE-6)"
        ],
        "emea-isr-cmo-1-0": [
          "4.20",
          "12.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.05.B"
        ]
      }
    },
    {
      "control_id": "MNT-05.4",
      "title": "Remote Maintenance Disconnect Verification",
      "family": "MNT",
      "description": "Mechanisms exist to provide remote disconnect verification to ensure remote, non-local maintenance and diagnostic sessions are properly terminated.",
      "scf_question": "Does the organization provide remote disconnect verification to ensure remote, non-local maintenance and diagnostic sessions are properly terminated?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop, maintain and facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ IT and/or cybersecurity personnel provide remote disconnect verification to ensure non-local maintenance and diagnostic sessions are properly terminated.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide remote disconnect verification to ensure remote, non-local maintenance and diagnostic sessions are properly terminated.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "MA-4(7)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-04(07)"
        ],
        "general-nist-800-82-r3": [
          "MA-04(07)"
        ],
        "general-nist-800-171-r2": [
          "3.7.5"
        ],
        "general-nist-800-171-r3": [
          "03.07.05.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.05.c[01]"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.7"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MAL2.-3.7.5"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-4(CE-7)"
        ],
        "emea-isr-cmo-1-0": [
          "4.18",
          "4.20",
          "12.7"
        ],
        "apac-jpn-ismap": [
          "11.2.4.11"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.05.C"
        ]
      }
    },
    {
      "control_id": "MNT-05.5",
      "title": "Remote Maintenance Pre-Approval",
      "family": "MNT",
      "description": "Mechanisms exist to require maintenance personnel to obtain pre-approval and scheduling for remote, non-local maintenance sessions.",
      "scf_question": "Does the organization require maintenance personnel to obtain pre-approval and scheduling for remote, non-local maintenance sessions?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop, maintain and facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require maintenance personnel to obtain pre-approval and scheduling for remote, non-local maintenance sessions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "MA-4(5)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-04(05)"
        ],
        "general-nist-800-82-r3": [
          "MA-04(05)"
        ],
        "general-nist-800-171-r3": [
          "03.07.05.a"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 3.1"
        ],
        "emea-isr-cmo-1-0": [
          "12.7"
        ],
        "apac-ind-sebi-2024": [
          "PR.MA.S2"
        ],
        "apac-jpn-ismap": [
          "11.2.4.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.05.A"
        ]
      }
    },
    {
      "control_id": "MNT-05.6",
      "title": "Remote Maintenance Comparable Security & Sanitization",
      "family": "MNT",
      "description": "Mechanisms exist to require Technology Assets, Applications and/or Services (TAAS) performing remote, non-local maintenance and/or diagnostic services implement a security capability comparable to the capability implemented on the system being serviced.",
      "scf_question": "Does the organization require Technology Assets, Applications and/or Services (TAAS) performing remote, non-local maintenance and/or diagnostic services implement a security capability comparable to the capability implemented on the system being serviced?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require Technology Assets, Applications and/or Services (TAAS) performing remote, non-local maintenance and/or diagnostic services implement a security capability comparable to the capability implemented on the system being serviced.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-govramp": [
          "MA-04(03)"
        ],
        "general-govramp-high": [
          "MA-04(03)"
        ],
        "general-nist-800-53-r4": [
          "MA-4(3)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-04(03)"
        ],
        "general-nist-800-53-r5-2-high": [
          "MA-04(03)"
        ],
        "general-nist-800-82-r3": [
          "MA-04(03)"
        ],
        "general-nist-800-82-r3-high": [
          "MA-04(03)"
        ],
        "general-nist-800-161-r1": [
          "MA-4(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "MA-4(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-4(3)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-04(03)"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-4(3)",
          "MA-4(3).a",
          "MA-4(3).b"
        ]
      }
    },
    {
      "control_id": "MNT-05.7",
      "title": "Separation of Maintenance Sessions",
      "family": "MNT",
      "description": "Mechanisms exist to protect maintenance sessions through replay-resistant sessions that are physically or logically separated communications paths from other network sessions.",
      "scf_question": "Does the organization protect maintenance sessions through replay-resistant sessions that are physically or logically separated communications paths from other network sessions?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Maintenance (MNT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MNT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Maintenance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect maintenance sessions through replay-resistant sessions that are physically or logically separated communications paths from other network sessions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "MA-4(4)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-04(04)"
        ],
        "general-nist-800-82-r3": [
          "MA-04(04)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "MA-04(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-4(CE-4)",
          "MA-4(CE-4).a",
          "MA-4(CE-4).b",
          "MA-4(CE-4).b.1",
          "MA-4(CE-4).b.2"
        ]
      }
    },
    {
      "control_id": "MNT-06",
      "title": "Authorized Maintenance Personnel",
      "family": "MNT",
      "description": "Mechanisms exist to maintain a current list of authorized maintenance organizations or personnel.",
      "scf_question": "Does the organization maintain a current list of authorized maintenance organizations or personnel?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ IT personnel, in conjunction with asset custodians, maintain a current list of authorized maintenance organizations or personnel.\n▪ Asset / process owners require maintenance personnel to obtain pre-approval and scheduling for non-local maintenance sessions.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a current list of authorized maintenance organizations or personnel.",
        "4": "Maintenance (MNT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)",
        "small": "∙ Role Based Access Control (RBAC)",
        "medium": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "large": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)",
        "enterprise": "∙ Role Based Access Control (RBAC)\n∙ Separation of Duties (SoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-govramp": [
          "MA-05"
        ],
        "general-govramp-low": [
          "MA-05"
        ],
        "general-govramp-low-plus": [
          "MA-05"
        ],
        "general-govramp-mod": [
          "MA-05"
        ],
        "general-govramp-high": [
          "MA-05"
        ],
        "general-nist-800-53-r4": [
          "MA-5"
        ],
        "general-nist-800-53-r5-2": [
          "MA-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "MA-05"
        ],
        "general-nist-800-82-r3": [
          "MA-05"
        ],
        "general-nist-800-82-r3-low": [
          "MA-05"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-05"
        ],
        "general-nist-800-82-r3-high": [
          "MA-05"
        ],
        "general-nist-800-161-r1": [
          "MA-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "MA-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "MA-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-5"
        ],
        "general-nist-800-171-r2": [
          "3.7.6"
        ],
        "general-nist-800-171-r3": [
          "03.07.06.a",
          "03.07.06.b",
          "03.07.06.c",
          "03.07.06.d"
        ],
        "general-nist-800-171a": [
          "3.7.6"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.06.a",
          "A.03.07.06.b",
          "A.03.07.06.c",
          "A.03.07.06.d[01]",
          "A.03.07.06.d[02]"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "MA-5"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MAL2.-3.7.6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "MA-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "MA-05"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "MA-5",
          "MA-5.a",
          "MA-5.b",
          "MA-5.c"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "MA-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "MA-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "MA-05"
        ],
        "emea-isr-cmo-1-0": [
          "12.7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0305",
          "ISM-0307"
        ],
        "apac-jpn-ismap": [
          "11.2.4.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.06.A",
          "03.07.06.B",
          "03.07.06.C",
          "03.07.06.D"
        ]
      }
    },
    {
      "control_id": "MNT-06.1",
      "title": "Maintenance Personnel Without Appropriate Access",
      "family": "MNT",
      "description": "Mechanisms exist to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.",
      "scf_question": "Does the organization ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MNT-01"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Maintenance (MNT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MNT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Maintenance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ Asset / process owners require maintenance personnel to obtain pre-approval and scheduling for non-local maintenance sessions.\n▪ IT personnel, in conjunction with asset custodians, ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Role Based Access Control (RBAC)",
        "small": "∙ Role Based Access Control (RBAC)",
        "medium": "∙ Role Based Access Control (RBAC)",
        "large": "∙ Role Based Access Control (RBAC)",
        "enterprise": "∙ Role Based Access Control (RBAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-govramp": [
          "MA-05(01)"
        ],
        "general-govramp-mod": [
          "MA-05(01)"
        ],
        "general-govramp-high": [
          "MA-05(01)"
        ],
        "general-nist-800-53-r4": [
          "MA-5(1)",
          "MA-5(2)",
          "MA-5(3)",
          "MA-5(4)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-05(01)",
          "MA-05(02)",
          "MA-05(03)",
          "MA-05(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "MA-05(01)"
        ],
        "general-nist-800-82-r3": [
          "MA-05(01)",
          "MA-05(02)",
          "MA-05(03)",
          "MA-05(04)"
        ],
        "general-nist-800-82-r3-high": [
          "MA-05(01)"
        ],
        "general-nist-800-161-r1": [
          "MA-5(4)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "MA-5(4)"
        ],
        "general-nist-800-161-r1-level-2": [
          "MA-5(4)"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-5(4)"
        ],
        "general-nist-800-171-r2": [
          "3.7.6"
        ],
        "general-nist-800-171-r3": [
          "03.07.06.a",
          "03.07.06.c",
          "03.07.06.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.06.c"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MAL2.-3.7.6"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "MA-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "MA-05(01)"
        ],
        "emea-isr-cmo-1-0": [
          "12.7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-7"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2513"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2513"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2513"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2513"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0306"
        ],
        "apac-nzl-ism-3-9": [
          "12.5.4.C.01",
          "12.5.4.C.02",
          "12.5.4.C.03",
          "12.5.4.C.04"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.06.A",
          "03.07.06.C",
          "03.07.06.D"
        ]
      }
    },
    {
      "control_id": "MNT-06.2",
      "title": "Non-System Related Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of systems have required access authorizations.",
      "scf_question": "Does the organization ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of systems have required access authorizations?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop, maintain and facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.\n▪ Asset / process owners require maintenance personnel to obtain pre-approval and scheduling for non-local maintenance sessions.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of systems have required access authorizations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "MA-5(5)"
        ],
        "general-nist-800-53-r5-2": [
          "MA-05(05)"
        ],
        "general-nist-800-82-r3": [
          "MA-05(05)"
        ],
        "general-nist-800-171-r2": [
          "3.7.6"
        ],
        "general-nist-800-171-r3": [
          "03.07.06.a",
          "03.07.06.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.06.c"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "MAL2.-3.7.6"
        ],
        "usa-federal-irs-1075-2021": [
          "MA-5(CE-5)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.06.A",
          "03.07.06.C"
        ]
      }
    },
    {
      "control_id": "MNT-07",
      "title": "Maintain Configuration Control During Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to maintain proper physical security and configuration control over technology assets awaiting service or repair.",
      "scf_question": "Does the organization maintain proper physical security and configuration control over technology assets awaiting service or repair?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop, maintain and facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain proper physical security and configuration control over technology assets awaiting service or repair.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SR-11(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-11(02)"
        ],
        "general-nist-800-82-r3": [
          "SR-11(02)"
        ],
        "general-nist-800-82-r3-low": [
          "SR-11(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-11(02)"
        ],
        "general-nist-800-82-r3-high": [
          "SR-11(02)"
        ],
        "general-nist-800-161-r1": [
          "SR-11(2)"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-11(2)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-11(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-11(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-11(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "SR-11(CE-2)"
        ]
      }
    },
    {
      "control_id": "MNT-08",
      "title": "Field Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to securely conduct field maintenance on geographically deployed assets.",
      "scf_question": "Does the organization securely conduct field maintenance on geographically deployed assets?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop, maintain and facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to securely conduct field maintenance on geographically deployed assets.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "MA-07"
        ],
        "general-nist-800-82-r3": [
          "MA-07"
        ],
        "general-nist-800-82-r3-low": [
          "MA-07"
        ],
        "general-nist-800-82-r3-mod": [
          "MA-07"
        ],
        "general-nist-800-82-r3-high": [
          "MA-07"
        ],
        "general-nist-800-161-r1": [
          "MA-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0305"
        ],
        "apac-nzl-ism-3-9": [
          "12.5.5.C.01"
        ]
      }
    },
    {
      "control_id": "MNT-09",
      "title": "Off-Site Maintenance",
      "family": "MNT",
      "description": "Mechanisms exist to ensure off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site.",
      "scf_question": "Does the organization ensure off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop, maintain and facilitate localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.07.04.a"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0310"
        ],
        "apac-jpn-ismap": [
          "11.2.6",
          "11.2.6.1",
          "11.2.6.2",
          "11.2.6.3",
          "11.2.6.4",
          "11.2.6.5",
          "11.2.6.6"
        ],
        "apac-nzl-ism-3-9": [
          "12.5.5.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.04.A"
        ]
      }
    },
    {
      "control_id": "MNT-10",
      "title": "Maintenance Validation",
      "family": "MNT",
      "description": "Mechanisms exist to validate:\n(1) Maintenance activities were appropriately performed according to the work order; and \n(2) Applicable security, compliance and resilience controls are operational.",
      "scf_question": "Does the organization validate:\n(1) Maintenance activities were appropriately performed according to the work order; and \n(2) Applicable security, compliance and resilience controls are operational?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to validate:\n(1) Maintenance activities were appropriately performed according to the work order; and \n(2) Applicable security, compliance and resilience controls are operational.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Maintenance",
      "crosswalks": {
        "apac-aus-ism-2024-june": [
          "ISM-1598"
        ],
        "apac-jpn-ismap": [
          "11.2.4.6"
        ]
      }
    },
    {
      "control_id": "MNT-11",
      "title": "Maintenance Monitoring",
      "family": "MNT",
      "description": "Mechanisms exist to maintain situational awareness of the quality and reliability of systems and components through tracking maintenance activities and component failure rates.",
      "scf_question": "Does the organization maintain situational awareness of the quality and reliability of systems and components through tracking maintenance activities and component failure rates?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Maintenance (MNT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MNT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Maintenance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.",
        "2": "Maintenance (MNT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Maintenance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel, in conjunction with asset custodians, develop and maintain localized/regionalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).\n▪ Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.",
        "3": "Maintenance (MNT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MNT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MNT domain capabilities (e.g., maintenance plans) are documented and maintained by process owners.\n▪ A centralized Change Management Office (CMO), or similar function, is appropriately staffed and supported to implement and maintain MNT domain capabilities.\n▪ Technical procedures (e.g., ITIL change enablement) are utilized along with change management governance capabilities to ensure successful, efficient and secure maintenance operations.\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MNT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain situational awareness of the quality and reliability of systems and components through tracking maintenance activities and component failure rates.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document maintenance activities in a log",
        "small": "∙ Maintenance log\n∙ Authorized maintenance personnel list",
        "medium": "∙ Formal maintenance management program\n∙ CMMS or ticketing system",
        "large": "∙ CMMS (e.g., Maximo, ServiceNow)\n∙ Scheduled maintenance program\n∙ Vendor access controls",
        "enterprise": "∙ Enterprise CMMS platform\n∙ Automated maintenance scheduling\n∙ Vendor access controls\n∙ Remote access controls"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-4",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Maintenance",
      "crosswalks": {
        "general-nist-800-161-r1": [
          "MA-8"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-8"
        ]
      }
    },
    {
      "control_id": "MDM-01",
      "title": "Centralized Management Of Mobile Devices",
      "family": "MDM",
      "description": "Mechanisms exist to implement and govern Mobile Device Management (MDM) controls.",
      "scf_question": "Does the organization implement and govern Mobile Device Management (MDM) controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Mobile Device Management (MDM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MDM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ MDM-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ MDM is mostly administrative in nature (e.g., policies & standards), relying on administrative “acceptable use” restrictions to govern mobile device usage.",
        "2": "Mobile Device Management (MDM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ MDM-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ MDM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement and govern Mobile Device Management (MDM) controls.",
        "4": "Mobile Device Management (MDM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Mobile Device Management (MDM) program that covers organization-owned and personally-owned devices",
        "small": "∙ Mobile Device Management (MDM) program that covers organization-owned and personally-owned devices",
        "medium": "∙ Mobile Device Management (MDM) program that covers organization-owned and personally-owned devices",
        "large": "∙ Mobile Device Management (MDM) program that covers organization-owned and personally-owned devices",
        "enterprise": "∙ Mobile Device Management (MDM) program that covers organization-owned and personally-owned devices"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7",
          "CC6.7-POF4"
        ],
        "general-cis-csc-8-1": [
          "4.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.11"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-12"
        ],
        "general-csa-iot-2": [
          "SAP-05"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.3",
          "SR 2.3(b)"
        ],
        "general-iso-27002-2022": [
          "8.1"
        ],
        "general-iso-27018-2025": [
          "8.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.4"
        ],
        "general-nist-800-171-r2": [
          "3.1.18"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.a",
          "03.01.20.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.18.a[01]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-shared-assessments-sig-2025": [
          "M.1.3"
        ],
        "general-tisax-6-0-3": [
          "3.1.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.20",
          "5.20.1.2",
          "5.20.1.4",
          "5.20.2",
          "5.20.3",
          "5.20.4",
          "5.20.4.2",
          "5.20.6",
          "5.20.7",
          "5.20.7.1",
          "5.20.7.2",
          "5.20.7.3"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.18"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.4"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-isr-cmo-1-0": [
          "4.25",
          "4.28",
          "13.1",
          "13.3",
          "13.5",
          "13.8",
          "13.9",
          "13.10"
        ],
        "emea-sau-cscc-1-2019": [
          "2-5"
        ],
        "emea-sau-ecc-1-2018": [
          "2-6-3",
          "2-6-3-1",
          "2-6-3-2",
          "2-6-3-3",
          "2-6-3-4",
          "2-6-4",
          "5-1-3-6"
        ],
        "emea-sau-otcc-1-2022": [
          "2-5",
          "2-5-1",
          "2-5-1-1",
          "2-5-1-2",
          "2-5-1-3",
          "2-5-1-4",
          "2-5-1-5",
          "2-5-2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.3.3 [MP.EQ.3]"
        ],
        "emea-gbr-caf-4-0": [
          "B3.d"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2309",
          "2322"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2322"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2309",
          "2322"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2309",
          "2322"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0682",
          "ISM-0687",
          "ISM-0863",
          "ISM-0864",
          "ISM-0874",
          "ISM-1085",
          "ISM-1195",
          "ISM-1297",
          "ISM-1366",
          "ISM-1533"
        ],
        "apac-nzl-ism-3-9": [
          "21.1.10.C.01",
          "21.1.10.C.02",
          "21.1.10.C.03",
          "21.1.11.C.01",
          "21.1.11.C.02",
          "21.1.12.C.01",
          "21.1.14.C.01",
          "21.1.14.C.02",
          "21.1.15.C.01",
          "21.1.16.C.01",
          "21.1.16.C.02",
          "21.1.17.C.01",
          "21.1.17.C.02",
          "21.1.17.C.03",
          "21.1.18.C.01",
          "21.1.18.C.02",
          "21.1.19.C.01",
          "21.1.19.C.02"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.11"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.14",
          "4.15"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A",
          "03.01.20.D"
        ]
      }
    },
    {
      "control_id": "MDM-02",
      "title": "Access Control For Mobile Devices",
      "family": "MDM",
      "description": "Mechanisms exist to enforce access control requirements for the connection of mobile devices to organizational Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization enforce access control requirements for the connection of mobile devices to organizational Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Mobile Device Management (MDM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ MDM-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ MDM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel restrict the connection of personally-owned, mobile devices to organizational TAASD.\n▪ Mobile devices containing sensitive/regulated data use MDM software to prevent the unauthorized disclosure of information at rest (e.g., container encryption).",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce access control requirements for the connection of mobile devices to organizational Technology Assets, Applications and/or Services (TAAS).",
        "4": "Mobile Device Management (MDM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-govramp": [
          "AC-19"
        ],
        "general-govramp-low": [
          "AC-19"
        ],
        "general-govramp-low-plus": [
          "AC-19"
        ],
        "general-govramp-mod": [
          "AC-19"
        ],
        "general-govramp-high": [
          "AC-19"
        ],
        "general-iso-27002-2022": [
          "8.1"
        ],
        "general-iso-27017-2015": [
          "6.2.1"
        ],
        "general-iso-27018-2025": [
          "8.1"
        ],
        "general-mitre-att&ck-16-1": [
          "T1020.001",
          "T1040",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1114",
          "T1114.001",
          "T1114.002",
          "T1114.003",
          "T1119",
          "T1530",
          "T1550.001",
          "T1552",
          "T1552.004",
          "T1557",
          "T1557.002",
          "T1557.004",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1602",
          "T1602.001",
          "T1602.002"
        ],
        "general-nist-800-53-r4": [
          "AC-19"
        ],
        "general-nist-800-53-r5-2": [
          "AC-19"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-19"
        ],
        "general-nist-800-82-r3": [
          "AC-19"
        ],
        "general-nist-800-82-r3-low": [
          "AC-19"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-19"
        ],
        "general-nist-800-82-r3-high": [
          "AC-19"
        ],
        "general-nist-800-161-r1": [
          "AC-19"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-19"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-19"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-19"
        ],
        "general-nist-800-171-r2": [
          "3.1.18"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.a",
          "03.01.18.b"
        ],
        "general-nist-800-171a": [
          "3.1.18[a]",
          "3.1.18[b]",
          "3.1.18[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.18.b"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-19"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.18"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-19"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-19"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-19"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-19"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-19"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-19",
          "AC-19.a",
          "AC-19.b",
          "AC-19.c",
          "AC-19.d",
          "AC-19.e",
          "AC-19.f",
          "AC-19.g",
          "AC-19.h",
          "AC-19-IS.1",
          "AC-19-IS.3"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-19"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-19"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-19"
        ],
        "emea-isr-cmo-1-0": [
          "4.27",
          "13.2",
          "13.3",
          "13.5",
          "13.7",
          "13.9"
        ],
        "emea-sau-cscc-1-2019": [
          "2-5-1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-6-3-2",
          "5-1-3-6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-84"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A",
          "03.01.18.B"
        ]
      }
    },
    {
      "control_id": "MDM-03",
      "title": "Full Device & Container-Based Encryption",
      "family": "MDM",
      "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption.",
      "scf_question": "Are cryptographic mechanisms utilized to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Mobile Device Management (MDM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ MDM-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ MDM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Mobile devices containing sensitive/regulated data use MDM software to prevent the unauthorized disclosure of information at rest (e.g., container encryption).",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational cryptographic capability exists to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption.",
        "4": "Mobile Device Management (MDM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7"
        ],
        "general-csa-iot-2": [
          "SAP-05"
        ],
        "general-govramp": [
          "AC-19(05)"
        ],
        "general-govramp-mod": [
          "AC-19(05)"
        ],
        "general-govramp-high": [
          "AC-19(05)"
        ],
        "general-nist-800-53-r4": [
          "AC-19(5)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-19(05)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-19(05)"
        ],
        "general-nist-800-82-r3": [
          "AC-19(05)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-19(05)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-19(05)"
        ],
        "general-nist-800-171-r2": [
          "3.1.19"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.c"
        ],
        "general-nist-800-171a": [
          "3.1.19[a]",
          "3.1.19[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.18.c"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-19(5)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.19"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-19(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-19(05)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-19(CE-5)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-19(5)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-19 (05)"
        ],
        "emea-isr-cmo-1-0": [
          "4.26",
          "8.7",
          "13.4"
        ],
        "emea-sau-cscc-1-2019": [
          "2-5-1-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-6-3-1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2309"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2309"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2309"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0869"
        ],
        "apac-nzl-ism-3-9": [
          "21.1.13.C.01",
          "21.1.13.C.02",
          "21.1.13.C.03",
          "21.1.13.C.04",
          "21.1.13.C.05"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.C"
        ]
      }
    },
    {
      "control_id": "MDM-04",
      "title": "Mobile Device Tampering",
      "family": "MDM",
      "description": "Mechanisms exist to protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization's network.",
      "scf_question": "Does the organization protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to its network?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Mobile Device Management (MDM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ MDM-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ MDM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization's network.",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization's network.",
        "4": "Mobile Device Management (MDM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Tamper tape\n∙ Microsoft Defender for Endpoint (MDE) (https://microsoft.com)",
        "small": "∙ Tamper tape\n∙ Microsoft Defender for Endpoint (MDE) (https://microsoft.com)",
        "medium": "∙ Tamper tape\n∙ Microsoft Defender for Endpoint (MDE) (https://microsoft.com)\n∙ Duo (https://duo.com)",
        "large": "∙ Tamper tape\n∙ Microsoft Defender for Endpoint (MDE) (https://microsoft.com)\n∙ Duo (https://duo.com)",
        "enterprise": "∙ Tamper tape\n∙ Microsoft Defender for Endpoint (MDE) (https://microsoft.com)\n∙ Duo (https://duo.com)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "PE-3(5)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-03(05)"
        ],
        "general-nist-800-82-r3": [
          "PE-03(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PE-03(05)"
        ],
        "general-nist-800-161-r1": [
          "PE-3(5)"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-3(5)"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-3(5)"
        ],
        "general-nist-800-171-r3": [
          "03.04.12.b"
        ],
        "general-shared-assessments-sig-2025": [
          "M.1.3"
        ],
        "emea-isr-cmo-1-0": [
          "13.9"
        ],
        "apac-sgp-mas-trm-2021": [
          "14.1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.04.12.B"
        ]
      }
    },
    {
      "control_id": "MDM-05",
      "title": "Remote Purging",
      "family": "MDM",
      "description": "Mechanisms exist to remotely purge selected information from mobile devices.",
      "scf_question": "Does the organization remotely purge selected information from mobile devices?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Mobile Device Management (MDM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ MDM-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ MDM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ MDM software can remotely purge selected information from mobile devices.",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to remotely purge selected information from mobile devices.",
        "4": "Mobile Device Management (MDM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Mobile Device Management (MDM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.11"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-13"
        ],
        "general-govramp": [
          "AC-07(02)"
        ],
        "general-govramp-high": [
          "AC-07(02)"
        ],
        "general-iso-27002-2022": [
          "8.1"
        ],
        "general-iso-27017-2015": [
          "6.2.1"
        ],
        "general-iso-27018-2025": [
          "8.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.4"
        ],
        "general-nist-800-53-r4": [
          "AC-7(2)",
          "MP-6(8)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-07(02)",
          "MP-06(08)"
        ],
        "general-nist-800-82-r3": [
          "AC-07(02)",
          "MP-06(08)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-7(CE-2)"
        ],
        "emea-isr-cmo-1-0": [
          "13.8"
        ],
        "emea-sau-ecc-1-2018": [
          "2-6-3-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-59"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0702"
        ],
        "apac-nzl-ism-3-9": [
          "21.1.20.C.01",
          "21.1.20.C.02",
          "21.1.20.C.03"
        ]
      }
    },
    {
      "control_id": "MDM-06",
      "title": "Personally-Owned Mobile Devices",
      "family": "MDM",
      "description": "Mechanisms exist to restrict the connection of personally-owned, mobile devices to organizational Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization restrict the connection of personally-owned, mobile devices to organizational Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Mobile Device Management (MDM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ MDM-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ MDM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel restrict the connection of personally-owned, mobile devices to organizational TAASD.\n▪ MDM software is used to restrict the data that is stored/processed/transmitted on organization-owned and/or applicable Bring Your Own Device (BYOD) (e.g., personal devices).",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the connection of personally-owned, mobile devices to organizational Technology Assets, Applications and/or Services (TAAS).",
        "4": "Mobile Device Management (MDM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "SAP-05"
        ],
        "general-nist-800-171-r2": [
          "3.1.18"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.a",
          "03.01.18.b"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.18"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-3.d"
        ],
        "emea-isr-cmo-1-0": [
          "13.3",
          "13.5"
        ],
        "emea-sau-cscc-1-2019": [
          "2-5-1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "5-1-3-6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-84"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0694",
          "ISM-1297",
          "ISM-1400",
          "ISM-1482"
        ],
        "apac-jpn-ismap": [
          "6.2.1.23"
        ],
        "apac-nzl-ism-3-9": [
          "21.1.12.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "14.1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A",
          "03.01.18.B"
        ]
      }
    },
    {
      "control_id": "MDM-07",
      "title": "Organization-Owned Mobile Devices",
      "family": "MDM",
      "description": "Mechanisms exist to prohibit the installation of non-approved applications or approved applications not obtained through the organization-approved application store.",
      "scf_question": "Does the organization prohibit the installation of non-approved applications or approved applications not obtained through the organization-approved application store?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Mobile Device Management (MDM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ MDM-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ MDM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Mobile devices containing sensitive/regulated data use MDM software to prevent the unauthorized disclosure of information at rest (e.g., container encryption).\n▪ MDM software is used to restrict the data that is stored/processed/transmitted on organization-owned and/or applicable Bring Your Own Device (BYOD) (e.g., personal devices).",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prohibit the installation of non-approved applications or approved applications not obtained through the organization-approved application store.",
        "4": "Mobile Device Management (MDM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "SAP-05"
        ],
        "general-nist-800-171-r2": [
          "3.1.18"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.a",
          "03.01.18.b",
          "03.01.20.d"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.18"
        ],
        "emea-isr-cmo-1-0": [
          "13.3",
          "13.5"
        ],
        "emea-sau-ecc-1-2018": [
          "5-1-3-6"
        ],
        "emea-sau-otcc-1-2022": [
          "2-5-1-4"
        ],
        "apac-sgp-mas-trm-2021": [
          "14.1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.A",
          "03.01.18.B",
          "03.01.20.D"
        ]
      }
    },
    {
      "control_id": "MDM-08",
      "title": "Mobile Device Data Retention Limitations",
      "family": "MDM",
      "description": "Mechanisms exist to limit data retention on mobile devices to the smallest usable dataset and timeframe.",
      "scf_question": "Does the organization limit data retention on mobile devices to the smallest usable dataset and timeframe?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Mobile Device Management (MDM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ MDM-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ MDM may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit data retention on mobile devices to the smallest usable dataset and timeframe.",
        "4": "Mobile Device Management (MDM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Mobile device policy (lock screen, encryption)",
        "small": "∙ Mobile device policy\n∙ MDM solution (e.g., Microsoft Intune)\n∙ BYOD policy",
        "medium": "∙ MDM/EMM solution (e.g., Microsoft Intune, Jamf)\n∙ Mobile device policy",
        "large": "∙ Enterprise MDM/UEM (e.g., Microsoft Intune, VMware Workspace ONE)\n∙ Mobile threat defense",
        "enterprise": "∙ Enterprise UEM platform (e.g., Microsoft Intune, JAMF)\n∙ MTD solution\n∙ Zero-trust mobile access"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {}
    },
    {
      "control_id": "MDM-09",
      "title": "Mobile Device Geofencing",
      "family": "MDM",
      "description": "Mechanisms exist to restrict the functionality of mobile devices based on geographic location.",
      "scf_question": "Does the organization restrict the functionality of mobile devices based on geographic location?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the functionality of mobile devices based on geographic location.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ ManageEngine Endpoint Central (https://manageengine.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ ManageEngine Endpoint Central (https://manageengine.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ ManageEngine Endpoint Central (https://manageengine.com)\n∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "IAM-05"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-shared-assessments-sig-2025": [
          "M.1.2"
        ]
      }
    },
    {
      "control_id": "MDM-10",
      "title": "Separate Mobile Device Profiles",
      "family": "MDM",
      "description": "Mechanisms exist to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.",
      "scf_question": "Does the organization enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Mobile device policy (lock screen, encryption)",
        "small": "∙ Mobile device policy\n∙ MDM solution (e.g., Microsoft Intune)\n∙ BYOD policy",
        "medium": "∙ MDM/EMM solution (e.g., Microsoft Intune, Jamf)\n∙ Mobile device policy",
        "large": "∙ Enterprise MDM/UEM (e.g., Microsoft Intune, VMware Workspace ONE)\n∙ Mobile threat defense",
        "enterprise": "∙ Enterprise UEM platform (e.g., Microsoft Intune, JAMF)\n∙ MTD solution\n∙ Zero-trust mobile access"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.12"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.12"
        ]
      }
    },
    {
      "control_id": "MDM-11",
      "title": "Restricting Access To Authorized Technology Assets, Applications and/or Services (TAAS)",
      "family": "MDM",
      "description": "Mechanisms exist to restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-06"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Mobile Device Management (MDM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with MDM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ MDM-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ MDM is mostly administrative in nature (e.g., policies & standards), relying on administrative “acceptable use” restrictions to govern mobile device usage.\n▪ MDM software is used to restrict the data that is stored/processed/transmitted on organization-owned and/or applicable Bring Your Own Device (BYOD) (e.g., personal devices).\n▪ MDM software is used to prevent the unauthorized disclosure of sensitive/regulated data (e.g., cryptographic containerization).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Mobile Device Management (MDM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with MDM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with MDM domain capabilities are well-documented and kept current by process owners.\n▪ An endpoint technology management team, or similar function, is appropriately staffed and supported to implement and maintain MDM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of mobile device security operations (e.g., Mobile Device Management (MDM) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with MDM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Mobile device policy (lock screen, encryption)",
        "small": "∙ Mobile device policy\n∙ MDM solution (e.g., Microsoft Intune)\n∙ BYOD policy",
        "medium": "∙ MDM/EMM solution (e.g., Microsoft Intune, Jamf)\n∙ Mobile device policy",
        "large": "∙ Enterprise MDM/UEM (e.g., Microsoft Intune, VMware Workspace ONE)\n∙ Mobile threat defense",
        "enterprise": "∙ Enterprise UEM platform (e.g., Microsoft Intune, JAMF)\n∙ MTD solution\n∙ Zero-trust mobile access"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Mobile Device Management",
      "crosswalks": {
        "general-iec-62443-3-3-2013": [
          "SR 2.3(a)",
          "SR 2.3(c)",
          "SR 2.3 RE 1"
        ],
        "general-nist-800-171-r3": [
          "03.01.18.b"
        ],
        "general-shared-assessments-sig-2025": [
          "M.1.2"
        ],
        "emea-sau-cscc-1-2019": [
          "2-5-1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-84"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.18.B"
        ]
      }
    },
    {
      "control_id": "NET-01",
      "title": "Network Security Controls (NSC)",
      "family": "NET",
      "description": "Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC).",
      "scf_question": "Does the organization develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-04"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Administrative processes are used to configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).\n▪ Administrative processes enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis.\n▪ Internet-facing technologies are governed no differently from internal network assets.\n▪ Network communications containing sensitive/regulated data are protected using a cryptographic mechanism to prevent unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).\n▪ Wireless access is protected via secure authentication and encryption.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ Network communications containing sensitive/regulated data use a cryptographic mechanism to prevent the unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC).",
        "4": "In addition to Network Security (NET) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic firewall (home router or free pfSense)\n∙ Network security policy",
        "small": "∙ Small business firewall (e.g., Cisco Meraki, Fortinet FortiGate)\n∙ Network security policy",
        "medium": "∙ Next-gen firewall (NGFW)\n∙ Network segmentation\n∙ IDS/IPS\n∙ Network security standards",
        "large": "∙ Enterprise NGFW (e.g., Palo Alto Networks, Fortinet)\n∙ Network security program\n∙ IDS/IPS\n∙ NAC",
        "enterprise": "∙ Enterprise NGFW with threat intelligence feeds\n∙ Zero-trust network architecture\n∙ SIEM integration\n∙ NAC\n∙ SD-WAN"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF5"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF5",
          "CC6.6",
          "CC6.6-POF1",
          "CC6.6-POF2",
          "CC6.6-POF3",
          "CC6.6-POF4"
        ],
        "general-cis-csc-8-1": [
          "12.0",
          "12.1",
          "12.2",
          "12.3",
          "12.6"
        ],
        "general-cis-csc-8-1-ig1": [
          "12.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.1",
          "12.2",
          "12.3",
          "12.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.1",
          "12.2",
          "12.3",
          "12.6"
        ],
        "general-cobit-2019": [
          "DSS05.02"
        ],
        "general-csa-cmm-4-1-0": [
          "I&S-03"
        ],
        "general-csa-iot-2": [
          "OPA-06",
          "OPA-07",
          "OPA-08",
          "SNT-01"
        ],
        "general-govramp": [
          "SC-01"
        ],
        "general-govramp-low": [
          "SC-01"
        ],
        "general-govramp-low-plus": [
          "SC-01"
        ],
        "general-govramp-mod": [
          "SC-01"
        ],
        "general-govramp-high": [
          "SC-01"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.2"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.6"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.3"
        ],
        "general-iso-27002-2022": [
          "5.14",
          "8.12",
          "8.2",
          "8.21"
        ],
        "general-iso-27017-2015": [
          "13.1.1",
          "13.1.2",
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.14",
          "8.12",
          "8.20",
          "8.21"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.10",
          "TS-2.0",
          "TS-2.3",
          "TS-2.6",
          "TS-2.7",
          "TS-2.13"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)(b)"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PT-P3"
        ],
        "general-nist-800-53-r4": [
          "SC-1"
        ],
        "general-nist-800-53-r5-2": [
          "SC-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-01"
        ],
        "general-nist-800-66-r2": [
          "164.312(e)(1)"
        ],
        "general-nist-800-82-r3": [
          "SC-01"
        ],
        "general-nist-800-82-r3-low": [
          "SC-01"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-01"
        ],
        "general-nist-800-82-r3-high": [
          "SC-01"
        ],
        "general-nist-800-161-r1": [
          "SC-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SC-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "SC-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-1"
        ],
        "general-nist-800-171-r2": [
          "3.13.1",
          "NFO - SC-1"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.a",
          "03.01.16.a",
          "03.01.16.b",
          "03.01.18.a",
          "03.13.01.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-01"
        ],
        "general-pci-dss-4-0-1": [
          "1.1",
          "1.2",
          "11.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.2.1"
        ],
        "general-shared-assessments-sig-2025": [
          "N.2"
        ],
        "general-sparta": [
          "CM0002",
          "CM0033"
        ],
        "general-swift-cscf-2025": [
          "1.1",
          "1.4",
          "2.6"
        ],
        "general-tisax-6-0-3": [
          "5.1.2",
          "5.2.7"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.NE.ACONT"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2a",
          "ARCHITECTURE-2c",
          "ARCHITECTURE-2f"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SC.L1-B.1.X"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.1"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "5.1.1"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "3.0"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(x)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-01"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.312(e)(1)",
          "164.312(e)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.312(e)(1)",
          "164.312(e)(2)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.6",
          "SC-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.2",
          "CIP-005-7 1.1",
          "CIP-005-7 1.2"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.5"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)",
          "7123(c)(8)",
          "7123(c)(8)(A)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(g)",
          "500.14(a)(2)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-01"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(e)",
          "Article 21.5"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(a)",
          "6.7.2(b)",
          "6.7.2(i)",
          "6.8.3",
          "6.9.1"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-c5-2020": [
          "PSS-10"
        ],
        "emea-isr-cmo-1-0": [
          "9.1"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-5",
          "2-4",
          "2-4-1-5"
        ],
        "emea-sau-cgiot-2024": [
          "2-3-1",
          "2-3-2",
          "2-4-1",
          "2-4-5"
        ],
        "emea-sau-ecc-1-2018": [
          "2-4-4",
          "2-5-1",
          "2-5-2",
          "2-5-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-1",
          "2-3-1-1",
          "2-4",
          "2-4-1",
          "2-4-2",
          "2-5-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-13",
          "TPC-14",
          "TPC-15",
          "TPC-16",
          "TPC-17",
          "TPC-78"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.4",
          "3.3.8"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 23"
        ],
        "emea-esp-decree-311-2022": [
          "23"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.4.1 [MP.COM.1]",
          "8.4.2 [MP.COM.2]"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0521",
          "ISM-0629",
          "ISM-1186",
          "ISM-1428",
          "ISM-1429",
          "ISM-1430",
          "ISM-1711",
          "ISM-1712",
          "ISM-1774",
          "ISM-1783"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S2"
        ],
        "apac-jpn-ismap": [
          "5.1.1.18",
          "13",
          "13.1",
          "13.1.1",
          "13.1.1.1",
          "13.1.1.2",
          "13.1.1.3",
          "13.1.1.5",
          "13.1.1.6",
          "13.1.1.7",
          "13.1.1.8",
          "13.1.1.9",
          "13.1.2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP49",
          "HHSP54",
          "HML49",
          "HML54"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP41",
          "HSUP46"
        ],
        "apac-nzl-ism-3-9": [
          "10.8.34.C.01",
          "10.8.34.C.02",
          "10.8.35.C.01",
          "10.8.36.C.01",
          "10.8.37.C.01",
          "10.8.38.C.01",
          "18.1.9.C.01",
          "18.1.9.C.02",
          "18.1.9.C.03",
          "18.1.9.C.04",
          "18.1.9.C.05",
          "18.5.7.C.01",
          "18.5.7.C.02",
          "18.5.8.C.01",
          "18.5.8.C.02",
          "18.5.8.C.03",
          "18.5.8.C.04",
          "18.5.9.C.01",
          "18.5.9.C.02",
          "18.5.9.C.03",
          "18.5.10.C.01",
          "18.5.10.C.02",
          "18.5.11.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.4"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.1",
          "11.2.2",
          "11.2.3",
          "11.2.4",
          "11.2.5",
          "11.2.6",
          "11.2.7",
          "11.2.8"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.18"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.10",
          "4.15"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.A",
          "03.01.16.A",
          "03.01.16.B",
          "03.01.18.A",
          "03.13.01.A"
        ]
      }
    },
    {
      "control_id": "NET-01.1",
      "title": "Zero Trust Architecture (ZTA)",
      "family": "NET",
      "description": "Mechanisms exist to treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized.",
      "scf_question": "Does the organization treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-05"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Administrative processes are used to configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Zero Trust Architecture (ZTA) planning and roadmap",
        "large": "∙ ZTA implementation\n∙ Identity-centric access controls\n∙ Microsegmentation",
        "enterprise": "∙ Enterprise ZTA platform (e.g., Zscaler, Palo Alto Prisma Access)\n∙ Identity-based access\n∙ Microsegmentation\n∙ Continuous validation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF5"
        ],
        "general-cis-csc-8-1": [
          "13.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "13.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "13.5"
        ],
        "general-csa-iot-2": [
          "SNT-02"
        ],
        "general-cr-cmm-2026": [
          "CR4.1.5"
        ],
        "general-iec-62443-4-2-2019": [
          "NDR 1.13"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-6.0",
          "TS-6.1",
          "TS-6.2"
        ],
        "general-nist-800-207": [
          "NIST Tenet 3",
          "NIST Tenet 5",
          "NIST Tenet 6"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "5.1.1",
          "6.2.3"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "3.0"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0665"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S4"
        ],
        "apac-jpn-ismap": [
          "9.1.1.16"
        ],
        "apac-nzl-ism-3-9": [
          "2.3.26.C.01",
          "2.3.26.C.02"
        ]
      }
    },
    {
      "control_id": "NET-02",
      "title": "Layered Network Defenses",
      "family": "NET",
      "description": "Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.",
      "scf_question": "Does the organization implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-03",
        "E-DCH-04",
        "E-DCH-05"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Administrative processes are used to configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ IT and/or cybersecurity architects maintain a segmented development network to ensure a secure development environment.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Firewall + antivirus as layered defenses",
        "small": "∙ Firewall + IDS/IPS + endpoint protection as layered defenses",
        "medium": "∙ Layered defense-in-depth architecture\n∙ Firewall, IDS/IPS, endpoint protection, email filtering",
        "large": "∙ Enterprise layered defense program\n∙ NGFW, IDS/IPS, EDR, email security, WAF",
        "enterprise": "∙ Enterprise defense-in-depth architecture\n∙ NGFW, SIEM, EDR/XDR, WAF, email security, DLP, UEBA"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6",
          "CC6.6-POF4"
        ],
        "general-cis-csc-8-1": [
          "12.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.2"
        ],
        "general-csa-iot-2": [
          "SNT-01"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.2"
        ],
        "general-iso-27002-2022": [
          "8.2"
        ],
        "general-iso-27017-2015": [
          "13.1.1"
        ],
        "general-iso-27018-2025": [
          "8.20"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P5",
          "PR.PT-P3"
        ],
        "general-nist-800-171-r3": [
          "03.13.01.b"
        ],
        "general-nist-800-172": [
          "3.13.4e"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-01"
        ],
        "general-pci-dss-4-0-1": [
          "1.4",
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.1"
        ],
        "general-swift-cscf-2025": [
          "1.1",
          "2.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.X"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2c"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SC.L3-3.13.4E"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)",
          "7123(c)(8)(A)",
          "7123(c)(10)"
        ],
        "emea-deu-c5-2020": [
          "PSS-10"
        ],
        "emea-isr-cmo-1-0": [
          "9.17"
        ],
        "emea-sau-cscc-1-2019": [
          "2-4-1-5"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-1"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.11",
          "4.12",
          "4.15"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.01.B"
        ]
      }
    },
    {
      "control_id": "NET-02.1",
      "title": "Denial of Service (DoS) Protection",
      "family": "NET",
      "description": "Automated mechanisms exist to protect against or limit the effects of denial of service attacks.",
      "scf_question": "Does the organization use automated mechanisms to protect against or limit the effects of denial of service attacks?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ Boundary protection technologies minimize the effect of Denial of Service (DoS) attacks against business-critical services.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically protect against or limit the effects of denial of service attacks.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable DDoS protection on ISP/hosting provider",
        "small": "∙ Cloud-based DDoS protection (e.g., Cloudflare free tier)\n∙ ISP-level DDoS mitigation",
        "medium": "∙ DDoS protection service (e.g., Cloudflare, Akamai)\n∙ Rate limiting\n∙ Traffic scrubbing",
        "large": "∙ Enterprise DDoS protection (e.g., Cloudflare Enterprise, Akamai Prolexic)\n∙ On-premises mitigation appliances",
        "enterprise": "∙ Enterprise DDoS mitigation platform\n∙ BGP-based scrubbing centers\n∙ Always-on cloud DDoS protection\n∙ On-prem + cloud hybrid protection"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-2"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-csa-iot-2": [
          "OPA-08",
          "OPA-09"
        ],
        "general-govramp": [
          "SC-05"
        ],
        "general-govramp-low": [
          "SC-05"
        ],
        "general-govramp-low-plus": [
          "SC-05"
        ],
        "general-govramp-mod": [
          "SC-05"
        ],
        "general-govramp-high": [
          "SC-05"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.1",
          "SR 7.1 RE 1",
          "SR 7.1 RE 2"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 7.1",
          "CR 7.1(1)"
        ],
        "general-mitre-att&ck-16-1": [
          "T1496.003"
        ],
        "general-nist-800-53-r4": [
          "SC-5"
        ],
        "general-nist-800-53-r5-2": [
          "SC-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-05"
        ],
        "general-nist-800-82-r3": [
          "SC-05"
        ],
        "general-nist-800-82-r3-low": [
          "SC-05"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-05"
        ],
        "general-nist-800-82-r3-high": [
          "SC-05"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.RE.DDSPR"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-05"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-5",
          "SC-5.a",
          "SC-5.b",
          "SC-5.c",
          "SC-5-IS"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-05"
        ],
        "emea-isr-cmo-1-0": [
          "9.3"
        ],
        "emea-sau-cscc-1-2019": [
          "2-4-1-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-92"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.8.3 [MP.S.3]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1019",
          "ISM-1431",
          "ISM-1436",
          "ISM-1805"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS17"
        ],
        "apac-nzl-ism-3-9": [
          "18.3.18.C.01",
          "18.3.19.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.7"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.19"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ]
      }
    },
    {
      "control_id": "NET-02.2",
      "title": "Guest Networks",
      "family": "NET",
      "description": "Mechanisms exist to implement and manage a secure guest network.",
      "scf_question": "Does the organization implement and manage a secure guest network?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ IT and/or cybersecurity personnel implement and manage a secure guest network.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement and manage a secure guest network.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Separate guest Wi-Fi network (available on most consumer routers)",
        "small": "∙ Separate guest network with no access to internal resources\n∙ Guest network policy",
        "medium": "∙ Segregated guest network\n∙ Captive portal\n∙ Guest network access controls",
        "large": "∙ Enterprise guest network solution\n∙ NAC enforcement\n∙ Guest network monitoring\n∙ VLAN segmentation",
        "enterprise": "∙ Enterprise NAC with guest access management\n∙ Sponsored guest access\n∙ Guest network monitoring\n∙ Automated provisioning/deprovisioning"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "TS-2.11"
        ],
        "general-nist-800-171-r2": [
          "3.13.1"
        ],
        "general-nist-800-171-r3": [
          "03.01.16.a",
          "03.01.16.b"
        ],
        "general-nist-800-171a": [
          "3.13.1[e]",
          "3.13.1[g]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.16.a[01]",
          "A.03.01.16.a[02]",
          "A.03.01.16.a[04]",
          "A.03.01.16.b"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.3",
          "1.3.3",
          "2.3",
          "11.2",
          "11.2.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.3",
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.3",
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.3",
          "11.2.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.3",
          "1.3.3",
          "11.2.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.3",
          "1.3.3",
          "11.2.1",
          "11.2.2"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SC.L1-B.1.X"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(x)"
        ],
        "emea-isr-cmo-1-0": [
          "9.18"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0536"
        ],
        "apac-nzl-ism-3-9": [
          "18.2.6.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.16.A",
          "03.01.16.B"
        ]
      }
    },
    {
      "control_id": "NET-02.3",
      "title": "Cross Domain Solution (CDS)",
      "family": "NET",
      "description": "Mechanisms exist to implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains.",
      "scf_question": "Does the organization implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Documented cross-domain solution policy\n∙ Review data transfers between security domains",
        "large": "∙ Formal cross-domain solution (CDS) controls\n∙ Data transfer approval process",
        "enterprise": "∙ Enterprise CDS platform\n∙ Hardware data diodes where applicable\n∙ Formal CDS approval and monitoring program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1021.001",
          "T1021.003",
          "T1021.006",
          "T1046",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1072",
          "T1098.001",
          "T1133",
          "T1136",
          "T1136.002",
          "T1190",
          "T1199",
          "T1210",
          "T1482",
          "T1489",
          "T1552.007",
          "T1557",
          "T1557.001",
          "T1557.003",
          "T1557.004",
          "T1563",
          "T1563.002",
          "T1565",
          "T1565.003",
          "T1622"
        ],
        "general-nist-800-53-r5-2": [
          "SC-46"
        ],
        "general-nist-800-82-r3": [
          "SC-46"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-46"
        ],
        "general-nist-800-172": [
          "3.1.3e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-swift-cscf-2025": [
          "2.4"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AC.L3-3.1.3E"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.5"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0597",
          "ISM-0610",
          "ISM-0626",
          "ISM-0635",
          "ISM-0670",
          "ISM-1287",
          "ISM-1521",
          "ISM-1522",
          "ISM-1523"
        ],
        "apac-nzl-ism-3-9": [
          "19.2.15.C.01",
          "19.2.16.C.01",
          "19.2.16.C.02",
          "19.2.17.C.01",
          "19.2.17.C.02",
          "19.2.18.C.01",
          "19.2.19.C.01",
          "19.2.19.C.02",
          "19.2.20.C.01"
        ]
      }
    },
    {
      "control_id": "NET-03",
      "title": "Boundary Protection",
      "family": "NET",
      "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
      "scf_question": "Does the organization monitor and control communications at the external network boundary and at key internal boundaries within the network?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-08",
        "E-NET-09"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ SBC enforce network activity monitoring and control communications at the external network boundary and at key internal boundaries within the network.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Firewall as boundary protection device",
        "small": "∙ Business-grade firewall (e.g., Cisco Meraki, pfSense)\n∙ DMZ for public-facing services",
        "medium": "∙ NGFW boundary protection\n∙ DMZ architecture\n∙ IDS/IPS at perimeter",
        "large": "∙ Enterprise NGFW with IPS\n∙ DMZ design\n∙ Network segmentation\n∙ Perimeter monitoring",
        "enterprise": "∙ Enterprise perimeter security\n∙ NGFW, IPS, DMZ\n∙ Zero-trust perimeter\n∙ Continuous boundary monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF5",
          "CC6.6",
          "CC6.6-POF1",
          "CC6.6-POF3",
          "CC6.6-POF4",
          "CC6.8"
        ],
        "general-cis-csc-8-1": [
          "9.6",
          "13.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.6",
          "13.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.6",
          "13.5"
        ],
        "general-csa-iot-2": [
          "IOT-10"
        ],
        "general-govramp": [
          "SC-07"
        ],
        "general-govramp-core": [
          "SC-07"
        ],
        "general-govramp-low": [
          "SC-07"
        ],
        "general-govramp-low-plus": [
          "SC-07"
        ],
        "general-govramp-mod": [
          "SC-07"
        ],
        "general-govramp-high": [
          "SC-07"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.3"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 5.2"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 5.2",
          "NDR 5.2"
        ],
        "general-iso-27002-2022": [
          "8.2",
          "8.21"
        ],
        "general-iso-27017-2015": [
          "13.1.1",
          "13.1.2"
        ],
        "general-iso-27018-2025": [
          "8.20",
          "8.21"
        ],
        "general-mitre-att&ck-16-1": [
          "T1001",
          "T1001.001",
          "T1001.002",
          "T1001.003",
          "T1008",
          "T1020.001",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.005",
          "T1021.006",
          "T1029",
          "T1030",
          "T1036.008",
          "T1041",
          "T1046",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1055",
          "T1055.001",
          "T1055.002",
          "T1055.003",
          "T1055.004",
          "T1055.005",
          "T1055.008",
          "T1055.009",
          "T1055.011",
          "T1055.012",
          "T1055.013",
          "T1055.014",
          "T1068",
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1071.005",
          "T1072",
          "T1078",
          "T1080",
          "T1090",
          "T1090.001",
          "T1090.002",
          "T1090.003",
          "T1095",
          "T1098",
          "T1098.001",
          "T1102",
          "T1102.001",
          "T1102.002",
          "T1102.003",
          "T1104",
          "T1105",
          "T1114",
          "T1114.003",
          "T1132",
          "T1132.001",
          "T1132.002",
          "T1133",
          "T1136",
          "T1136.002",
          "T1136.003",
          "T1176",
          "T1187",
          "T1189",
          "T1190",
          "T1197",
          "T1199",
          "T1203",
          "T1204",
          "T1204.001",
          "T1204.002",
          "T1204.003",
          "T1205",
          "T1205.001",
          "T1210",
          "T1211",
          "T1212",
          "T1218",
          "T1218.012",
          "T1218.015",
          "T1219",
          "T1221",
          "T1482",
          "T1489",
          "T1498",
          "T1498.001",
          "T1498.002",
          "T1499",
          "T1499.001",
          "T1499.002",
          "T1499.003",
          "T1499.004",
          "T1505.004",
          "T1530",
          "T1537",
          "T1542",
          "T1542.004",
          "T1542.005",
          "T1552",
          "T1552.001",
          "T1552.004",
          "T1552.005",
          "T1552.007",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1557.004",
          "T1559",
          "T1559.001",
          "T1559.002",
          "T1560",
          "T1560.001",
          "T1563",
          "T1563.002",
          "T1565",
          "T1565.001",
          "T1565.003",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1566.003",
          "T1567",
          "T1567.001",
          "T1567.002",
          "T1567.003",
          "T1567.004",
          "T1568",
          "T1568.002",
          "T1570",
          "T1571",
          "T1572",
          "T1573",
          "T1573.001",
          "T1573.002",
          "T1590.002",
          "T1598",
          "T1598.001",
          "T1598.002",
          "T1598.003",
          "T1599",
          "T1599.001",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1609",
          "T1610",
          "T1611",
          "T1612",
          "T1613",
          "T1622",
          "T1648",
          "T1659"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.0"
        ],
        "general-nist-800-53-r4": [
          "SC-7",
          "SC-7(9)",
          "SC-7(11)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07",
          "SC-07(09)",
          "SC-07(11)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(09)",
          "SC-07(11)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-07"
        ],
        "general-nist-800-82-r3": [
          "SC-07",
          "SC-07(09)",
          "SC-07(11)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-07"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-07"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07",
          "SC-07(11)"
        ],
        "general-nist-800-161-r1": [
          "SC-7"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SC-7"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SC-7"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-7"
        ],
        "general-nist-800-171-r2": [
          "3.13.1"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.a",
          "03.13.01.a",
          "03.13.01.b",
          "03.13.01.c"
        ],
        "general-nist-800-171a": [
          "3.13.1[a]",
          "3.13.1[b]",
          "3.13.1[c]",
          "3.13.1[d]",
          "3.13.1[e]",
          "3.13.1[f]",
          "3.13.1[g]",
          "3.13.1[h]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.18.a[03]",
          "A.03.13.01.a[02]",
          "A.03.13.01.a[04]",
          "A.03.13.01.c"
        ],
        "general-pci-dss-4-0-1": [
          "1.3.3",
          "1.4",
          "1.4.1",
          "1.4.2",
          "11.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.5.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.5.1"
        ],
        "general-swift-cscf-2025": [
          "1.5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-7"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SC.L1-B.1.X"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "SC.L1-B.1.X[a]",
          "SC.L1-B.1.X[b]",
          "SC.L1-B.1.X[c]",
          "SC.L1-B.1.X[d]",
          "SC.L1-B.1.X[e]",
          "SC.L1-B.1.X[f]",
          "SC.L1-B.1.X[g]",
          "SC.L1-B.1.X[h]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(x)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07",
          "SC-07(09)",
          "SC-07(11)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07",
          "SC-07(09)",
          "SC-07(11)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07",
          "SC-07(09)",
          "SC-07(11)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07",
          "SC-07(09)",
          "SC-07(11)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7",
          "SC-7(CE-9)",
          "SC-7(CE-9).a",
          "SC-7(CE-9).b",
          "SC-7(CE-11)",
          "SC-7(IRS-Defined)-1",
          "SC-7(IRS-Defined)-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-7",
          "SC-7.a",
          "SC-7.b",
          "SC-7.c",
          "SC-7-IS.1",
          "SC-7-IS.2",
          "SC-7-IS.3"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 1.5"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B.1.c"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)",
          "7123(c)(8)(A)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-07"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-07"
        ],
        "emea-deu-c5-2020": [
          "COS-04",
          "PSS-10"
        ],
        "emea-isr-cmo-1-0": [
          "9.3",
          "9.18",
          "9.23",
          "10.9",
          "11.8",
          "16.4"
        ],
        "emea-sau-cgiot-2024": [
          "2-4-5"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-1",
          "2-4-1-2",
          "2-4-1-6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-76"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2427"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2427"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2427"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2427"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0611",
          "ISM-0612",
          "ISM-0613",
          "ISM-0616",
          "ISM-0619",
          "ISM-0622",
          "ISM-0628",
          "ISM-0629",
          "ISM-0631",
          "ISM-0634",
          "ISM-0637",
          "ISM-0639",
          "ISM-1037",
          "ISM-1192",
          "ISM-1284",
          "ISM-1286",
          "ISM-1287",
          "ISM-1288",
          "ISM-1289",
          "ISM-1293",
          "ISM-1389",
          "ISM-1427",
          "ISM-1520",
          "ISM-1521",
          "ISM-1522",
          "ISM-1528"
        ],
        "apac-nzl-ism-3-9": [
          "19.1.10.C.01",
          "19.1.11.C.01",
          "19.1.11.C.02",
          "19.1.12.C.01",
          "19.1.13.C.01",
          "19.1.14.C.01",
          "19.1.14.C.02",
          "19.1.15.C.01",
          "19.1.16.C.01",
          "19.1.16.C.02",
          "19.1.17.C.01",
          "19.1.17.C.02",
          "19.1.18.C.01",
          "19.1.18.C.02",
          "19.1.19.C.01",
          "19.1.19.C.02",
          "19.1.19.C.03",
          "19.1.19.C.04",
          "19.1.19.C.05",
          "19.1.20.C.01",
          "19.1.20.C.02",
          "19.1.20.C.03",
          "19.1.21.C.01",
          "19.1.22.C.01",
          "19.1.22.C.02",
          "19.1.22.C.03",
          "19.1.23.C.01",
          "19.3.8.C.01",
          "19.3.8.C.02",
          "19.3.8.C.03",
          "19.3.8.C.04",
          "19.3.9.C.01",
          "19.3.9.C.02",
          "19.3.9.C.03",
          "19.4.4.C.01",
          "19.4.5.C.01",
          "19.4.5.C.02",
          "19.4.5.C.03",
          "19.4.6.C.01",
          "19.5.24.C.01",
          "19.5.24.C.02",
          "19.5.24.C.03",
          "19.5.24.C.04",
          "19.5.24.C.05",
          "19.5.24.C.06",
          "19.5.24.C.07",
          "19.5.24.C.08",
          "19.5.25.C.01",
          "19.5.26.C.01",
          "19.5.26.C.02",
          "19.5.26.C.03",
          "19.5.26.C.04",
          "19.5.26.C.05",
          "19.5.26.C.06",
          "19.5.26.C.07",
          "19.5.26.C.08",
          "19.5.26.C.09",
          "19.5.26.C.10",
          "19.5.26.C.11",
          "19.5.26.C.12",
          "19.5.27.C.01",
          "19.5.27.C.02",
          "19.5.27.C.03",
          "19.5.27.C.04",
          "19.5.27.C.05",
          "19.5.27.C.06",
          "19.5.28.C.01",
          "19.5.28.C.02",
          "19.5.28.C.03",
          "19.5.28.C.04",
          "19.5.28.C.05",
          "19.5.28.C.06",
          "19.5.28.C.07",
          "19.5.29.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.4"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.5",
          "11.2.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.A",
          "03.13.01.A",
          "03.13.01.B",
          "03.13.01.C"
        ]
      }
    },
    {
      "control_id": "NET-03.1",
      "title": "Limit Network Connections",
      "family": "NET",
      "description": "Mechanisms exist to limit the number of concurrent external network connections to its Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization limit the number of concurrent external network connections to its Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to limit the number of concurrent external network connections to its Technology Assets, Applications and/or Services (TAAS).",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Firewall rules to limit inbound/outbound connections",
        "small": "∙ Firewall rules limiting connections to business need\n∙ Deny-by-default policy",
        "medium": "∙ Formal network connection policy\n∙ Firewall rule review process\n∙ Least-privilege network access",
        "large": "∙ Enterprise firewall management\n∙ Automated firewall rule review\n∙ Network access control (NAC)",
        "enterprise": "∙ Enterprise firewall management platform (e.g., Tufin, FireMon)\n∙ Zero-trust network access (ZTNA)\n∙ Automated rule optimization"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.6"
        ],
        "general-csa-iot-2": [
          "SWS-04"
        ],
        "general-govramp": [
          "SC-07(03)"
        ],
        "general-govramp-core": [
          "SC-07(03)"
        ],
        "general-govramp-mod": [
          "SC-07(03)"
        ],
        "general-govramp-high": [
          "SC-07(03)"
        ],
        "general-nist-800-53-r4": [
          "SC-7(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(03)",
          "SI-04(25)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-04(25)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-07(03)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(03)",
          "SI-04(25)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-07(03)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(25)"
        ],
        "general-nist-800-171-r2": [
          "NFO - SC-7(3)"
        ],
        "general-pci-dss-4-0-1": [
          "1.4.2",
          "11.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.2",
          "11.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.2",
          "11.2.1"
        ],
        "general-shared-assessments-sig-2025": [
          "N.5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-7(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-04(25)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(03)",
          "SI-04(25)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(03)",
          "SI-04(25)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-04(25)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-3)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-7(3)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-07 (03)"
        ],
        "emea-deu-c5-2020": [
          "COS-04"
        ],
        "emea-isr-cmo-1-0": [
          "9.10",
          "9.11",
          "16.4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1314"
        ]
      }
    },
    {
      "control_id": "NET-03.2",
      "title": "External Telecommunications Services",
      "family": "NET",
      "description": "Mechanisms exist to maintain a managed interface for each external telecommunication service that protects the confidentiality and integrity of the information being transmitted across each interface.",
      "scf_question": "Does the organization maintain a managed interface for each external telecommunication service that protects the confidentiality and integrity of the information being transmitted across each interface?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to maintain a managed interface for each external telecommunication service that protects the confidentiality and integrity of the information being transmitted across each interface.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document external telecom services and provider contacts",
        "small": "∙ External telecom service inventory\n∙ SLA requirements in provider agreements",
        "medium": "∙ Formal external telecom management policy\n∙ Provider security requirements\n∙ Redundant connections",
        "large": "∙ Telecommunications governance program\n∙ Redundant ISP connections\n∙ Provider SLA monitoring",
        "enterprise": "∙ Enterprise telecom governance framework\n∙ Redundant multi-provider architecture\n∙ Automated failover\n∙ Provider security assessments"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "SC-07(04)"
        ],
        "general-govramp-mod": [
          "SC-07(04)"
        ],
        "general-govramp-high": [
          "SC-07(04)"
        ],
        "general-nist-800-53-r4": [
          "SC-7(4)",
          "SC-7(9)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(04)",
          "SC-07(09)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(09)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-07(04)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(04)",
          "SC-07(09)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-07(04)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07(04)"
        ],
        "general-nist-800-171-r2": [
          "NFO - SC-7(4)"
        ],
        "general-shared-assessments-sig-2025": [
          "N.5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-7(4)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(09)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(04)",
          "SC-07(09)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(04)",
          "SC-07(09)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(09)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-4)",
          "SC-7(CE-4).a",
          "SC-7(CE-4).b",
          "SC-7(CE-4).c",
          "SC-7(CE-4).d",
          "SC-7(CE-4).e",
          "SC-7(CE-4).f",
          "SC-7(CE-4).g",
          "SC-7(CE-4).h"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-7(4)",
          "SC-7(4).a",
          "SC-7(4).b",
          "SC-7(4).c",
          "SC-7(4).d",
          "SC-7(4).e",
          "SC-7(4).f"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "12-2.a"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-07 (04)"
        ],
        "emea-deu-c5-2020": [
          "COS-03"
        ],
        "emea-isr-cmo-1-0": [
          "9.5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0546",
          "ISM-1562"
        ]
      }
    },
    {
      "control_id": "NET-03.3",
      "title": "Prevent Discovery of Internal Information",
      "family": "NET",
      "description": "Mechanisms exist to prevent the public disclosure of internal network information.",
      "scf_question": "Does the organization prevent the public disclosure of internal network information?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to prevent the public disclosure of internal network information.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Configure firewall to block external probing of internal network info",
        "small": "∙ Firewall rules preventing internal network enumeration\n∙ Disable unnecessary banners",
        "medium": "∙ Network hardening to prevent internal network discovery\n∙ OSINT monitoring for leaked network info",
        "large": "∙ Network obfuscation controls\n∙ Active response to network scanning\n∙ Firewall rules blocking enumeration",
        "enterprise": "∙ Enterprise network obfuscation and deception (e.g., deception technology)\n∙ Automated blocking of reconnaissance\n∙ Network information leakage monitoring"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-EX-4",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-iso-27002-2022": [
          "8.12"
        ],
        "general-iso-27018-2025": [
          "8.12"
        ],
        "general-mitre-att&ck-16-1": [
          "T1590.001",
          "T1590.003",
          "T1590.004",
          "T1590.005",
          "T1590.006",
          "T1592",
          "T1592.001",
          "T1592.002",
          "T1592.003",
          "T1592.004"
        ],
        "general-nist-800-53-r4": [
          "SC-7(16)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(16)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(16)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(16)"
        ],
        "general-pci-dss-4-0-1": [
          "1.4.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.5"
        ],
        "emea-isr-cmo-1-0": [
          "9.19"
        ],
        "apac-jpn-ismap": [
          "14.1.1.23"
        ]
      }
    },
    {
      "control_id": "NET-03.4",
      "title": "Personal Data (PD)",
      "family": "NET",
      "description": "Mechanisms exist to apply network-based processing rules to data elements of Personal Data (PD).",
      "scf_question": "Does the organization apply network-based processing rules to data elements of Personal Data (PD)?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to apply network-based processing rules to data elements of Personal Data (PD).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic firewall\n∙ Network security policy",
        "small": "∙ Small business firewall (e.g., Cisco Meraki)\n∙ Network security policy",
        "medium": "∙ Data Loss Prevention (DLP)",
        "large": "∙ Data Loss Prevention (DLP)",
        "enterprise": "∙ Data Loss Prevention (DLP)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SC-07(24)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(24)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(24)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2316"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2316"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2316"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2316"
        ]
      }
    },
    {
      "control_id": "NET-03.5",
      "title": "Prevent Unauthorized Exfiltration",
      "family": "NET",
      "description": "Automated mechanisms exist to prevent the unauthorized exfiltration of sensitive/regulated data across managed interfaces.",
      "scf_question": "Does the organization use automated mechanisms to prevent the unauthorized exfiltration of sensitive/regulated data across managed interfaces?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically prevent the unauthorized exfiltration of sensitive/regulated data across managed interfaces.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Basic firewall\n∙ Network security policy",
        "small": "∙ Small business firewall (e.g., Cisco Meraki)\n∙ Network security policy",
        "medium": "∙ Data Loss Prevention (DLP)",
        "large": "∙ Data Loss Prevention (DLP)",
        "enterprise": "∙ Data Loss Prevention (DLP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7-POF1"
        ],
        "general-govramp": [
          "SC-07(10)"
        ],
        "general-govramp-high": [
          "SC-07(10)"
        ],
        "general-iso-27002-2022": [
          "8.12"
        ],
        "general-iso-27018-2025": [
          "8.12"
        ],
        "general-nist-800-53-r4": [
          "SC-7(10)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(10)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(10)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(10)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(10)"
        ],
        "general-pci-dss-4-0-1": [
          "1.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.3.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.3.2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-5f"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(10)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(10)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(10)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(10)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-10)",
          "SC-7(CE-10).a",
          "SC-7(CE-10).b"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S4"
        ]
      }
    },
    {
      "control_id": "NET-03.6",
      "title": "Dynamic Isolation & Segregation (Sandboxing)",
      "family": "NET",
      "description": "Automated mechanisms exist to dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application.",
      "scf_question": "Does the organization use automated mechanisms to dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically and dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use sandbox environment for testing suspicious files/code",
        "small": "∙ Sandbox analysis tool (e.g., Any.run, free tiers)\n∙ Isolation policy for suspicious activity",
        "medium": "∙ Dynamic sandboxing solution (e.g., Cuckoo Sandbox)\n∙ Network isolation for suspected threats",
        "large": "∙ Enterprise sandbox platform (e.g., Palo Alto WildFire, Cisco Threat Grid)\n∙ Automated isolation workflows",
        "enterprise": "∙ Enterprise sandboxing and dynamic isolation platform\n∙ Automated containment via SOAR\n∙ Network quarantine capabilities"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "SC-07(20)"
        ],
        "general-govramp-high": [
          "SC-07(20)"
        ],
        "general-nist-800-53-r4": [
          "SC-7(20)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(20)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(20)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(20)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2l"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(20)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-38"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "4"
        ]
      }
    },
    {
      "control_id": "NET-03.7",
      "title": "Isolation of System Components",
      "family": "NET",
      "description": "Mechanisms exist to employ boundary protections to isolate Technology Assets, Applications and/or Services (TAAS) that support critical missions and/or business functions.",
      "scf_question": "Does the organization employ boundary protections to isolate Technology Assets, Applications and/or Services (TAAS) that support critical missions and/or business functions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to employ boundary protections to isolate Technology Assets, Applications and/or Services (TAAS) that support critical missions and/or business functions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use VLANs or separate physical networks for sensitive systems",
        "small": "∙ VLAN segmentation for critical systems\n∙ Network isolation policy",
        "medium": "∙ Network segmentation with VLANs\n∙ Isolated segments for sensitive systems\n∙ Inter-VLAN firewall rules",
        "large": "∙ Enterprise network segmentation program\n∙ Microsegmentation for sensitive workloads\n∙ SDN-based isolation",
        "enterprise": "∙ Enterprise microsegmentation platform (e.g., Illumio, VMware NSX)\n∙ Zero-trust workload isolation\n∙ Automated policy enforcement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "SC-07(21)"
        ],
        "general-govramp-high": [
          "SC-07(21)"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.3",
          "NET 1.7"
        ],
        "general-nist-800-53-r4": [
          "SC-7(21)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(21)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SC-07(21)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(21)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07(21)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(21)"
        ],
        "general-nist-800-172": [
          "3.13.4e"
        ],
        "general-pci-dss-4-0-1": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.3.3"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SC.L3-3.13.4E"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(21)"
        ],
        "emea-sau-ecc-1-2018": [
          "5-1-3-4"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP43",
          "HHSP55",
          "HML43",
          "HML55"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS16"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP47"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.6"
        ]
      }
    },
    {
      "control_id": "NET-03.8",
      "title": "Separate Subnet for Connecting to Different Security Domains",
      "family": "NET",
      "description": "Mechanisms exist to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains.",
      "scf_question": "Does the organization implement separate network addresses (e.g., different subnets) to connect to systems in different security domains?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Separate network segment for systems with different security requirements",
        "small": "∙ VLAN-based subnet separation for different security domains",
        "medium": "∙ Formal network segmentation policy\n∙ Separate subnets per security domain\n∙ Inter-segment access controls",
        "large": "∙ Enterprise network segmentation with dedicated subnets per security zone",
        "enterprise": "∙ Enterprise network architecture with security-domain-based subnets\n∙ Automated firewall policy enforcement between zones"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "NET 1.3"
        ],
        "general-nist-800-53-r4": [
          "SC-7(22)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(22)",
          "SC-07(29)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(29)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(22)",
          "SC-07(29)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(22)",
          "SC-07(29)"
        ],
        "general-nist-800-171-r3": [
          "03.13.01.b"
        ],
        "general-pci-dss-4-0-1": [
          "1.4",
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(29)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(29)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(29)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(29)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-38",
          "TPC-40"
        ],
        "apac-nzl-ism-3-9": [
          "14.1.11.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.01.B"
        ]
      }
    },
    {
      "control_id": "NET-04",
      "title": "Data Flow Enforcement – Access Control Lists (ACLs)",
      "family": "NET",
      "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restricts network traffic to only what is authorized.",
      "scf_question": "Does the organization implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restricts network traffic to only what is authorized?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-12",
        "E-AST-19",
        "E-NET-06",
        "E-NET-07",
        "E-NET-10"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Administrative processes enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restricts network traffic to only what is authorized.",
        "4": "Network Security (NET) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Access Control Lists (ACLs)",
        "small": "∙ Access Control Lists (ACLs)",
        "medium": "∙ Access Control Lists (ACLs)",
        "large": "∙ Access Control Lists (ACLs)",
        "enterprise": "∙ Access Control Lists (ACLs)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1",
          "CC6.1-POF6",
          "CC6.6",
          "CC6.6-POF1"
        ],
        "general-cis-csc-8-1": [
          "3.3",
          "4.6",
          "12.6",
          "13.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.3",
          "4.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.3",
          "4.6",
          "12.6",
          "13.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.3",
          "4.6",
          "12.6",
          "13.4"
        ],
        "general-csa-iot-2": [
          "CLS-12",
          "SWS-05"
        ],
        "general-govramp": [
          "AC-04"
        ],
        "general-govramp-core": [
          "AC-04"
        ],
        "general-govramp-low-plus": [
          "AC-04"
        ],
        "general-govramp-mod": [
          "AC-04"
        ],
        "general-govramp-high": [
          "AC-04"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.6",
          "NET 1.8"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.13 RE 1",
          "SR 5.3"
        ],
        "general-iec-62443-4-2-2019": [
          "NDR 1.13(1)"
        ],
        "general-iso-27002-2022": [
          "5.14",
          "8.3",
          "8.2"
        ],
        "general-iso-27017-2015": [
          "9.4.1",
          "13.1.1",
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.14",
          "8.3",
          "8.20"
        ],
        "general-mitre-att&ck-16-1": [
          "T1001",
          "T1001.001",
          "T1001.002",
          "T1001.003",
          "T1003",
          "T1003.001",
          "T1003.005",
          "T1003.006",
          "T1008",
          "T1020.001",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.005",
          "T1021.006",
          "T1029",
          "T1030",
          "T1041",
          "T1046",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1068",
          "T1070.008",
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1071.005",
          "T1072",
          "T1090",
          "T1090.001",
          "T1090.002",
          "T1090.003",
          "T1095",
          "T1098",
          "T1098.001",
          "T1098.007",
          "T1102",
          "T1102.001",
          "T1102.002",
          "T1102.003",
          "T1104",
          "T1105",
          "T1114",
          "T1114.001",
          "T1114.002",
          "T1114.003",
          "T1132",
          "T1132.001",
          "T1132.002",
          "T1133",
          "T1134.005",
          "T1136",
          "T1136.002",
          "T1136.003",
          "T1187",
          "T1189",
          "T1190",
          "T1197",
          "T1199",
          "T1203",
          "T1204",
          "T1204.001",
          "T1204.002",
          "T1204.003",
          "T1205",
          "T1205.001",
          "T1205.002",
          "T1210",
          "T1211",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.004",
          "T1213.005",
          "T1218",
          "T1218.012",
          "T1219",
          "T1482",
          "T1484",
          "T1489",
          "T1498",
          "T1498.001",
          "T1498.002",
          "T1499",
          "T1499.001",
          "T1499.002",
          "T1499.003",
          "T1499.004",
          "T1505.004",
          "T1528",
          "T1530",
          "T1537",
          "T1547.003",
          "T1552",
          "T1552.001",
          "T1552.005",
          "T1552.007",
          "T1552.008",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1557.004",
          "T1559",
          "T1559.001",
          "T1559.002",
          "T1563",
          "T1563.002",
          "T1564.008",
          "T1565",
          "T1565.003",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1566.003",
          "T1567",
          "T1567.001",
          "T1567.002",
          "T1567.003",
          "T1567.004",
          "T1568",
          "T1568.002",
          "T1570",
          "T1571",
          "T1572",
          "T1573",
          "T1573.001",
          "T1573.002",
          "T1574",
          "T1574.004",
          "T1574.005",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.010",
          "T1590.002",
          "T1598",
          "T1598.001",
          "T1598.002",
          "T1598.003",
          "T1599",
          "T1599.001",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1609",
          "T1611",
          "T1622",
          "T1654",
          "T1659"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-2.0",
          "TS-2.4"
        ],
        "general-nist-800-53-r4": [
          "AC-4"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-04"
        ],
        "general-nist-800-82-r3": [
          "AC-04"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-04"
        ],
        "general-nist-800-82-r3-high": [
          "AC-04"
        ],
        "general-nist-800-161-r1": [
          "AC-4"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-4"
        ],
        "general-nist-800-171-r2": [
          "3.1.3"
        ],
        "general-nist-800-171-r3": [
          "03.01.03",
          "03.13.01.a",
          "03.13.01.c"
        ],
        "general-nist-800-171a": [
          "3.1.3[a]",
          "3.1.3[b]",
          "3.1.3[c]",
          "3.1.3[d]",
          "3.1.3[e]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.03[02]"
        ],
        "general-nist-800-172": [
          "3.1.3e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-pci-dss-4-0-1": [
          "1.1",
          "1.3",
          "1.3.1",
          "1.3.2",
          "1.4.2",
          "1.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.3.1",
          "1.3.2",
          "1.4.2",
          "1.4.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.3.1",
          "1.3.2",
          "1.4.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.1",
          "1.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.1",
          "1.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.3.1",
          "1.3.2",
          "1.4.2",
          "1.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.3.1",
          "1.3.2",
          "1.4.2",
          "1.4.3"
        ],
        "general-swift-cscf-2025": [
          "1.1",
          "1.5",
          "2.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.F",
          "2.W",
          "2.X"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2e"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AC.L2-3.1.3"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AC.L3-3.1.3E"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-04"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 1.3"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B.1.d"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-04"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(c)",
          "6.7.2(f)",
          "6.7.2(g)"
        ],
        "emea-deu-c5-2020": [
          "COS-03"
        ],
        "emea-isr-cmo-1-0": [
          "9.12",
          "9.16",
          "10.9",
          "12.11"
        ],
        "emea-sau-cscc-1-2019": [
          "2-4-1-4",
          "2-4-1-6",
          "2-4-1-7",
          "2-4-1-9"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-6",
          "2-4-1-7",
          "2-4-1-8",
          "2-4-1-10",
          "2-4-1-14",
          "2-4-1-16"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2316",
          "2428"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2316",
          "2428"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2316",
          "2428"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2316",
          "2428"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0643",
          "ISM-0645",
          "ISM-1157",
          "ISM-1158",
          "ISM-1386"
        ],
        "apac-nzl-ism-3-9": [
          "18.1.13.C.01",
          "18.1.13.C.02",
          "18.1.14.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03",
          "03.13.01.A",
          "03.13.01.C"
        ]
      }
    },
    {
      "control_id": "NET-04.1",
      "title": "Deny Traffic by Default & Allow Traffic by Exception",
      "family": "NET",
      "description": "Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).",
      "scf_question": "Does the organization configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-12",
        "E-AST-19",
        "E-NET-07",
        "E-NET-10"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).",
        "4": "Network Security (NET) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6",
          "CC6.6-POF1",
          "CC6.6-POF3",
          "CC6.7-POF1"
        ],
        "general-cis-csc-8-1": [
          "13.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "13.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "13.4"
        ],
        "general-csa-iot-2": [
          "SWS-05"
        ],
        "general-govramp": [
          "SC-07(05)"
        ],
        "general-govramp-low-plus": [
          "SC-07(05)"
        ],
        "general-govramp-mod": [
          "SC-07(05)"
        ],
        "general-govramp-high": [
          "SC-07(05)"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.7"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 5.2 RE 1",
          "SR 5.3 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 5.3",
          "NDR 1.13(1)",
          "NDR 5.2(1)",
          "NDR 5.2(2)",
          "NDR 5.3"
        ],
        "general-iso-27002-2022": [
          "5.14",
          "8.2"
        ],
        "general-iso-27017-2015": [
          "13.1.1",
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.14",
          "8.20"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0",
          "TS-2.4"
        ],
        "general-nist-800-53-r4": [
          "CA-3(5)",
          "SC-7(5)",
          "SC-7(11)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(05)",
          "SC-07(11)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(11)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-07(05)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(05)",
          "SC-07(11)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-07(05)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(11)"
        ],
        "general-nist-800-171-r2": [
          "3.13.6",
          "NFO - CA-3(5)"
        ],
        "general-nist-800-171-r3": [
          "03.13.01.a",
          "03.13.06"
        ],
        "general-nist-800-171a": [
          "3.13.6[a]",
          "3.13.6[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.06[01]",
          "A.03.13.06[02]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-pci-dss-4-0-1": [
          "1.3",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.3.1",
          "1.3.2",
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.1",
          "1.3.2",
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.1",
          "1.3.2",
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.2"
        ],
        "general-swift-cscf-2025": [
          "1.1",
          "1.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.F",
          "2.W",
          "2.X"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-7(5)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2e"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SC.L2-3.13.6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(11)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(05)",
          "SC-07(11)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(05)",
          "SC-07(11)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(11)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-5)",
          "SC-7(CE-11)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-7(5)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-07 (05)"
        ],
        "emea-isr-cmo-1-0": [
          "9.12",
          "12.9"
        ],
        "emea-sau-cscc-1-2019": [
          "2-4-1-4",
          "2-4-1-6",
          "2-4-1-7",
          "2-4-1-9"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-6",
          "2-4-1-8",
          "2-4-1-14"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-36"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2507"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2507"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2507"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2507"
        ],
        "apac-nzl-ism-3-9": [
          "18.1.13.C.01",
          "18.1.13.C.02",
          "18.1.14.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.01.A",
          "03.13.06"
        ]
      }
    },
    {
      "control_id": "NET-04.2",
      "title": "Object Security Attributes",
      "family": "NET",
      "description": "Mechanisms exist to associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions.",
      "scf_question": "Does the organization associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Tag files with classification labels before transferring",
        "small": "∙ Data classification labels applied to objects in transit\n∙ DLP policy for classified data",
        "medium": "∙ Object-level security attributes policy\n∙ DLP enforcement based on attributes",
        "large": "∙ Enterprise DLP with object-level classification enforcement\n∙ Rights management (IRM)",
        "enterprise": "∙ Enterprise DLP platform (e.g., Microsoft Purview, Symantec DLP)\n∙ IRM/DRM\n∙ Automated classification and enforcement"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-4(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(01)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(01)"
        ]
      }
    },
    {
      "control_id": "NET-04.3",
      "title": "Content Check for Encrypted Data",
      "family": "NET",
      "description": "Mechanisms exist to prevent encrypted data from bypassing content-checking mechanisms.",
      "scf_question": "Does the organization prevent encrypted data from bypassing content-checking mechanisms?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to prevent encrypted data from bypassing content-checking mechanisms.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable TLS inspection on firewall if available",
        "small": "∙ TLS inspection on gateway firewall\n∙ Policy for inspecting encrypted traffic",
        "medium": "∙ SSL/TLS inspection on NGFW or proxy\n∙ Policy defining inspection rules",
        "large": "∙ Enterprise TLS inspection platform\n∙ Decryption policy for high-risk traffic categories",
        "enterprise": "∙ Enterprise SSL/TLS inspection with NGFW or dedicated proxy (e.g., Zscaler)\n∙ Selective decryption policies\n∙ Privacy compliance for inspection"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-4(4)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AC-04(04)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(04)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-04(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-04(04)"
        ],
        "emea-isr-cmo-1-0": [
          "9.16"
        ]
      }
    },
    {
      "control_id": "NET-04.4",
      "title": "Embedded Data Types",
      "family": "NET",
      "description": "Mechanisms exist to enforce limitations on embedding data within other data types.",
      "scf_question": "Does the organization enforce limitations on embedding data within other data types?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to enforce limitations on embedding data within other data types.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Block unauthorized file types at email gateway",
        "small": "∙ Email gateway file type filtering\n∙ Web proxy content type controls",
        "medium": "∙ Content inspection policy for embedded data types\n∙ Gateway filtering for prohibited file types",
        "large": "∙ Enterprise content inspection solution\n∙ NGFW application layer filtering\n∙ Data type policies",
        "enterprise": "∙ Enterprise content inspection platform\n∙ NGFW with application-layer DPI\n∙ DLP for embedded data types\n∙ CASB for cloud content"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-4(5)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(05)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(05)"
        ],
        "emea-isr-cmo-1-0": [
          "9.16"
        ]
      }
    },
    {
      "control_id": "NET-04.5",
      "title": "Metadata",
      "family": "NET",
      "description": "Mechanisms exist to enforce information flow controls based on metadata.",
      "scf_question": "Does the organization enforce information flow controls based on metadata?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to enforce information flow controls based on metadata.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review metadata in files before sharing externally",
        "small": "∙ Policy requiring metadata review/stripping before external sharing",
        "medium": "∙ Metadata scrubbing tools\n∙ Policy for metadata controls on shared files",
        "large": "∙ Enterprise metadata management tools\n∙ Automated metadata stripping for external sharing",
        "enterprise": "∙ Enterprise metadata management and DLP platform\n∙ Automated metadata classification and stripping\n∙ DLP integration"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-csa-iot-2": [
          "DAT-01",
          "GVN-06"
        ],
        "general-nist-800-53-r4": [
          "AC-4(6)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(06)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(06)"
        ],
        "general-nist-800-161-r1": [
          "AC-4(6)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-4(6)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-4(6)"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ]
      }
    },
    {
      "control_id": "NET-04.6",
      "title": "Human Reviews",
      "family": "NET",
      "description": "Mechanisms exist to enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis.",
      "scf_question": "Does the organization enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Human review of flagged data transfers",
        "small": "∙ Policy requiring human review of sensitive data transfers",
        "medium": "∙ Human review process for cross-boundary data transfers\n∙ DLP alert review procedures",
        "large": "∙ DLP alert triage workflow with human review\n∙ Dedicated review team",
        "enterprise": "∙ Enterprise DLP with human review workflow (SOC integration)\n∙ SOAR-assisted triage\n∙ 24/7 human review for critical transfers"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "TS-2.4"
        ],
        "general-nist-800-53-r4": [
          "AC-4(9)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(09)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(09)"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.7"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.7"
        ],
        "emea-deu-c5-2020": [
          "COS-03"
        ],
        "emea-isr-cmo-1-0": [
          "9.24"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-6",
          "2-4-1-2"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.5"
        ]
      }
    },
    {
      "control_id": "NET-04.7",
      "title": "Policy Decision Point (PDP)",
      "family": "NET",
      "description": "Automated mechanisms exist to evaluate access requests against established criteria to dynamically and uniformly enforce access rights and permissions.",
      "scf_question": "Does the organization evaluate access requests against established criteria to dynamically and uniformly enforce access rights and permissions?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically evaluate access requests against established criteria to dynamically and uniformly enforce access rights and permissions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Document policy decision points for network access control",
        "large": "∙ Policy Decision Point (PDP) implemented in firewall/NAC\n∙ Access policy centralization",
        "enterprise": "∙ Enterprise PDP implementation (e.g., XACML, Zero Trust policy engine)\n∙ Centralized access policy management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "AC-04(08)"
        ],
        "general-govramp-high": [
          "AC-04(08)"
        ],
        "general-nist-800-53-r4": [
          "AC-4(8)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(08)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(08)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-04(08)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ],
        "general-pci-dss-4-0-1": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.3.3"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.4.2",
          "5.1.2",
          "5.2",
          "5.2.2",
          "6.1"
        ]
      }
    },
    {
      "control_id": "NET-04.8",
      "title": "Data Type Identifiers",
      "family": "NET",
      "description": "Automated mechanisms exist to utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains.",
      "scf_question": "Does the organization use automated mechanisms to utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use file extension controls to restrict unauthorized data types",
        "small": "∙ File type controls at email and web gateways",
        "medium": "∙ Data type identifier policy\n∙ Content inspection with data type identification",
        "large": "∙ Enterprise DLP with data type identification capabilities",
        "enterprise": "∙ Enterprise DLP with advanced data type identification (e.g., Symantec DLP, Forcepoint)\n∙ Pattern-based detection"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-4(12)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(12)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(12)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-04(12)"
        ]
      }
    },
    {
      "control_id": "NET-04.9",
      "title": "Decomposition Into Policy-Related Subcomponents",
      "family": "NET",
      "description": "Automated mechanisms exist to decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains.",
      "scf_question": "Does the organization use automated mechanisms to decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Documented policy decomposition approach for network access",
        "large": "∙ Formal policy decomposition methodology\n∙ Modular policy design",
        "enterprise": "∙ Enterprise policy framework with decomposed network access policies\n∙ Automated policy engine"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-4(13)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(13)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(13)"
        ]
      }
    },
    {
      "control_id": "NET-04.10",
      "title": "Detection of Unsanctioned Information",
      "family": "NET",
      "description": "Automated mechanisms exist to implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains.",
      "scf_question": "Does the organization use automated mechanisms to implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "small": "∙ DLP rules for detecting unsanctioned data in transfers",
        "medium": "∙ DLP solution with content inspection for unsanctioned information detection",
        "large": "∙ Enterprise DLP with keyword and pattern matching for unsanctioned info",
        "enterprise": "∙ Enterprise DLP platform (e.g., Microsoft Purview, Forcepoint)\n∙ ML-based unsanctioned information detection"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-4(15)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(15)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(15)"
        ]
      }
    },
    {
      "control_id": "NET-04.11",
      "title": "Approved Solutions",
      "family": "NET",
      "description": "Automated mechanisms exist to examine information for the presence of unsanctioned information and prohibit the transfer of such information, when transferring information between different security domains.",
      "scf_question": "Does the organization use automated mechanisms to examine information for the presence of unsanctioned information and prohibit the transfer of such information, when transferring information between different security domains?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically examine information for the presence of unsanctioned information and prohibit the transfer of such information, when transferring information between different security domains.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use only approved tools for network data transfer",
        "small": "∙ Approved network transfer tools list\n∙ Policy prohibiting unapproved transfer methods",
        "medium": "∙ Approved solutions list for cross-domain data transfer\n∙ Policy enforcement at gateway",
        "large": "∙ Formal approved solutions program\n∙ Gateway enforcement of approved transfer tools only",
        "enterprise": "∙ Enterprise approved solutions program with technical enforcement\n∙ CASB for cloud transfer control"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "AC-4(20)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(20)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(20)"
        ],
        "apac-ind-sebi-2024": [
          "ID.AM.S3"
        ]
      }
    },
    {
      "control_id": "NET-04.12",
      "title": "Cross Domain Authentication",
      "family": "NET",
      "description": "Automated mechanisms exist to uniquely identify and authenticate source and destination points for information transfer.",
      "scf_question": "Does the organization use automated mechanisms to uniquely identify and authenticate source and destination points for information transfer?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically uniquely identify and authenticate source and destination points for information transfer.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Cross-domain authentication policy and procedure",
        "large": "∙ Federated identity for cross-domain authentication\n∙ Formal cross-domain auth standards",
        "enterprise": "∙ Enterprise federated identity management (e.g., Okta, Ping Identity)\n∙ Cross-domain authentication standards"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-04(17)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(17)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-04(17)"
        ],
        "general-nist-800-161-r1": [
          "AC-4(17)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-4(17)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-4(17)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4"
        ]
      }
    },
    {
      "control_id": "NET-04.13",
      "title": "Metadata Validation",
      "family": "NET",
      "description": "Automated mechanisms exist to apply cybersecurity and/or data protection filters on metadata.",
      "scf_question": "Does the organization use automated mechanisms to apply cybersecurity and/or data protection filters on metadata?",
      "relative_weight": 2,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically apply cybersecurity and/or data protection filters on metadata.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Validate metadata integrity for cross-domain transfers",
        "large": "∙ Metadata validation controls for cross-domain data movement",
        "enterprise": "∙ Enterprise metadata validation framework\n∙ Automated metadata integrity checking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "AC-04(19)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(19)"
        ],
        "general-nist-800-161-r1": [
          "AC-4(19)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-4(19)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-4(19)"
        ]
      }
    },
    {
      "control_id": "NET-04.14",
      "title": "Application Proxy",
      "family": "NET",
      "description": "Mechanisms exist to terminate, inspect, control and reinitiate application traffic, regardless of the user’s location or the security posture of the surrounding network.",
      "scf_question": "Does the organization maintain visibility and control over application traffic, regardless of the user’s location or the security posture of the surrounding network?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to terminate, inspect, control and reinitiate application traffic, regardless of the user’s location or the security posture of the surrounding network.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "small": "∙ Web proxy for internet-bound traffic",
        "medium": "∙ Application proxy for internet-bound traffic (e.g., Squid)\n∙ Proxy policy",
        "large": "∙ Enterprise proxy solution (e.g., Symantec ProxySG, Zscaler)\n∙ Application-level inspection",
        "enterprise": "∙ Enterprise Secure Web Gateway (SWG) (e.g., Zscaler, Netskope)\n∙ Application proxy with TLS inspection"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {}
    },
    {
      "control_id": "NET-05",
      "title": "Interconnection Security Agreements (ISAs)",
      "family": "NET",
      "description": "Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs), or similar methods, that document, for each interconnection:\n(1) Interface characteristics;\n(2) Security, compliance and resilience requirements; and;\n(3) The nature of the information communicated.",
      "scf_question": "Does the organization authorize connections from systems to other systems using Interconnection Security Agreements (ISAs), or similar methods, that document, for each interconnection:\n(1) Interface characteristics;\n(2) Security, compliance and resilience requirements; and;\n(3) The nature of the information communicated?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs), or similar methods, that document, for each interconnection:\n(1) Interface characteristics;\n(2) Security, compliance and resilience requirements; and;\n(3) The nature of the information communicated.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Interconnection Security Agreement (ISA)\n∙ Information Exchange Security Agreements (IESA)\n∙ Memoranda of Understanding (MOU) / Agreement (MOA)",
        "small": "∙ Interconnection Security Agreement (ISA)\n∙ Information Exchange Security Agreements (IESA)\n∙ Memoranda of Understanding (MOU) / Agreement (MOA)",
        "medium": "∙ Interconnection Security Agreement (ISA)\n∙ Information Exchange Security Agreements (IESA)\n∙ Memoranda of Understanding (MOU) / Agreement (MOA)",
        "large": "∙ Interconnection Security Agreement (ISA)\n∙ Information Exchange Security Agreements (IESA)\n∙ Memoranda of Understanding (MOU) / Agreement (MOA)",
        "enterprise": "∙ Interconnection Security Agreement (ISA)\n∙ Information Exchange Security Agreements (IESA)\n∙ Memoranda of Understanding (MOU) / Agreement (MOA)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "CA-03"
        ],
        "general-govramp-low": [
          "CA-03"
        ],
        "general-govramp-low-plus": [
          "CA-03"
        ],
        "general-govramp-mod": [
          "CA-03"
        ],
        "general-govramp-high": [
          "CA-03"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.2"
        ],
        "general-mitre-att&ck-16-1": [
          "T1020.001",
          "T1041",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1078",
          "T1567"
        ],
        "general-nist-800-53-r4": [
          "CA-3",
          "CA-3(1)",
          "CA-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-03",
          "SC-07(25)",
          "SC-07(26)"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-03"
        ],
        "general-nist-800-82-r3": [
          "CA-03",
          "SC-07(25)",
          "SC-07(26)"
        ],
        "general-nist-800-82-r3-low": [
          "CA-03"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-03"
        ],
        "general-nist-800-82-r3-high": [
          "CA-03"
        ],
        "general-nist-800-161-r1": [
          "CA-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CA-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "CA-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-3"
        ],
        "general-nist-800-171-r2": [
          "NFO - CA-3"
        ],
        "general-nist-800-171-r3": [
          "03.01.03",
          "03.01.20.c.02",
          "03.12.05.a",
          "03.12.05.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.03[02]",
          "A.03.12.05.ODP[01]",
          "A.03.12.05.ODP[02]",
          "A.03.12.05.a[01]",
          "A.03.12.05.a[02]",
          "A.03.12.05.b[01]",
          "A.03.12.05.b[02]",
          "A.03.12.05.b[03]",
          "A.03.12.05.c[01]",
          "A.03.12.05.c[02]"
        ],
        "general-swift-cscf-2025": [
          "2.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-03"
        ],
        "usa-federal-irs-1075-2021": [
          "2.E.4.1",
          "CA-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-3",
          "CA-3.a",
          "CA-3.b",
          "CA-3.c",
          "CA-3.d",
          "CA-3-IS.1",
          "CA-3-IS.2",
          "CA-3-IS.3"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B.1.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-03",
          "CA-03-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-03"
        ],
        "emea-deu-c5-2020": [
          "COS-03"
        ],
        "emea-isr-cmo-1-0": [
          "16.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03",
          "03.01.20.C.02",
          "03.12.05.A",
          "03.12.05.B"
        ]
      }
    },
    {
      "control_id": "NET-05.1",
      "title": "External System Connections",
      "family": "NET",
      "description": "Mechanisms exist to prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device.",
      "scf_question": "Does the organization prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-06",
        "E-NET-09"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document authorized external system connections",
        "small": "∙ External connection inventory\n∙ Connection approval policy",
        "medium": "∙ Formal external system connection management process\n∙ Connection authorization records",
        "large": "∙ External connection governance program\n∙ Automated connection inventory",
        "enterprise": "∙ Enterprise external connection governance platform\n∙ Automated discovery and authorization of external connections"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-2.2-002"
        ],
        "general-nist-800-53-r4": [
          "CA-3(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(27)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(27)"
        ],
        "general-pci-dss-4-0-1": [
          "1.4.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.4"
        ],
        "general-shared-assessments-sig-2025": [
          "N.3.1"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-3(5)"
        ],
        "emea-isr-cmo-1-0": [
          "9.11",
          "12.8",
          "16.4"
        ],
        "emea-sau-ecc-1-2018": [
          "5-1-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-13"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-36"
        ],
        "apac-nzl-ism-3-9": [
          "14.1.13.C.01",
          "14.1.13.C.02",
          "14.1.13.C.03"
        ]
      }
    },
    {
      "control_id": "NET-05.2",
      "title": "Internal System Connections",
      "family": "NET",
      "description": "Mechanisms exist to control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated.",
      "scf_question": "Does the organization control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document authorized internal system connections",
        "small": "∙ Internal network connection documentation\n∙ Connection authorization process",
        "medium": "∙ Formal internal connection management policy\n∙ Network topology documentation",
        "large": "∙ Enterprise CMDB with internal connection mapping\n∙ Automated network topology discovery",
        "enterprise": "∙ Enterprise CMDB (e.g., ServiceNow)\n∙ Automated network discovery (e.g., Nmap, SolarWinds)\n∙ Connection governance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "CA-09"
        ],
        "general-govramp-low": [
          "CA-09"
        ],
        "general-govramp-low-plus": [
          "CA-09"
        ],
        "general-govramp-mod": [
          "CA-09"
        ],
        "general-govramp-high": [
          "CA-09"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.6",
          "NET 2.1(b)"
        ],
        "general-nist-800-53-r4": [
          "CA-9"
        ],
        "general-nist-800-53-r5-2": [
          "CA-09"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-09"
        ],
        "general-nist-800-82-r3": [
          "CA-09"
        ],
        "general-nist-800-82-r3-low": [
          "CA-09"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-09"
        ],
        "general-nist-800-82-r3-high": [
          "CA-09"
        ],
        "general-nist-800-171-r2": [
          "NFO - CA-9"
        ],
        "general-nist-800-171-r3": [
          "03.01.03",
          "03.12.05.a",
          "03.12.05.b",
          "03.12.05.c"
        ],
        "general-shared-assessments-sig-2025": [
          "G.3"
        ],
        "general-swift-cscf-2025": [
          "2.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-09"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-9"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-9",
          "CA-9.a",
          "CA-9.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-09"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-09"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-09"
        ],
        "emea-sau-ecc-1-2018": [
          "5-1-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-13"
        ],
        "apac-jpn-ismap": [
          "13.1.1.10"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.03",
          "03.12.05.A",
          "03.12.05.B",
          "03.12.05.C"
        ]
      }
    },
    {
      "control_id": "NET-06",
      "title": "Network Segmentation (macrosegementation)",
      "family": "NET",
      "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
      "scf_question": "Does the organization ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ Network segmentation exists to implement separate network addresses (e.g., different subnets) to connect TAASD in different security domains (e.g., sensitive/regulated data environments).\n▪ IT and/or cybersecurity architects maintain a segmented development network to ensure a secure development environment.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Subnetting\n∙ Virtual Local Area Network (VLAN)",
        "small": "∙ Subnetting\n∙ Virtual Local Area Network (VLAN)",
        "medium": "∙ Subnetting\n∙ Virtual Local Area Network (VLAN)",
        "large": "∙ Subnetting\n∙ Virtual Local Area Network (VLAN)",
        "enterprise": "∙ Subnetting\n∙ Virtual Local Area Network (VLAN)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-csa-cmm-4-1-0": [
          "I&S-06"
        ],
        "general-csa-iot-2": [
          "SAP-01"
        ],
        "general-govramp": [
          "AC-04(21)"
        ],
        "general-govramp-mod": [
          "AC-04(21)"
        ],
        "general-govramp-high": [
          "AC-04(21)"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "5.2 - CR 5.1"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.1",
          "NET 1.3",
          "NET 2.2"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 5.1",
          "SR 5.1 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 5.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.3"
        ],
        "general-iso-27002-2022": [
          "8.2",
          "8.22"
        ],
        "general-iso-27017-2015": [
          "13.1.1",
          "13.1.3"
        ],
        "general-iso-27018-2025": [
          "8.20",
          "8.22"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.8",
          "TS-2.11",
          "TS-8.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P5"
        ],
        "general-nist-800-53-r4": [
          "AC-4(21)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(21)"
        ],
        "general-nist-800-82-r3": [
          "AC-04(21)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-04(21)"
        ],
        "general-nist-800-161-r1": [
          "AC-4(21)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-4(21)"
        ],
        "general-nist-800-171-r2": [
          "3.13.5"
        ],
        "general-nist-800-171-r3": [
          "03.13.01.b"
        ],
        "general-nist-800-171a": [
          "3.13.5[a]",
          "3.13.5[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.01.b"
        ],
        "general-nist-800-172": [
          "3.14.3e"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.1",
          "1.2.3",
          "1.2.4",
          "1.2.5",
          "1.2.6",
          "1.2.7",
          "1.2.8",
          "1.3",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.4.5",
          "11.4.6",
          "12.5.2",
          "A1.1.4",
          "A3.2.1",
          "A3.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.1",
          "1.2.3",
          "1.2.4",
          "1.2.5",
          "1.2.6",
          "1.2.7",
          "1.2.8",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.3",
          "1.2.5",
          "1.2.6",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.1",
          "1.3.2",
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.1",
          "1.2.3",
          "1.2.4",
          "1.2.5",
          "1.2.6",
          "1.2.7",
          "1.2.8",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.4.5",
          "12.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.1",
          "1.2.3",
          "1.2.4",
          "1.2.5",
          "1.2.6",
          "1.2.7",
          "1.2.8",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.4.5",
          "11.4.6",
          "12.5.2",
          "A1.1.4"
        ],
        "general-sparta": [
          "CM0038"
        ],
        "general-swift-cscf-2025": [
          "1.1",
          "1.4",
          "1.5"
        ],
        "general-tisax-6-0-3": [
          "5.2.7"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.NE.NSEGM"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.F"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2b",
          "ARCHITECTURE-2d",
          "ARCHITECTURE-2h"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SC.L1-B.1.XI"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "SC.L1-B.1.XI[a]",
          "SC.L1-B.1.XI[b]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.5"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SI.L3-3.14.3E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "5.2.3",
          "5.3",
          "5.3.2"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "3.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(xi)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-04(21)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-04(21)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)",
          "7123(c)(10)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.4(36)(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.8.1",
          "6.8.2(a)",
          "6.8.2(b)",
          "6.8.2(c)",
          "6.8.2(d)",
          "6.8.2(e)",
          "6.8.2(f)",
          "6.8.2(g)",
          "6.8.2(h)"
        ],
        "emea-deu-c5-2020": [
          "COS-06"
        ],
        "emea-isr-cmo-1-0": [
          "9.2",
          "9.18",
          "9.19",
          "10.8",
          "12.4",
          "12.5",
          "12.11"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-4",
          "2-4-1-1"
        ],
        "emea-sau-cgiot-2024": [
          "2-4-4"
        ],
        "emea-sau-ecc-1-2018": [
          "5-1-3-1",
          "5-1-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-1",
          "2-4-1-2",
          "2-4-1-3",
          "2-4-1-5",
          "2-4-1-10"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-38",
          "TPC-40"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.4.4 [MP.COM.4]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2508"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2508"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2508"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2508"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1181",
          "ISM-1269",
          "ISM-1270",
          "ISM-1271",
          "ISM-1577",
          "ISM-1750"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S2"
        ],
        "apac-jpn-ismap": [
          "13.1.3",
          "13.1.3.1",
          "13.1.3.2",
          "13.1.3.3",
          "13.1.3.4",
          "13.1.3.5",
          "13.1.3.6",
          "13.1.3.7",
          "13.1.3.8",
          "13.1.3.9",
          "13.1.3.10.P",
          "13.1.3.11.P",
          "13.1.3.12.P",
          "13.1.4.P"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP55",
          "HML55"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP47"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.6"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.01.B"
        ]
      }
    },
    {
      "control_id": "NET-06.1",
      "title": "Security Management Subnets",
      "family": "NET",
      "description": "Mechanisms exist to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system.",
      "scf_question": "Does the organization implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privilege and least functionality for boundary protection technologies.\n▪ Service processing and storage locations include a managed security zone that houses cybersecurity and data protection tools, separated from other internal system components.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Separate management network or VLAN for security management",
        "large": "∙ Dedicated security management subnet\n∙ Out-of-band management access controls",
        "enterprise": "∙ Enterprise out-of-band management network\n∙ Dedicated jump servers\n∙ Privileged access workstations (PAW)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1"
        ],
        "general-csa-iot-2": [
          "SAP-01"
        ],
        "general-govramp": [
          "SC-07(13)"
        ],
        "general-govramp-low-plus": [
          "SC-07(13)"
        ],
        "general-govramp-mod": [
          "SC-07(13)"
        ],
        "general-govramp-high": [
          "SC-07(13)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 5.1 RE 2"
        ],
        "general-iso-27002-2022": [
          "8.22"
        ],
        "general-iso-27017-2015": [
          "13.1.3"
        ],
        "general-iso-27018-2025": [
          "8.22"
        ],
        "general-nist-800-53-r4": [
          "SC-7(13)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(13)",
          "SC-07(29)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(29)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(13)",
          "SC-07(29)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(13)",
          "SC-07(29)"
        ],
        "general-nist-800-161-r1": [
          "SC-7(13)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SC-7(13)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-7(13)"
        ],
        "general-swift-cscf-2025": [
          "1.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(29)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(29)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(29)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(29)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-7(13)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)",
          "7123(c)(10)"
        ],
        "emea-deu-c5-2020": [
          "COS-04"
        ],
        "emea-isr-cmo-1-0": [
          "9.2",
          "12.4",
          "12.5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1385",
          "ISM-1750"
        ],
        "apac-jpn-ismap": [
          "13.1.4.P"
        ]
      }
    },
    {
      "control_id": "NET-06.2",
      "title": "Virtual Local Area Network (VLAN) Separation",
      "family": "NET",
      "description": "Mechanisms exist to enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems.",
      "scf_question": "Does the organization enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privilege and least functionality for boundary protection technologies.\n▪ IT and/or cybersecurity personnel enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Virtual Local Area Network (VLAN)",
        "small": "∙ Virtual Local Area Network (VLAN)",
        "medium": "∙ Virtual Local Area Network (VLAN)",
        "large": "∙ Virtual Local Area Network (VLAN)",
        "enterprise": "∙ Virtual Local Area Network (VLAN)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "apac-aus-ism-2024-june": [
          "ISM-0529",
          "ISM-0530",
          "ISM-0535",
          "ISM-1364",
          "ISM-1532"
        ],
        "apac-jpn-ismap": [
          "13.1.4.P"
        ],
        "apac-nzl-ism-3-9": [
          "22.3.9.C.01",
          "22.3.9.C.02",
          "22.3.9.C.03",
          "22.3.9.C.04",
          "22.3.10.C.01",
          "22.3.11.C.01",
          "22.3.11.C.02"
        ]
      }
    },
    {
      "control_id": "NET-06.3",
      "title": "Sensitive / Regulated Data Enclave (Secure Zone)",
      "family": "NET",
      "description": "Mechanisms exist to implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones).",
      "scf_question": "Does the organization implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Dedicated network segment for sensitive/regulated data systems",
        "large": "∙ Secure enclave/zone for sensitive data\n∙ Enhanced controls within the zone",
        "enterprise": "∙ Enterprise secure data enclave with enhanced controls\n∙ Data loss prevention at enclave boundary\n∙ Microsegmentation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "NET 1.5"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 5.1 RE 3",
          "SR 5.2 RE 2"
        ],
        "general-nist-800-171-r3": [
          "03.13.01.b"
        ],
        "general-swift-cscf-2025": [
          "1.1",
          "1.4",
          "1.5",
          "2.6"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B.1.c"
        ],
        "emea-sau-cscc-1-2019": [
          "2-4-1-6",
          "2-4-1-7"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-38",
          "TPC-40"
        ],
        "apac-jpn-ismap": [
          "13.1.4.P"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS15"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.01.B"
        ]
      }
    },
    {
      "control_id": "NET-06.4",
      "title": "Segregation From Enterprise Services",
      "family": "NET",
      "description": "Mechanisms exist to isolate sensitive/regulated data enclaves (secure zones) from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments.",
      "scf_question": "Does the organization isolate sensitive/regulated data enclaves (secure zones) from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to isolate sensitive/regulated data enclaves (secure zones) from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Segregate sensitive systems from general enterprise network services",
        "large": "∙ Network isolation for sensitive systems from enterprise services\n∙ Controlled access points",
        "enterprise": "∙ Enterprise network segmentation with isolated sensitive-system zones\n∙ Zero-trust access to sensitive zones"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-csa-iot-2": [
          "CCM-06",
          "SAP-01"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.0"
        ],
        "general-nist-800-172": [
          "3.14.3e"
        ],
        "general-swift-cscf-2025": [
          "1.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2i",
          "ARCHITECTURE-2j"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SI.L3-3.14.3E"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-1",
          "2-4-1-3",
          "2-4-1-9",
          "2-4-1-10",
          "2-4-1-11",
          "2-4-1-12",
          "2-4-1-13"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1385"
        ]
      }
    },
    {
      "control_id": "NET-06.5",
      "title": "Direct Internet Access Restrictions",
      "family": "NET",
      "description": "Mechanisms exist to prohibit, or strictly-control, Internet access from sensitive/regulated data enclaves (secure zones).",
      "scf_question": "Does the organization prohibit, or strictly-control, Internet access from sensitive/regulated data enclaves (secure zones)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to prohibit, or strictly-control, Internet access from sensitive/regulated data enclaves (secure zones).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Access Control Lists (ACLs)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "TS-2.8"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(28)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(28)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-07(28)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-07(28)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07(28)"
        ],
        "general-swift-cscf-2025": [
          "1.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.X"
        ],
        "emea-sau-cscc-1-2019": [
          "2-4-1-3",
          "2-4-1-6"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-13",
          "2-4-1-7"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-41"
        ]
      }
    },
    {
      "control_id": "NET-06.6",
      "title": "Microsegmentation",
      "family": "NET",
      "description": "Automated mechanisms exist to enable microsegmentation, either physically or virtually, to divide the network according to application and data workflows communications needs.",
      "scf_question": "Does the organization use automated mechanisms to enable microsegmentation, either physically or virtually, to divide the network according to application and data workflows communications needs?",
      "relative_weight": 2,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically enable microsegmentation, either physically or virtually, to divide the network according to application and data workflows communications needs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Plan for microsegmentation as network matures",
        "large": "∙ Microsegmentation for high-risk workloads (e.g., VMware NSX)\n∙ Segmentation policy",
        "enterprise": "∙ Enterprise microsegmentation platform (e.g., Illumio, VMware NSX)\n∙ Application-level micro-perimeters\n∙ Zero-trust workload access"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.NE.MICRO"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.4.7",
          "5.3.1",
          "5.4",
          "5.4.1",
          "5.4.2",
          "5.4.3"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "3.2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1269",
          "ISM-1270",
          "ISM-1271"
        ]
      }
    },
    {
      "control_id": "NET-06.7",
      "title": "Software Defined Networking (SDN)",
      "family": "NET",
      "description": "Automated mechanisms exist to enable dynamic, policy-driven network segmentation, access controls and traffic management with a Software Defined Networking (SDN) architecture.",
      "scf_question": "Does the organization enable dynamic, policy-driven network segmentation, access controls and traffic management?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically enable dynamic, policy-driven network segmentation, access controls and traffic management with a Software Defined Networking (SDN) architecture.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "large": "∙ Software-defined networking (SDN) evaluation and planning",
        "enterprise": "∙ Enterprise SDN platform (e.g., Cisco ACI, VMware NSX)\n∙ Centralized network policy management\n∙ Automated network provisioning"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.4.7",
          "5.2.1",
          "5.2.2",
          "5.4.2"
        ]
      }
    },
    {
      "control_id": "NET-07",
      "title": "Network Connection Termination",
      "family": "NET",
      "description": "Mechanisms exist to terminate network connections at the end of a session or after an organization-defined time period of inactivity.",
      "scf_question": "Does the organization terminate network connections at the end of a session or after an organization-defined time period of inactivity?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ SBC enforce network connection terminations at the end of a session or after an entity-defined time period of inactivity.\n▪ SBC terminate remote sessions at the end of the session or after an entity-defined time period of inactivity.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to terminate network connections at the end of a session or after an organization-defined time period of inactivity.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configure session timeouts on systems and applications",
        "small": "∙ Session timeout policy\n∙ Configure timeouts on all key systems",
        "medium": "∙ Formal network session termination policy\n∙ Automated session timeout enforcement",
        "large": "∙ Enterprise session management controls\n∙ Automated disconnect for idle sessions\n∙ Network access control enforcement",
        "enterprise": "∙ Enterprise session management platform\n∙ Automated session termination via NAC/IAM\n∙ Zero-trust continuous session validation"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "SC-10"
        ],
        "general-govramp-low-plus": [
          "SC-10"
        ],
        "general-govramp-mod": [
          "SC-10"
        ],
        "general-govramp-high": [
          "SC-10"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 3.3"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.6"
        ],
        "general-mitre-att&ck-16-1": [
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004"
        ],
        "general-nist-800-53-r4": [
          "SC-10"
        ],
        "general-nist-800-53-r5-2": [
          "SC-10"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-10"
        ],
        "general-nist-800-82-r3": [
          "SC-10"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-10"
        ],
        "general-nist-800-171-r2": [
          "3.13.9"
        ],
        "general-nist-800-171-r3": [
          "03.13.09"
        ],
        "general-nist-800-171a": [
          "3.13.9[a]",
          "3.13.9[b]",
          "3.13.9[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.07.05.c[02]",
          "A.03.13.09.ODP[01]",
          "A.03.13.09"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.8"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.8"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-10"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.9"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-10"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-10",
          "SC-10.a",
          "SC-10.b"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-10"
        ],
        "emea-isr-cmo-1-0": [
          "4.16",
          "9.4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2303",
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2303",
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2303",
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2303",
          "2411"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.09"
        ]
      }
    },
    {
      "control_id": "NET-08",
      "title": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
      "family": "NET",
      "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
      "scf_question": "Does the organization employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Network Intrusion Detection System (NIDS)\n∙ Network Intrusion Prevention Systems (NIPS)",
        "small": "∙ Network Intrusion Detection System (NIDS)\n∙ Network Intrusion Prevention Systems (NIPS)",
        "medium": "∙ Network Intrusion Detection System (NIDS)\n∙ Network Intrusion Prevention Systems (NIPS)",
        "large": "∙ Network Intrusion Detection System (NIDS)\n∙ Network Intrusion Prevention Systems (NIPS)",
        "enterprise": "∙ Network Intrusion Detection System (NIDS)\n∙ Network Intrusion Prevention Systems (NIPS)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.8"
        ],
        "general-cis-csc-8-1": [
          "9.6",
          "13.3",
          "13.8"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.6",
          "13.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.6",
          "13.3",
          "13.8"
        ],
        "general-iso-27002-2022": [
          "8.21"
        ],
        "general-iso-27017-2015": [
          "13.1.2"
        ],
        "general-iso-27018-2025": [
          "8.21"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.7"
        ],
        "general-nist-800-171-r2": [
          "3.14.6"
        ],
        "general-nist-800-171-r3": [
          "03.13.01.a",
          "03.14.06.c"
        ],
        "general-pci-dss-4-0-1": [
          "1.4.3",
          "11.5",
          "11.5.1",
          "11.5.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.3",
          "11.5.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.3",
          "11.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.3",
          "11.5.1",
          "11.5.1.1"
        ],
        "general-shared-assessments-sig-2025": [
          "N.7"
        ],
        "general-sparta": [
          "CM0073"
        ],
        "general-swift-cscf-2025": [
          "6.5A"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.E3AEP",
          "3.PEP.IN.NDRES"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.6"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 1.5"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(8)(A)"
        ],
        "emea-eu-dora-2023": [
          "Article 10.2"
        ],
        "emea-isr-cmo-1-0": [
          "7.4",
          "7.6",
          "12.18",
          "23.6"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-77"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.6.1 [OP.MON.1]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2411"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1028",
          "ISM-1030",
          "ISM-1627",
          "ISM-1628"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.2.3",
          "11.2.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.01.A",
          "03.14.06.C"
        ]
      }
    },
    {
      "control_id": "NET-08.1",
      "title": "DMZ Networks",
      "family": "NET",
      "description": "Mechanisms exist to monitor De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks.",
      "scf_question": "Does the organization monitor De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Administrative processes are used to configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception). \n▪ Internet-facing technologies are governed no differently from internal network assets.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to monitor De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ System Security Plan (SSP)",
        "small": "∙ System Security Plan (SSP)",
        "medium": "∙ Architectural review board\n∙ System Security Plan (SSP)",
        "large": "∙ Architectural review board\n∙ System Security Plan (SSP)",
        "enterprise": "∙ Architectural review board\n∙ System Security Plan (SSP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.13"
        ],
        "general-iso-27002-2022": [
          "8.2"
        ],
        "general-iso-27017-2015": [
          "13.1.1"
        ],
        "general-iso-27018-2025": [
          "8.20"
        ],
        "general-nist-800-171-r3": [
          "03.13.01.b"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.1",
          "1.2.3",
          "1.2.4",
          "1.2.5",
          "1.2.6",
          "1.2.7",
          "1.2.8",
          "1.3",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4",
          "1.4.1",
          "1.4.2",
          "11.4.5",
          "11.4.6",
          "12.5.2",
          "A1.1.4",
          "A3.2.1",
          "A3.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.1",
          "1.2.3",
          "1.2.4",
          "1.2.5",
          "1.2.6",
          "1.2.7",
          "1.2.8",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.3",
          "1.2.5",
          "1.2.6",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.1",
          "1.3.2",
          "1.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.1",
          "1.2.3",
          "1.2.4",
          "1.2.5",
          "1.2.6",
          "1.2.7",
          "1.2.8",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.4.5",
          "12.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.1",
          "1.2.3",
          "1.2.4",
          "1.2.5",
          "1.2.6",
          "1.2.7",
          "1.2.8",
          "1.3.1",
          "1.3.2",
          "1.3.3",
          "1.4.1",
          "1.4.2",
          "11.4.5",
          "11.4.6",
          "12.5.2",
          "A1.1.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.8.2(d)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-41"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0637"
        ],
        "apac-nzl-ism-3-9": [
          "19.1.14.C.01",
          "19.1.14.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.01.B"
        ]
      }
    },
    {
      "control_id": "NET-08.2",
      "title": "Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS) Deployment",
      "family": "NET",
      "description": "Mechanisms exist to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) on wireless network segments.",
      "scf_question": "Does the organization utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) on wireless network segments?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ IT and/or cybersecurity personnel receive feeds from Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) on wireless network segments.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Network Security (NET) capabilities are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Wireless Intrusion Detection System (WIDS)\n∙ Wireless Intrusion Prevention System (WIPS)",
        "small": "∙ Wireless Intrusion Detection System (WIDS)\n∙ Wireless Intrusion Prevention System (WIPS)",
        "medium": "∙ Wireless Intrusion Detection System (WIDS)\n∙ Wireless Intrusion Prevention System (WIPS)",
        "large": "∙ Wireless Intrusion Detection System (WIDS)\n∙ Wireless Intrusion Prevention System (WIPS)",
        "enterprise": "∙ Wireless Intrusion Detection System (WIDS)\n∙ Wireless Intrusion Prevention System (WIPS)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.2"
        ],
        "general-csa-iot-2": [
          "MON-08"
        ],
        "general-nist-800-53-r4": [
          "SI-4(14)",
          "SI-4(15)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-04(15)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(15)"
        ],
        "general-pci-dss-4-0-1": [
          "1.4.3",
          "11.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.3"
        ],
        "general-shared-assessments-sig-2025": [
          "N.7"
        ],
        "emea-isr-cmo-1-0": [
          "4.24",
          "12.18",
          "23.6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-77"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.6.1 [OP.MON.1]"
        ],
        "apac-nzl-ism-3-9": [
          "21.4.12.C.01",
          "21.4.12.C.02",
          "21.4.12.C.03"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ]
      }
    },
    {
      "control_id": "NET-08.3",
      "title": "Host Containment",
      "family": "NET",
      "description": "Automated mechanisms exist to enforce host containment protections that revoke or quarantine a host’s access to the network.",
      "scf_question": "Does the organization use automated mechanisms to enforce host containment protections that revoke or quarantine a host’s access to the network?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically enforce host containment protections that revoke or quarantine a host’s access to the network.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Isolate suspected compromised systems from the network immediately",
        "small": "∙ Host isolation procedure for incident response\n∙ Documented steps to isolate compromised hosts",
        "medium": "∙ Formal host containment policy and procedure\n∙ EDR-based isolation capability",
        "large": "∙ EDR with automated host isolation (e.g., CrowdStrike, SentinelOne)\n∙ IR playbook for containment",
        "enterprise": "∙ Enterprise EDR/XDR with automated host containment\n∙ SOAR-orchestrated isolation workflows"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "1.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "1.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "1.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "1.2"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4",
          "NIST Tenet 5"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.NE.HCONT"
        ]
      }
    },
    {
      "control_id": "NET-08.4",
      "title": "Resource Containment",
      "family": "NET",
      "description": "Automated mechanisms exist to enforce resource containment protections that remove or quarantine a resource’s access to other resources.",
      "scf_question": "Does the organization use automated mechanisms to enforce resource containment protections that remove or quarantine a resource’s access to other resources?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically enforce resource containment protections that remove or quarantine a resource’s access to other resources.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Isolate affected resources during security incidents",
        "small": "∙ Resource isolation procedure for incidents\n∙ Shutdown/isolate procedures",
        "medium": "∙ Formal resource containment policy\n∙ Network-level isolation procedures",
        "large": "∙ Network-level resource containment capabilities\n∙ Automated quarantine via NAC",
        "enterprise": "∙ Enterprise SOAR with automated resource containment\n∙ Network quarantine via NAC/SDN\n∙ Automated threat response playbooks"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-207": [
          "NIST Tenet 4",
          "NIST Tenet 5"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.NE.RCONT"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1778",
          "ISM-1779"
        ]
      }
    },
    {
      "control_id": "NET-09",
      "title": "Session Integrity",
      "family": "NET",
      "description": "Mechanisms exist to protect the authenticity and integrity of communications sessions.",
      "scf_question": "Does the organization protect the authenticity and integrity of communications sessions?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to protect the authenticity and integrity of communications sessions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use HTTPS and ensure session cookies are secured",
        "small": "∙ Session management policy\n∙ Enforce HTTPS\n∙ Secure cookie attributes",
        "medium": "∙ Formal session integrity controls\n∙ HTTPS enforcement\n∙ Session token management standards",
        "large": "∙ Web application session integrity controls\n∙ WAF session protection\n∙ Secure cookie policy enforcement",
        "enterprise": "∙ Enterprise WAF (e.g., Imperva, Cloudflare)\n∙ Application-level session integrity\n∙ Token binding\n∙ Zero-trust session validation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "SC-23"
        ],
        "general-govramp-mod": [
          "SC-23"
        ],
        "general-govramp-high": [
          "SC-23"
        ],
        "general-iec-62443-2-1-2024": [
          "USER 1.16"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.8"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.8",
          "CR 3.8(a)",
          "CR 3.8(b)",
          "CR 3.8(c)"
        ],
        "general-mitre-att&ck-16-1": [
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1185",
          "T1535",
          "T1550.004",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1557.004",
          "T1562.006",
          "T1562.009",
          "T1563.001",
          "T1573",
          "T1573.001",
          "T1573.002",
          "T1622"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-8.1"
        ],
        "general-nist-800-53-r4": [
          "SC-23"
        ],
        "general-nist-800-53-r5-2": [
          "SC-23"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-23"
        ],
        "general-nist-800-82-r3": [
          "SC-23"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-23"
        ],
        "general-nist-800-82-r3-high": [
          "SC-23"
        ],
        "general-nist-800-171-r2": [
          "3.13.15"
        ],
        "general-nist-800-171-r3": [
          "03.13.15"
        ],
        "general-nist-800-171a": [
          "3.13.15"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.15"
        ],
        "general-pci-dss-4-0-1": [
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-23"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.15"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-23"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-23"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-23"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-23"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-23"
        ],
        "emea-deu-c5-2020": [
          "PSS-06"
        ],
        "emea-isr-cmo-1-0": [
          "17.25"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2414"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2414"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2414"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2414"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.15"
        ]
      }
    },
    {
      "control_id": "NET-09.1",
      "title": "Invalidate Session Identifiers at Logout",
      "family": "NET",
      "description": "Automated mechanisms exist to invalidate session identifiers upon user logout or other session termination.",
      "scf_question": "Does the organization use automated mechanisms to invalidate session identifiers upon user logout or other session termination?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically invalidate session identifiers upon user logout or other session termination.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Configure applications to invalidate sessions on logout",
        "small": "∙ Session invalidation policy\n∙ Ensure session tokens expire on logout",
        "medium": "∙ Formal session management policy\n∙ Application-level session invalidation on logout",
        "large": "∙ Application session management standards\n∙ Automated testing for session invalidation",
        "enterprise": "∙ Enterprise application security standards\n∙ Automated session management testing (DAST)\n∙ Session token lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "SC-23(01)"
        ],
        "general-govramp-high": [
          "SC-23(01)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.8 RE 1"
        ],
        "general-nist-800-53-r4": [
          "SC-23(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-23(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-23(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-23(CE-1)"
        ],
        "emea-deu-c5-2020": [
          "PSS-06"
        ]
      }
    },
    {
      "control_id": "NET-09.2",
      "title": "Unique System-Generated Session Identifiers",
      "family": "NET",
      "description": "Automated mechanisms exist to generate and recognize unique session identifiers for each session.",
      "scf_question": "Does the organization use automated mechanisms to generate and recognize unique session identifiers for each session?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically generate and recognize unique session identifiers for each session.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use randomly generated session IDs in applications",
        "small": "∙ Session ID generation policy\n∙ Use cryptographically random session identifiers",
        "medium": "∙ Formal session ID management standards\n∙ Cryptographic PRNG for session IDs",
        "large": "∙ Application security standards for session management\n∙ SAST/DAST testing for session ID generation",
        "enterprise": "∙ Enterprise application security framework\n∙ SAST/DAST automation (e.g., Veracode, Checkmarx)\n∙ Session management standards"
      },
      "risks": [
        "R-AM-3",
        "R-IR-1",
        "R-IR-2",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-iec-62443-3-3-2013": [
          "SR 3.8 RE 2",
          "SR 3.8 RE 3"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-8.1"
        ],
        "general-nist-800-53-r4": [
          "SC-23(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-23(03)"
        ],
        "general-nist-800-82-r3": [
          "SC-23(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-23(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-23(CE-3)"
        ]
      }
    },
    {
      "control_id": "NET-10",
      "title": "Domain Name Service (DNS) Resolution",
      "family": "NET",
      "description": "Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.",
      "scf_question": "Does the organization ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ IT and/or cybersecurity personnel ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.",
        "4": "Network Security (NET) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.9"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.9"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.9"
        ],
        "general-govramp": [
          "SC-20"
        ],
        "general-govramp-low": [
          "SC-20"
        ],
        "general-govramp-low-plus": [
          "SC-20"
        ],
        "general-govramp-mod": [
          "SC-20"
        ],
        "general-govramp-high": [
          "SC-20"
        ],
        "general-mitre-att&ck-16-1": [
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1553.004",
          "T1566",
          "T1566.001",
          "T1566.002",
          "T1568",
          "T1568.002",
          "T1598",
          "T1598.002",
          "T1598.003"
        ],
        "general-nist-800-53-r4": [
          "SC-20",
          "SC-20(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-20",
          "SC-20(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-20"
        ],
        "general-nist-800-82-r3": [
          "SC-20",
          "SC-20(02)"
        ],
        "general-nist-800-82-r3-low": [
          "SC-20"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-20"
        ],
        "general-nist-800-82-r3-high": [
          "SC-20"
        ],
        "general-nist-800-171-r2": [
          "NFO - SC-20"
        ],
        "general-shared-assessments-sig-2025": [
          "N.8"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-20"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-20"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-20"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-20"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-20"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-20",
          "SC-20(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-20",
          "SC-20.a",
          "SC-20.b",
          "SC-20-IS.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-20"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-20"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-20"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(l)"
        ],
        "emea-isr-cmo-1-0": [
          "9.6"
        ],
        "emea-sau-ecc-1-2018": [
          "2-4-3-5",
          "2-5-3-7"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2315"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2315"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2315"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2315"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0574",
          "ISM-0861",
          "ISM-1026",
          "ISM-1027",
          "ISM-1151",
          "ISM-1183",
          "ISM-1540",
          "ISM-1782",
          "ISM-1799"
        ],
        "apac-nzl-ism-3-9": [
          "15.2.20.C.01",
          "15.2.20.C.02",
          "15.2.20.C.03",
          "15.2.20.C.04",
          "15.2.20.C.05"
        ]
      }
    },
    {
      "control_id": "NET-10.1",
      "title": "Architecture & Provisioning for Name / Address Resolution Service",
      "family": "NET",
      "description": "Mechanisms exist to ensure systems that collectively provide Domain Name Service (DNS) resolution service are fault-tolerant and implement internal/external role separation.",
      "scf_question": "Does the organization ensure systems that collectively provide Domain Name Service (DNS) resolution service are fault-tolerant and implement internal/external role separation?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ IT and/or cybersecurity personnel ensure systems that collectively provide Domain Name Service (DNS) resolution service are fault-tolerant and implement internal/external role separation.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to ensure systems that collectively provide Domain Name Service (DNS) resolution service are fault-tolerant and implement internal/external role separation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use redundant DNS providers for availability",
        "small": "∙ Redundant DNS configuration\n∙ DNS security policy",
        "medium": "∙ DNS security architecture\n∙ Redundant authoritative DNS\n∙ DNSSEC consideration",
        "large": "∙ Enterprise DNS management\n∙ DNSSEC implementation\n∙ DNS monitoring\n∙ Redundant DNS infrastructure",
        "enterprise": "∙ Enterprise DNS security platform (e.g., Infoblox, BlueCat)\n∙ DNSSEC\n∙ DNS firewall\n∙ High-availability DNS architecture"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "SC-22"
        ],
        "general-govramp-low": [
          "SC-22"
        ],
        "general-govramp-low-plus": [
          "SC-22"
        ],
        "general-govramp-mod": [
          "SC-22"
        ],
        "general-govramp-high": [
          "SC-22"
        ],
        "general-mitre-att&ck-16-1": [
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1568",
          "T1568.002",
          "T1583.002",
          "T1584.002",
          "T1596.001"
        ],
        "general-nist-800-53-r4": [
          "SC-22"
        ],
        "general-nist-800-53-r5-2": [
          "SC-22"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-22"
        ],
        "general-nist-800-82-r3": [
          "SC-22"
        ],
        "general-nist-800-82-r3-low": [
          "SC-22"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-22"
        ],
        "general-nist-800-82-r3-high": [
          "SC-22"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-22"
        ],
        "general-nist-800-171-r2": [
          "NFO - SC-22"
        ],
        "general-shared-assessments-sig-2025": [
          "N.8"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-22"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-22"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-22"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-22"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-22"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-22"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-22"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-22"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-22"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-22"
        ],
        "emea-isr-cmo-1-0": [
          "9.7"
        ],
        "apac-nzl-ism-3-9": [
          "15.2.22.C.01"
        ]
      }
    },
    {
      "control_id": "NET-10.2",
      "title": "Secure Name / Address Resolution Service (Recursive or Caching Resolver)",
      "family": "NET",
      "description": "Mechanisms exist to perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems.",
      "scf_question": "Does the organization perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use reputable DNS resolver (e.g., Cloudflare 1.1.1.1, Google 8.8.8.8)",
        "small": "∙ Secure DNS resolver with filtering (e.g., Cisco Umbrella free, Cloudflare Gateway)",
        "medium": "∙ DNS security service (e.g., Cisco Umbrella, Cloudflare Gateway)\n∙ DNS filtering policy",
        "large": "∙ Enterprise DNS security service (e.g., Cisco Umbrella, Palo Alto DNS Security)\n∙ DNS-layer threat blocking",
        "enterprise": "∙ Enterprise DNS security platform with threat intelligence\n∙ Recursive resolver security\n∙ DNSSEC validation\n∙ DNS over HTTPS (DoH)"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "SC-21"
        ],
        "general-govramp-core": [
          "SC-21"
        ],
        "general-govramp-low": [
          "SC-21"
        ],
        "general-govramp-low-plus": [
          "SC-21"
        ],
        "general-govramp-mod": [
          "SC-21"
        ],
        "general-govramp-high": [
          "SC-21"
        ],
        "general-mitre-att&ck-16-1": [
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1568",
          "T1568.002"
        ],
        "general-nist-800-53-r4": [
          "SC-21"
        ],
        "general-nist-800-53-r5-2": [
          "SC-21"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-21"
        ],
        "general-nist-800-82-r3": [
          "SC-21"
        ],
        "general-nist-800-82-r3-low": [
          "SC-21"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-21"
        ],
        "general-nist-800-82-r3-high": [
          "SC-21"
        ],
        "general-nist-800-171-r2": [
          "NFO - SC-21"
        ],
        "general-shared-assessments-sig-2025": [
          "P.2.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DO.DNVAC",
          "3.PEP.DO.DNVAD"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-21"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-21"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-21"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-21"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-21"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-21"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-21"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-21"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-21"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-21"
        ],
        "emea-isr-cmo-1-0": [
          "9.7"
        ]
      }
    },
    {
      "control_id": "NET-10.3",
      "title": "Sender Policy Framework (SPF)",
      "family": "NET",
      "description": "Mechanisms exist to validate the legitimacy of email communications through configuring a Domain Naming Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain.",
      "scf_question": "Does the organization validate the legitimacy of email communications through configuring a Domain Naming Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to validate the legitimacy of email communications through configuring a Domain Naming Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "9.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.M"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-13",
          "TPC-14",
          "TPC-15"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2315"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2315"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2315"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2315"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0574",
          "ISM-1151",
          "ISM-1183",
          "ISM-1799"
        ],
        "apac-nzl-ism-3-9": [
          "15.2.20.C.01",
          "15.2.20.C.02",
          "15.2.20.C.03",
          "15.2.20.C.04",
          "15.2.20.C.05"
        ]
      }
    },
    {
      "control_id": "NET-10.4",
      "title": "Domain Registrar Security",
      "family": "NET",
      "description": "Mechanisms exist to lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details.",
      "scf_question": "Does the organization lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable domain registrar 2FA and lock domain registrations",
        "small": "∙ Domain registrar security controls\n∙ Enable 2FA, registrar lock, WHOIS privacy",
        "medium": "∙ Formal domain registrar security program\n∙ Registrar lock, 2FA, monitoring for unauthorized changes",
        "large": "∙ Enterprise domain management platform\n∙ Registrar lock, MFA, domain change monitoring",
        "enterprise": "∙ Enterprise domain management platform (e.g., CSC Digital Brand Services, MarkMonitor)\n∙ Domain locking, MFA, real-time change alerts"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1596.002"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DO.DNMON"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1432"
        ]
      }
    },
    {
      "control_id": "NET-11",
      "title": "Out-of-Band Channels",
      "family": "NET",
      "description": "Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals.",
      "scf_question": "Does the organization utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals.",
        "4": "Network Security (NET) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use a separate channel (e.g., phone call) for critical communications",
        "small": "∙ Out-of-band communication policy for critical operations",
        "medium": "∙ Formal out-of-band channel for management and security communications\n∙ OOB procedure",
        "large": "∙ Dedicated out-of-band management channel\n∙ OOB network for critical operations",
        "enterprise": "∙ Enterprise out-of-band management network (OOBM)\n∙ Dedicated OOB access for critical systems\n∙ Emergency communication protocols"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-csa-iot-2": [
          "SWS-09"
        ],
        "general-mitre-att&ck-16-1": [
          "T1071",
          "T1071.001",
          "T1071.002",
          "T1071.003",
          "T1071.004",
          "T1114",
          "T1114.001",
          "T1114.002",
          "T1114.003",
          "T1213",
          "T1213.005",
          "T1489"
        ],
        "general-nist-800-53-r4": [
          "SC-37",
          "SC-37(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-37",
          "SC-37(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-37",
          "SC-37(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-37"
        ],
        "general-nist-800-161-r1": [
          "SC-37",
          "SC-37(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-37(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-37(1)"
        ],
        "emea-us-psd2-2015": [
          "22"
        ]
      }
    },
    {
      "control_id": "NET-12",
      "title": "Safeguarding Data Over Open Networks",
      "family": "NET",
      "description": "Cryptographic mechanisms exist to implement strong cryptography and security protocols to safeguard sensitive/regulated data during transmission over open, public networks.",
      "scf_question": "Are cryptographic mechanisms utilized to implement strong cryptography and security protocols to safeguard sensitive/regulated data during transmission over open, public networks?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Network communications containing sensitive/regulated data are protected using a cryptographic mechanism to prevent unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).\n▪ Wireless access is protected via secure authentication and encryption.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ Network communications containing sensitive/regulated data use a cryptographic mechanism to prevent the unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational cryptographic capability exists to implement strong cryptography and security protocols to safeguard sensitive/regulated data during transmission over open, public networks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use HTTPS/TLS for all internet-facing communications",
        "small": "∙ TLS for all internet traffic\n∙ No unencrypted protocols over public networks",
        "medium": "∙ Encryption-in-transit standards\n∙ TLS 1.2+ enforcement\n∙ Certificate management",
        "large": "∙ Enterprise encryption-in-transit program\n∙ TLS 1.3 enforcement\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise encryption governance program\n∙ TLS 1.3+\n∙ Certificate management platform (e.g., Venafi)\n∙ Automated certificate monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6",
          "CC6.6-POF2"
        ],
        "general-govramp": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-govramp-core": [
          "AC-02",
          "SI-03",
          "SI-04",
          "SI-07"
        ],
        "general-govramp-low": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05"
        ],
        "general-govramp-low-plus": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-govramp-mod": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-govramp-high": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-82-r3": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-82-r3-low": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-07"
        ],
        "general-nist-800-161-r1": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-2",
          "AC-3",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-nist-800-161-r1-level-1": [
          "SI-4",
          "SI-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-pci-dss-4-0-1": [
          "4.1",
          "4.2.1",
          "11.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "4.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "4.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "4.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "4.2.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7",
          "SI-10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7",
          "SI-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7",
          "SI-10"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-10"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "emea-isr-cmo-1-0": [
          "8.4",
          "8.6",
          "9.20",
          "13.6"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2305"
        ],
        "apac-jpn-ismap": [
          "13.1.1.4",
          "14.1.2",
          "14.1.2.1",
          "14.1.2.2",
          "14.1.2.3",
          "14.1.2.4",
          "14.1.2.5",
          "14.1.2.6",
          "14.1.2.7",
          "14.1.2.8",
          "14.1.2.9",
          "14.1.2.10",
          "14.1.2.11",
          "14.1.2.12",
          "14.1.2.13",
          "14.1.2.14",
          "14.1.2.15"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS17"
        ]
      }
    },
    {
      "control_id": "NET-12.1",
      "title": "Wireless Link Protection",
      "family": "NET",
      "description": "Mechanisms exist to protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action, if an unauthorized connection is discovered.",
      "scf_question": "Does the organization protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action, if an unauthorized connection is discovered?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Network communications containing sensitive/regulated data are protected using a cryptographic mechanism to prevent unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).\n▪ Wireless access is protected via secure authentication and encryption.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ Network communications containing sensitive/regulated data use a cryptographic mechanism to prevent the unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action, if an unauthorized connection is discovered.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use WPA2/WPA3 encryption on all Wi-Fi networks",
        "small": "∙ WPA3 Wi-Fi encryption\n∙ Wireless security policy",
        "medium": "∙ Enterprise wireless security standard\n∙ WPA3-Enterprise\n∙ 802.1X authentication",
        "large": "∙ Enterprise wireless security (WPA3-Enterprise + 802.1X)\n∙ Wireless IDS/IPS\n∙ RF monitoring",
        "enterprise": "∙ Enterprise WLAN security platform\n∙ WPA3-Enterprise with RADIUS\n∙ Wireless IDS/IPS (e.g., Cisco Wireless, Aruba)\n∙ RF scanning"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6"
        ],
        "general-csa-iot-2": [
          "SWS-07"
        ],
        "general-mitre-att&ck-16-1": [
          "T1557.004"
        ],
        "general-nist-800-53-r4": [
          "SC-40"
        ],
        "general-nist-800-53-r5-2": [
          "SC-40"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-40"
        ],
        "general-nist-800-82-r3": [
          "SC-40"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.3",
          "1.3.3",
          "2.3",
          "2.3.1",
          "2.3.2",
          "4.2.1.2",
          "11.2",
          "11.2.1",
          "11.2.2",
          "12.10.1",
          "12.10.5"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.3",
          "1.3.3",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.3",
          "1.3.3",
          "2.3.1",
          "2.3.2",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "1.3.3",
          "2.3.1",
          "2.3.2",
          "4.2.1.2",
          "11.2.1",
          "11.2.2",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "1.3.3",
          "2.3.1",
          "2.3.2",
          "4.2.1.2",
          "12.10.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.3",
          "1.3.3",
          "2.3.1",
          "2.3.2",
          "4.2.1.2",
          "11.2.1",
          "11.2.2",
          "12.10.1",
          "12.10.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.3",
          "1.3.3",
          "2.3.1",
          "2.3.2",
          "4.2.1.2",
          "11.2.1",
          "11.2.2",
          "12.10.1",
          "12.10.5"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.10.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-40"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-40"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-40"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-40"
        ]
      }
    },
    {
      "control_id": "NET-12.2",
      "title": "End-User Messaging Technologies",
      "family": "NET",
      "description": "Mechanisms exist to prohibit the transmission of unprotected sensitive/regulated data by end-user messaging technologies.",
      "scf_question": "Does the organization prohibit the transmission of unprotected sensitive/regulated data by end-user messaging technologies?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Network communications containing sensitive/regulated data are protected using a cryptographic mechanism to prevent unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to prohibit the transmission of unprotected sensitive/regulated data by end-user messaging technologies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)",
        "small": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)",
        "medium": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)",
        "large": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)",
        "enterprise": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.7-POF1"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.8"
        ],
        "general-pci-dss-4-0-1": [
          "4.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "4.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "4.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "4.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "4.2.2"
        ]
      }
    },
    {
      "control_id": "NET-13",
      "title": "Electronic Messaging",
      "family": "NET",
      "description": "Mechanisms exist to protect the confidentiality, integrity and availability of electronic messaging communications.",
      "scf_question": "Does the organization protect the confidentiality, integrity and availability of electronic messaging communications?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Network communications containing sensitive/regulated data are protected using a cryptographic mechanism to prevent unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to protect the confidentiality, integrity and availability of electronic messaging communications.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)",
        "small": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)",
        "medium": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)",
        "large": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)",
        "enterprise": "∙ Acceptable Use Policy (AUP)\n∙ Data Loss Prevention (DLP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6",
          "CC6.6-POF2",
          "CC6.7"
        ],
        "general-iso-27002-2022": [
          "5.14"
        ],
        "general-iso-27017-2015": [
          "13.2.1",
          "13.2.3"
        ],
        "general-iso-27018-2025": [
          "5.14"
        ],
        "general-nist-800-53-r4": [
          "SC-8(3)",
          "SC-19"
        ],
        "general-nist-800-53-r5-2": [
          "SC-08(03)"
        ],
        "general-nist-800-82-r3": [
          "SC-08(03)"
        ],
        "general-nist-800-171-r2": [
          "3.13.14"
        ],
        "general-nist-800-171a": [
          "3.13.14[a]",
          "3.13.14[b]"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.M"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.14"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-ACA-1",
          "SC-ACA-1-IS.a",
          "SC-ACA-2",
          "SC-ACA-2.a",
          "SC-ACA-2-IS.1",
          "SC-ACA-2-IS.1.a",
          "SC-ACA-2-IS.1.b",
          "SC-ACA-2-IS.1.c"
        ],
        "emea-sau-cgiot-2024": [
          "2-3-1",
          "2-3-2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.8.1 [MP.S.1]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0264",
          "ISM-0267",
          "ISM-0269",
          "ISM-0270",
          "ISM-0271",
          "ISM-0272",
          "ISM-0490",
          "ISM-0494",
          "ISM-0496",
          "ISM-0498",
          "ISM-0565",
          "ISM-0569",
          "ISM-0570",
          "ISM-0571",
          "ISM-0572",
          "ISM-0574",
          "ISM-0861",
          "ISM-0998",
          "ISM-0999",
          "ISM-1000",
          "ISM-1023",
          "ISM-1024",
          "ISM-1026",
          "ISM-1027",
          "ISM-1089",
          "ISM-1151",
          "ISM-1183",
          "ISM-1540",
          "ISM-1589"
        ],
        "apac-jpn-ismap": [
          "13.2.2.12",
          "13.2.2.13",
          "13.2.3",
          "13.2.3.1",
          "13.2.3.2",
          "13.2.3.3",
          "13.2.3.4",
          "13.2.3.5",
          "13.2.3.6",
          "13.2.3.7.P"
        ],
        "apac-nzl-ism-3-9": [
          "15.1.7.C.01",
          "15.1.8.C.01",
          "15.1.8.C.02",
          "15.1.9.C.01",
          "15.1.10.C.01",
          "15.1.10.C.02",
          "15.1.10.C.03",
          "15.1.11.C.01",
          "15.1.11.C.02",
          "15.1.11.C.03",
          "15.1.12.C.01",
          "15.1.13.C.01",
          "15.1.14.C.01",
          "15.1.15.C.01",
          "15.1.16.C.01",
          "15.1.17.C.01",
          "15.1.18.C.01",
          "15.1.19.C.01",
          "15.1.19.C.02",
          "15.1.20.C.01",
          "15.2.25.C.01",
          "15.2.25.C.02",
          "15.2.26.C.01",
          "15.2.27.C.01",
          "15.2.28.C.01",
          "15.2.29.C.01",
          "15.2.30.C.01",
          "15.2.30.C.02",
          "15.2.30.C.03",
          "15.2.31.C.01",
          "15.2.31.C.02",
          "15.2.32.C.01",
          "15.2.32.C.02",
          "15.2.32.C.03",
          "15.2.33.C.01",
          "15.2.33.C.02",
          "15.2.33.C.03",
          "15.2.33.C.04",
          "16.7.33.C.01",
          "17.6.6.C.01",
          "17.6.7.C.01"
        ]
      }
    },
    {
      "control_id": "NET-14",
      "title": "Remote Access",
      "family": "NET",
      "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
      "scf_question": "Does the organization define, control and review organization-approved, secure remote access methods?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-03",
        "E-IAM-14"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to define, control and review organization-approved, secure remote access methods.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ VPN for remote access\n∙ Remote access policy",
        "small": "∙ VPN with MFA for remote access\n∙ Documented remote access policy",
        "medium": "∙ Enterprise VPN with MFA\n∙ Remote access policy\n∙ Split tunneling controls",
        "large": "∙ Enterprise VPN or ZTNA solution\n∙ Remote access monitoring\n∙ MFA enforcement",
        "enterprise": "∙ Enterprise ZTNA/SASE platform (e.g., Zscaler, Palo Alto Prisma Access)\n∙ VPN with MFA\n∙ Remote access monitoring and logging"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.6",
          "CC6.6-POF3"
        ],
        "general-cis-csc-8-1": [
          "12.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.7"
        ],
        "general-govramp": [
          "AC-17"
        ],
        "general-govramp-core": [
          "AC-17"
        ],
        "general-govramp-low": [
          "AC-17"
        ],
        "general-govramp-low-plus": [
          "AC-17"
        ],
        "general-govramp-mod": [
          "AC-17"
        ],
        "general-govramp-high": [
          "AC-17"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 3.1",
          "NET 3.2",
          "NET 3.2(a)",
          "NET 3.2(b)",
          "NET 3.2(c)",
          "NET 3.2(d)",
          "NET 3.2(e)",
          "NET 3.2(f)",
          "NET 3.2(g)",
          "NET 3.2(h)"
        ],
        "general-iso-27002-2022": [
          "6.7"
        ],
        "general-iso-27018-2025": [
          "6.7"
        ],
        "general-mitre-att&ck-16-1": [
          "T1020.001",
          "T1021",
          "T1021.001",
          "T1021.002",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1021.008",
          "T1037",
          "T1037.001",
          "T1040",
          "T1047",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1114",
          "T1114.001",
          "T1114.002",
          "T1114.003",
          "T1119",
          "T1127.002",
          "T1133",
          "T1137",
          "T1137.002",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.005",
          "T1219",
          "T1505.004",
          "T1505.005",
          "T1530",
          "T1537",
          "T1543",
          "T1547.003",
          "T1547.004",
          "T1547.009",
          "T1547.012",
          "T1547.013",
          "T1550.001",
          "T1552",
          "T1552.002",
          "T1552.004",
          "T1552.005",
          "T1552.007",
          "T1557",
          "T1557.002",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1567.003",
          "T1567.004",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1609",
          "T1610",
          "T1612",
          "T1613",
          "T1619",
          "T1647",
          "T1651",
          "T1659"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-2.1",
          "TS-2.1",
          "TS-2.9"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P3"
        ],
        "general-nist-800-53-r4": [
          "AC-17",
          "AC-17(6)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-17",
          "AC-17(06)"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-17"
        ],
        "general-nist-800-82-r3": [
          "AC-17",
          "AC-17(06)"
        ],
        "general-nist-800-82-r3-low": [
          "AC-17"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-17"
        ],
        "general-nist-800-82-r3-high": [
          "AC-17"
        ],
        "general-nist-800-161-r1": [
          "AC-17",
          "AC-17(6)"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-17"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-17"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-17",
          "AC-17(6)"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-17",
          "AC-17(6)"
        ],
        "general-nist-800-171-r2": [
          "3.1.12"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.a",
          "03.01.12.b",
          "03.01.12.c",
          "03.01.12.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.12.a[01]",
          "A.03.01.12.a[02]",
          "A.03.01.12.a[03]",
          "A.03.01.12.a[04]",
          "A.03.01.12.b",
          "A.03.01.12.c[01]",
          "A.03.01.12.c[02]",
          "A.03.01.12.d[1]",
          "A.03.01.12.d[2]"
        ],
        "general-pci-dss-4-0-1": [
          "3.4.2",
          "7.2.5",
          "8.2.3",
          "8.2.7",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "7.2.5",
          "8.2.7",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.2.7",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "7.2.5",
          "8.2.7",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.4.2",
          "7.2.5",
          "8.2.7",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.4.2",
          "7.2.5",
          "8.2.3",
          "8.2.7",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.1"
        ],
        "general-shared-assessments-sig-2025": [
          "N.5"
        ],
        "general-swift-cscf-2025": [
          "1.5"
        ],
        "general-tisax-6-0-3": [
          "2.1.4"
        ],
        "general-ul-2900-2-2-2016": [
          "8.2",
          "8.3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EN.RDACC",
          "3.PEP.EN.VPNET"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-17"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.12"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-17"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-17"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-17"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-17"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-17"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-17",
          "AC-17.a",
          "AC-17.a.1",
          "AC-17.a.2",
          "AC-17.a.3",
          "AC-17.b",
          "AC-17-IS.1",
          "AC-17-IS.3"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 2.1",
          "CIP-005-7 2.3",
          "CIP-005-7 2.4"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-17"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-17"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-17"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(d)"
        ],
        "emea-isr-cmo-1-0": [
          "4.17"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-1",
          "2-2-1-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-2-1-7"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-35"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.7 [OP.ACC.7]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2305"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0487",
          "ISM-0488",
          "ISM-0489"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S12"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS13"
        ],
        "apac-nzl-ism-3-9": [
          "16.5.10.C.01",
          "16.5.10.C.02",
          "16.5.11.C.01",
          "16.5.11.C.02",
          "16.5.12.C.01",
          "17.5.6.C.01",
          "17.5.7.C.01",
          "17.5.7.C.02",
          "17.5.8.C.01",
          "17.5.8.C.02",
          "17.5.8.C.03",
          "17.5.9.C.01",
          "17.5.10.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.3.1",
          "9.3.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.A",
          "03.01.12.B",
          "03.01.12.C",
          "03.01.12.D"
        ]
      }
    },
    {
      "control_id": "NET-14.1",
      "title": "Automated Monitoring & Control",
      "family": "NET",
      "description": "Automated mechanisms exist to monitor and control remote access sessions.",
      "scf_question": "Does the organization use automated mechanisms to monitor and control remote access sessions?",
      "relative_weight": 1,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically monitor and control remote access sessions.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Monitor VPN usage logs periodically",
        "small": "∙ Automated monitoring of VPN usage\n∙ Alerting on anomalous remote access",
        "medium": "∙ Automated monitoring and control of remote access sessions\n∙ SIEM alerts for remote access anomalies",
        "large": "∙ Enterprise remote access monitoring platform\n∙ Automated session controls\n∙ SIEM integration",
        "enterprise": "∙ Enterprise SIEM/SOAR with remote access monitoring\n∙ Automated anomaly detection\n∙ Just-in-time access controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "12.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.7"
        ],
        "general-govramp": [
          "AC-17(01)"
        ],
        "general-govramp-low-plus": [
          "AC-17(01)"
        ],
        "general-govramp-mod": [
          "AC-17(01)"
        ],
        "general-govramp-high": [
          "AC-17(01)"
        ],
        "general-nist-800-53-r4": [
          "AC-17(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-17(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-17(01)"
        ],
        "general-nist-800-82-r3": [
          "AC-17(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-17(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-17(01)"
        ],
        "general-nist-800-171-r2": [
          "3.1.12"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.b"
        ],
        "general-nist-800-171a": [
          "3.1.12[a]",
          "3.1.12[b]",
          "3.1.12[c]",
          "3.1.12[d]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-17(1)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.12"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-17(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-17(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-17(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-17(1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-17 (01)"
        ],
        "emea-isr-cmo-1-0": [
          "4.18"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.B"
        ]
      }
    },
    {
      "control_id": "NET-14.2",
      "title": "Protection of Confidentiality / Integrity Using Encryption",
      "family": "NET",
      "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of remote access sessions (e.g., VPN).",
      "scf_question": "Are cryptographic mechanisms utilized to protect the confidentiality and integrity of remote access sessions (e.g., VPN)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational cryptographic capability exists to protect the confidentiality and integrity of remote access sessions (e.g., VPN).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use VPN with encryption for remote access",
        "small": "∙ Encrypted VPN (TLS/IPSec) for all remote access",
        "medium": "∙ Encrypted remote access standard\n∙ TLS/IPSec VPN\n∙ Certificate-based authentication",
        "large": "∙ Enterprise encrypted VPN with certificate-based auth\n∙ FIPS-compliant encryption",
        "enterprise": "∙ Enterprise encrypted ZTNA/VPN platform\n∙ FIPS 140-2/140-3 compliant encryption\n∙ End-to-end encryption enforcement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "12.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.7"
        ],
        "general-govramp": [
          "AC-17(02)"
        ],
        "general-govramp-core": [
          "AC-17(02)"
        ],
        "general-govramp-low-plus": [
          "AC-17(02)"
        ],
        "general-govramp-mod": [
          "AC-17(02)"
        ],
        "general-govramp-high": [
          "AC-17(02)"
        ],
        "general-nist-800-53-r4": [
          "AC-17(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-17(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-17(02)"
        ],
        "general-nist-800-82-r3": [
          "AC-17(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-17(02)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-17(02)"
        ],
        "general-nist-800-171-r2": [
          "3.1.13"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.a"
        ],
        "general-nist-800-171a": [
          "3.1.13[a]",
          "3.1.13[b]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-17(2)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.13"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-17(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-17(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-17(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-17(2)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 2.2"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-17 (02)"
        ],
        "emea-isr-cmo-1-0": [
          "9.8"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2305",
          "2306"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2305",
          "2306"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2305",
          "2306"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2305",
          "2306"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.A"
        ]
      }
    },
    {
      "control_id": "NET-14.3",
      "title": "Managed Access Control Points",
      "family": "NET",
      "description": "Mechanisms exist to route all remote accesses through managed network access control points (e.g., VPN concentrator).",
      "scf_question": "Does the organization route all remote accesses through managed network access control points (e.g., VPN concentrator)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-09"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to route all remote accesses through managed network access control points (e.g., VPN concentrator).",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use a single, monitored VPN gateway for remote access",
        "small": "∙ Consolidated remote access through managed gateway\n∙ Access point documentation",
        "medium": "∙ Formal managed access control point policy\n∙ Centralized remote access gateway",
        "large": "∙ Enterprise centralized remote access with monitoring\n∙ Access control enforcement at gateway",
        "enterprise": "∙ Enterprise centralized remote access platform (ZTNA/VPN)\n∙ All remote access through managed control points\n∙ SIEM monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF5",
          "CC6.1-POF6",
          "CC6.6-POF4"
        ],
        "general-cis-csc-8-1": [
          "12.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.7"
        ],
        "general-govramp": [
          "AC-17(03)"
        ],
        "general-govramp-mod": [
          "AC-17(03)"
        ],
        "general-govramp-high": [
          "AC-17(03)"
        ],
        "general-nist-800-53-r4": [
          "AC-17(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-17(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-17(03)"
        ],
        "general-nist-800-82-r3": [
          "AC-17(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-17(03)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-17(03)"
        ],
        "general-nist-800-171-r2": [
          "3.1.14"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.b",
          "03.01.12.c"
        ],
        "general-nist-800-171a": [
          "3.1.14[a]",
          "3.1.14[b]"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EN.VPNET"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-17(3)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.14"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.2.2",
          "2.4.1"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-17(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-17(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-17(CE-3)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-17(3)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-17 (03)"
        ],
        "emea-isr-cmo-1-0": [
          "4.19"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2307"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2307"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2307"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2307"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.B",
          "03.01.12.C"
        ]
      }
    },
    {
      "control_id": "NET-14.4",
      "title": "Remote Privileged Commands & Sensitive Data Access",
      "family": "NET",
      "description": "Mechanisms exist to restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs.",
      "scf_question": "Does the organization restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ Network communications containing sensitive/regulated data use a cryptographic mechanism to prevent the unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Require MFA and VPN for privileged remote access",
        "small": "∙ Policy restricting privileged remote commands to authenticated sessions",
        "medium": "∙ Formal privileged remote access policy\n∙ Encrypted and authenticated remote privileged sessions",
        "large": "∙ PAM solution for privileged remote access\n∙ Session recording for privileged commands",
        "enterprise": "∙ Enterprise PAM with privileged remote access control (e.g., CyberArk)\n∙ Session recording\n∙ Just-in-time privileged access"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "AC-17(04)"
        ],
        "general-govramp-mod": [
          "AC-17(04)"
        ],
        "general-govramp-high": [
          "AC-17(04)"
        ],
        "general-nist-800-53-r4": [
          "AC-17(4)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-17(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-17(04)"
        ],
        "general-nist-800-82-r3": [
          "AC-17(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-17(04)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-17(04)"
        ],
        "general-nist-800-171-r2": [
          "3.1.15"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.d"
        ],
        "general-nist-800-171a": [
          "3.1.15[a]",
          "3.1.15[b]",
          "3.1.15[c]",
          "3.1.15[d]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.12.d[1]",
          "A.03.01.12.d[2]"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-17(4)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.15"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-17(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-17(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-17(CE-4)",
          "AC-17(CE-4).a",
          "AC-17(CE-4).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-17(4)",
          "AC-17(4).a",
          "AC-17(4).b"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-17 (04)"
        ],
        "emea-isr-cmo-1-0": [
          "4.17",
          "4.20"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-35"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2417"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2417"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2417"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2417"
        ],
        "apac-nzl-ism-3-9": [
          "16.5.11.C.01",
          "16.5.11.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.D"
        ]
      }
    },
    {
      "control_id": "NET-14.5",
      "title": "Work From Anywhere (WFA) - Telecommuting Security",
      "family": "NET",
      "description": "Mechanisms exist to define secure telecommuting practices and govern remote access to Technology Assets, Applications, Services and/or Data (TAASD) for remote workers.",
      "scf_question": "Does the organization define secure telecommuting practices and govern remote access to Technology Assets, Applications, Services and/or Data (TAASD) for remote workers?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-03",
        "E-IAM-14"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to define secure telecommuting practices and govern remote access to TAASD for remote workers.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Remote work security policy\n∙ VPN requirement for home workers",
        "small": "∙ Work-from-anywhere security policy\n∙ VPN + MFA for remote workers\n∙ Acceptable use policy",
        "medium": "∙ Formal WFA security program\n∙ VPN/ZTNA + MFA\n∙ Endpoint security for remote devices",
        "large": "∙ Enterprise WFA security program\n∙ ZTNA/SASE solution\n∙ Remote endpoint management (MDM/UEM)",
        "enterprise": "∙ Enterprise WFA security framework\n∙ SASE platform (e.g., Zscaler, Netskope)\n∙ UEM for remote endpoints\n∙ Security awareness training for remote work"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "HRS-04"
        ],
        "general-iso-27002-2022": [
          "6.7",
          "7.9"
        ],
        "general-iso-27017-2015": [
          "6.2.2",
          "11.2.6"
        ],
        "general-iso-27018-2025": [
          "6.7",
          "7.9"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-2.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P3"
        ],
        "general-nist-800-171-r2": [
          "3.1.12",
          "3.10.6"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.a",
          "03.01.12.c",
          "03.10.06.a",
          "03.10.06.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.10.06.ODP[01]",
          "A.03.10.06.a",
          "A.03.10.06.b"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "general-tisax-6-0-3": [
          "2.1.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EN.VPNET"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.12",
          "PEL2.-3.10.6"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.7"
        ],
        "emea-sau-cscc-1-2019": [
          "2-2-1-1",
          "2-2-1-2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.7 [OP.ACC.7]",
          "9"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2305"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2305"
        ],
        "apac-jpn-ismap": [
          "6.2",
          "6.2.2",
          "6.2.2.1",
          "6.2.2.2",
          "6.2.2.3",
          "6.2.2.4",
          "6.2.2.5",
          "6.2.2.6",
          "6.2.2.7",
          "6.2.2.8",
          "6.2.2.9",
          "6.2.2.10",
          "6.2.2.11",
          "6.2.2.12",
          "6.2.2.13",
          "6.2.2.14",
          "6.2.2.15",
          "6.2.2.16",
          "6.2.2.17",
          "6.2.2.18",
          "6.2.2.19",
          "6.2.2.20",
          "6.2.2.21"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS13"
        ],
        "apac-nzl-ism-3-9": [
          "21.2.4.C.01",
          "21.2.4.C.02",
          "21.2.5.C.01",
          "21.2.6.C.01",
          "21.2.7.C.01",
          "21.2.7.C.02",
          "21.3.5.C.01",
          "21.3.6.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.3.1",
          "9.3.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.A",
          "03.01.12.C",
          "03.10.06.A",
          "03.10.06.B"
        ]
      }
    },
    {
      "control_id": "NET-14.6",
      "title": "Third-Party Remote Access Governance",
      "family": "NET",
      "description": "Mechanisms exist to proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access.",
      "scf_question": "Does the organization proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-IAM-14"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document and approve all third-party remote access",
        "small": "∙ Third-party remote access policy\n∙ Require justification and time limits",
        "medium": "∙ Formal third-party remote access governance policy\n∙ Session monitoring requirements",
        "large": "∙ Enterprise third-party remote access governance\n∙ PAM-managed third-party sessions\n∙ Session recording",
        "enterprise": "∙ Enterprise third-party remote access platform (e.g., BeyondTrust, CyberArk)\n∙ Just-in-time access\n∙ Session recording and monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.2.7"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.7"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EN.VPNET"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 2.4",
          "CIP-005-7 2.5",
          "CIP-005-7 3.1",
          "CIP-005-7 3.2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-35"
        ]
      }
    },
    {
      "control_id": "NET-14.7",
      "title": "Endpoint Security Validation",
      "family": "NET",
      "description": "Automated mechanisms exist to validate the security posture of the endpoint devices (e.g., software versions, patch levels, etc.) prior to allowing devices to connect to organizational Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization validate the security posture of the endpoint devices (e.g., software versions, patch levels, etc.) prior to allowing devices to connect to organizational Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 6,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically validate the security posture of the endpoint devices (e.g., software versions, patch levels, etc.) prior to allowing devices to connect to organizational Technology Assets, Applications and/or Services (TAAS).",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "small": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "medium": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "large": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)",
        "enterprise": "∙ Microsoft Entra (https://microsoft.com)\n∙ AWS IAM (https://aws.amazon.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "13.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "13.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "13.5"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-14"
        ],
        "general-nist-800-53-r5-2": [
          "CA-09(01)"
        ],
        "general-nist-800-82-r3": [
          "CA-09(01)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 4",
          "NIST Tenet 5",
          "NIST Tenet 7"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.2",
          "2.2.1",
          "2.2.2",
          "2.3.5",
          "2.4",
          "2.4.1",
          "2.4.3",
          "2.4.4",
          "2.5.1"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "2.2"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-9(CE-1)"
        ]
      }
    },
    {
      "control_id": "NET-14.8",
      "title": "Expeditious Disconnect / Disable Capability",
      "family": "NET",
      "description": "Mechanisms exist to provide the capability to expeditiously disconnect or disable a user's remote access session.",
      "scf_question": "Does the organization provide the capability to expeditiously disconnect or disable a user's remote access session?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ IT and/or cybersecurity personnel provide the capability to expeditiously disconnect or disable a user's remote access session.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to provide the capability to expeditiously disconnect or disable a user's remote access session.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document how to disconnect remote sessions immediately when needed",
        "small": "∙ Remote session termination procedure\n∙ Ability to immediately revoke VPN access",
        "medium": "∙ Formal remote session termination policy and capability\n∙ Documented procedure for emergency disconnect",
        "large": "∙ Enterprise remote access platform with immediate termination capability\n∙ Automated session revocation procedures",
        "enterprise": "∙ Enterprise remote access platform with automated disconnect capability (SOAR integration)\n∙ Zero-trust session termination"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "AC-17(09)"
        ],
        "general-govramp-low-plus": [
          "AC-17(09)"
        ],
        "general-govramp-mod": [
          "AC-17(09)"
        ],
        "general-govramp-high": [
          "AC-17(09)"
        ],
        "general-nist-800-53-r4": [
          "AC-17(9)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-17(09)"
        ],
        "general-nist-800-82-r3": [
          "AC-17(09)"
        ],
        "general-nist-800-82-r3-low": [
          "AC-17(09)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-17(09)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-17(09)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-17(CE-9)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-005-7 2.5",
          "CIP-005-7 3.2"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-17 (09)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1591"
        ]
      }
    },
    {
      "control_id": "NET-15",
      "title": "Wireless Networking",
      "family": "NET",
      "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
      "scf_question": "Does the organization control authorized wireless usage and monitor for unauthorized wireless access?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ Wireless access is protected via secure authentication and encryption.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to control authorized wireless usage and monitor for unauthorized wireless access.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "AC-18"
        ],
        "general-govramp-low": [
          "AC-18"
        ],
        "general-govramp-low-plus": [
          "AC-18"
        ],
        "general-govramp-mod": [
          "AC-18"
        ],
        "general-govramp-high": [
          "AC-18"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 2.1"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.6 RE 1",
          "SR 2.2"
        ],
        "general-iec-62443-4-2-2019": [
          "NDR 1.6"
        ],
        "general-iso-27002-2022": [
          "8.21"
        ],
        "general-iso-27017-2015": [
          "13.1.2"
        ],
        "general-iso-27018-2025": [
          "8.21"
        ],
        "general-mitre-att&ck-16-1": [
          "T1011",
          "T1011.001",
          "T1020.001",
          "T1040",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1119",
          "T1530",
          "T1552",
          "T1552.004",
          "T1557",
          "T1557.002",
          "T1557.004",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1602",
          "T1602.001",
          "T1602.002"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.11"
        ],
        "general-nist-800-53-r4": [
          "AC-18"
        ],
        "general-nist-800-53-r5-2": [
          "AC-18"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-18"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-18"
        ],
        "general-nist-800-82-r3": [
          "AC-18"
        ],
        "general-nist-800-82-r3-low": [
          "AC-18"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-18"
        ],
        "general-nist-800-82-r3-high": [
          "AC-18"
        ],
        "general-nist-800-161-r1": [
          "AC-18"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-18"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-18"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-18"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-18"
        ],
        "general-nist-800-171-r2": [
          "3.1.16"
        ],
        "general-nist-800-171-r3": [
          "03.01.16.a",
          "03.01.16.b"
        ],
        "general-nist-800-171a": [
          "3.1.16[a]",
          "3.1.16[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.16.a[01]",
          "A.03.01.16.a[02]",
          "A.03.01.16.a[04]"
        ],
        "general-nist-800-207": [
          "NIST Tenet 2"
        ],
        "general-pci-dss-4-0-1": [
          "2.3",
          "11.2",
          "11.2.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.2.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.2.1",
          "11.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.2.1",
          "11.2.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.20.1",
          "5.20.1.1",
          "AC-18"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.16"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-18"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-18"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-18"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-18"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-18(IRS-Defined)-1",
          "AC-18(IRS-Defined)-2",
          "AC-18(IRS-Defined)-3",
          "AC-18(IRS-Defined)-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-18",
          "AC-18.a",
          "AC-18.b",
          "AC-18.c"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-18"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-18"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-18"
        ],
        "emea-isr-cmo-1-0": [
          "4.24",
          "12.12",
          "12.14"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-5",
          "2-4-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-4",
          "2-4-1-5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0225",
          "ISM-0248",
          "ISM-0536",
          "ISM-1314",
          "ISM-1315",
          "ISM-1316",
          "ISM-1317",
          "ISM-1318",
          "ISM-1319",
          "ISM-1320",
          "ISM-1321",
          "ISM-1322",
          "ISM-1323",
          "ISM-1324",
          "ISM-1327",
          "ISM-1330",
          "ISM-1334",
          "ISM-1335",
          "ISM-1454",
          "ISM-1543"
        ],
        "apac-nzl-ism-3-9": [
          "18.2.5.C.01",
          "18.2.5.C.02",
          "18.2.6.C.01",
          "18.2.7.C.01",
          "18.2.8.C.01",
          "18.2.25.C.01",
          "18.2.26.C.01",
          "18.2.27.C.01",
          "18.2.28.C.01",
          "18.2.28.C.02",
          "18.2.29.C.01",
          "18.2.29.C.02",
          "18.2.29.C.03",
          "18.2.30.C.01",
          "18.2.31.C.01",
          "18.2.32.C.01",
          "18.2.34.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.16.A",
          "03.01.16.B"
        ]
      }
    },
    {
      "control_id": "NET-15.1",
      "title": "Authentication & Encryption",
      "family": "NET",
      "description": "Mechanisms exist to secure Wi-Fi (e.g., IEEE 802.11) and prevent unauthorized access by:\n(1) Authenticating devices trying to connect; and \n(2) Encrypting transmitted data.",
      "scf_question": "Does the organization secure Wi-Fi (e.g., IEEE 802.11) and prevent unauthorized access by:\n (1) Authenticating devices trying to connect; and \n (2) Encrypting transmitted data?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Wireless access is protected via secure authentication and encryption.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to secure Wi-Fi (e.g., IEEE 802.11) and prevent unauthorized access by:\n(1) Authenticating devices trying to connect; and \n(2) Encrypting transmitted data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "AC-18(01)"
        ],
        "general-govramp-mod": [
          "AC-18(01)"
        ],
        "general-govramp-high": [
          "AC-18(01)"
        ],
        "general-iec-62443-4-2-2019": [
          "NDR 1.6(1)"
        ],
        "general-nist-800-53-r4": [
          "AC-18(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-18(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-18(01)"
        ],
        "general-nist-800-82-r3": [
          "AC-18(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-18(01)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-18(01)"
        ],
        "general-nist-800-171-r2": [
          "3.1.17"
        ],
        "general-nist-800-171-r3": [
          "03.01.16.a",
          "03.01.16.b",
          "03.01.16.d"
        ],
        "general-nist-800-171a": [
          "3.1.17[a]",
          "3.1.17[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.16.d[01]",
          "A.03.01.16.d[02]"
        ],
        "general-pci-dss-4-0-1": [
          "1.3",
          "2.3.1",
          "2.3.2",
          "4.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "4.2.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "2.3.1",
          "2.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.3.1",
          "2.3.2",
          "4.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.3.1",
          "2.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.3.1",
          "2.3.2",
          "4.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.3.1",
          "2.3.2",
          "4.2.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-18(1)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.17"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-18(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-18(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-18(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-18(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-18-SID.2"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.4.2(c)"
        ],
        "emea-isr-cmo-1-0": [
          "12.14"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2304"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2304"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2304"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2304"
        ],
        "apac-nzl-ism-3-9": [
          "18.2.10.C.01",
          "18.2.10.C.02",
          "18.2.11.C.01",
          "18.2.11.C.02",
          "18.2.11.C.03",
          "18.2.11.C.04",
          "18.2.11.C.05",
          "18.2.12.C.01",
          "18.2.12.C.02",
          "18.2.13.C.01",
          "18.2.14.C.01",
          "18.2.15.C.01",
          "18.2.16.C.01",
          "18.2.17.C.01",
          "18.2.18.C.01",
          "18.2.19.C.01",
          "18.2.20.C.01",
          "18.2.20.C.02",
          "18.2.20.C.03",
          "18.2.21.C.01",
          "18.2.22.C.01",
          "18.2.23.C.01",
          "18.2.23.C.02",
          "18.2.24.C.01",
          "18.2.25.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.16.A",
          "03.01.16.B",
          "03.01.16.D"
        ]
      }
    },
    {
      "control_id": "NET-15.2",
      "title": "Disable Wireless Networking",
      "family": "NET",
      "description": "Mechanisms exist to disable unnecessary wireless networking capabilities that are internally embedded within system components prior to issuance to end users.",
      "scf_question": "Does the organization disable unnecessary wireless networking capabilities that are internally embedded within system components prior to issuance to end users?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to disable unnecessary wireless networking capabilities that are internally embedded within system components prior to issuance to end users.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "AC-18(03)"
        ],
        "general-govramp-high": [
          "AC-18(03)"
        ],
        "general-nist-800-53-r4": [
          "AC-18(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-18(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-18(03)"
        ],
        "general-nist-800-82-r3": [
          "AC-18(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-18(03)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-18(03)"
        ],
        "general-nist-800-171-r3": [
          "03.01.16.c"
        ],
        "general-shared-assessments-sig-2025": [
          "U.1.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-18(3)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-18(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-18(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-18(CE-3)"
        ],
        "emea-isr-cmo-1-0": [
          "4.24"
        ],
        "emea-sau-cscc-1-2019": [
          "2-4-1-4"
        ],
        "apac-nzl-ism-3-9": [
          "21.1.16.C.01",
          "21.1.16.C.02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.16.C"
        ]
      }
    },
    {
      "control_id": "NET-15.3",
      "title": "Restrict Configuration By Users",
      "family": "NET",
      "description": "Mechanisms exist to identify and explicitly authorize users who are allowed to independently configure wireless networking capabilities.",
      "scf_question": "Does the organization identify and explicitly authorize users who are allowed to independently configure wireless networking capabilities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to identify and explicitly authorize users who are allowed to independently configure wireless networking capabilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "AC-18(04)"
        ],
        "general-govramp-high": [
          "AC-18(04)"
        ],
        "general-nist-800-53-r4": [
          "AC-18(4)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-18(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AC-18(04)"
        ],
        "general-nist-800-82-r3": [
          "AC-18(04)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-18(04)"
        ],
        "general-nist-800-171-r3": [
          "03.01.16.a",
          "03.01.16.c"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-18(04)"
        ],
        "emea-isr-cmo-1-0": [
          "12.13"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.16.A",
          "03.01.16.C"
        ]
      }
    },
    {
      "control_id": "NET-15.4",
      "title": "Wireless Boundaries",
      "family": "NET",
      "description": "Mechanisms exist to confine wireless communications to organization-controlled boundaries.",
      "scf_question": "Does the organization confine wireless communications to organization-controlled boundaries?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to confine wireless communications to organization-controlled boundaries.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configure Wi-Fi to minimize signal broadcast outside facility",
        "small": "∙ Wireless signal containment policy\n∙ Antenna placement review",
        "medium": "∙ Formal wireless boundary policy\n∙ RF signal containment measures\n∙ Wireless site survey",
        "large": "∙ Enterprise wireless boundary management\n∙ RF planning\n∙ Directional antennas to limit signal leakage",
        "enterprise": "∙ Enterprise wireless management platform\n∙ RF signal monitoring\n∙ Directional antenna design\n∙ Wireless boundary testing"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-govramp": [
          "AC-18(05)"
        ],
        "general-govramp-high": [
          "AC-18(05)"
        ],
        "general-nist-800-53-r4": [
          "AC-18(5)"
        ],
        "general-nist-800-53-r5-2": [
          "AC-18(05)"
        ],
        "general-nist-800-53-r5-2-high": [
          "AC-18(05)"
        ],
        "general-nist-800-82-r3": [
          "AC-18(05)"
        ],
        "general-nist-800-82-r3-high": [
          "AC-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-18(05)"
        ],
        "emea-isr-cmo-1-0": [
          "4.23"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1013",
          "ISM-1338"
        ],
        "apac-nzl-ism-3-9": [
          "18.2.33.C.01"
        ]
      }
    },
    {
      "control_id": "NET-15.5",
      "title": "Rogue Wireless Detection",
      "family": "NET",
      "description": "Mechanisms exist to test for the presence of Wireless Access Points (WAPs) and identify all authorized and unauthorized WAPs within the facility(ies).",
      "scf_question": "Does the organization test for the presence of Wireless Access Points (WAPs) and identify all authorized and unauthorized WAPs within the facility(ies)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to test for the presence of Wireless Access Points (WAPs) and identify all authorized and unauthorized WAPs within the facility(ies).",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that effect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Periodically scan for rogue Wi-Fi access points",
        "small": "∙ Rogue wireless detection scans (e.g., NetStumbler, Kali Linux tools)\n∙ Wireless security policy",
        "medium": "∙ Wireless IDS for rogue AP detection\n∙ Periodic wireless scanning",
        "large": "∙ Enterprise wireless IDS/IPS (e.g., Cisco, Aruba) with rogue detection",
        "enterprise": "∙ Enterprise WIDS/WIPS with automated rogue AP detection and blocking (e.g., Cisco, Aruba, Juniper Mist)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-csa-iot-2": [
          "SWS-06"
        ],
        "general-pci-dss-4-0-1": [
          "11.2",
          "11.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.2.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-18-SID.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0829"
        ]
      }
    },
    {
      "control_id": "NET-16",
      "title": "Intranets",
      "family": "NET",
      "description": "Mechanisms exist to establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to: \n(1) Access the intranet from external Technology Assets, Applications and/or Services (TAAS); and\n(2) Process, store, and/or transmit organization-controlled information using the external TAAS.",
      "scf_question": "Does the organization establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to: \n (1) Access the intranet from external Technology Assets, Applications and/or Services (TAAS); and\n (2) Process, store, and/or transmit organization-controlled information using the external systems?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to: \n(1) Access the intranet from external Technology Assets, Applications and/or Services (TAAS); and\n(2) Process, store, and/or transmit organization-controlled information using the external TAAS.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: they build on Level 4 capabilities but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Password-protect internal network resources",
        "small": "∙ Intranet security policy\n∙ Authentication for internal resources",
        "medium": "∙ Intranet security standards\n∙ Authentication controls\n∙ Internal TLS",
        "large": "∙ Enterprise intranet security program\n∙ SSO for intranet resources\n∙ Internal TLS enforcement",
        "enterprise": "∙ Enterprise intranet security framework\n∙ Zero-trust for internal applications\n∙ Internal PKI\n∙ SSO integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {}
    },
    {
      "control_id": "NET-17",
      "title": "Data Loss Prevention (DLP)",
      "family": "NET",
      "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
      "scf_question": "Does the organization use automated mechanisms to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ Data Loss Prevention (DLP), or similar technologies, prevent unauthorized devices from connecting to endpoint devices to control the distribution of sensitive/regulated data.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that effect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data Loss Prevention (DLP)",
        "small": "∙ Data Loss Prevention (DLP)",
        "medium": "∙ Data Loss Prevention (DLP)",
        "large": "∙ Data Loss Prevention (DLP)",
        "enterprise": "∙ Data Loss Prevention (DLP)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-GV-1",
        "R-GV-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.3-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.7-POF1"
        ],
        "general-cis-csc-8-1": [
          "3.13"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.13"
        ],
        "general-csa-cmm-4-1-0": [
          "UEM-11"
        ],
        "general-csa-iot-2": [
          "DAT-02"
        ],
        "general-govramp": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "general-govramp-high": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.9"
        ],
        "general-nist-800-53-r4": [
          "SC-7(10)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.6"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DA.DLPRE",
          "3.PEP.EM.DLPRE",
          "3.PEP.FI.DLPRE",
          "3.PEP.SE.DLPRE",
          "3.PEP.UN.DLPRE",
          "3.PEP.WE.DLPRE"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-5f"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.3.4",
          "4.4.1",
          "4.6",
          "4.6.1",
          "4.6.2",
          "4.6.3",
          "4.6.4",
          "4.7.4",
          "4.7.6",
          "4.7.7"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "5.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(10)",
          "SI-04(18)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-18)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(8)(B)"
        ],
        "emea-sau-otcc-1-2022": [
          "2-6-1-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2320"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2320"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2320"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S4"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP63",
          "HML69"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP55"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.1",
          "4.2"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.5"
        ]
      }
    },
    {
      "control_id": "NET-18",
      "title": "DNS & Content Filtering",
      "family": "NET",
      "description": "Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.",
      "scf_question": "Does the organization force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ SBC enforce Internet-bound network traffic routing through a proxy device for URL content filtering to limit a user's ability to connect to prohibited content.\n▪ Content filtering blocks users from performing ad hoc file transfers through unapproved file transfer services (e.g., Box, Dropbox, Google Drive, etc.).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.",
        "4": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Network Security (NET) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "9.0",
          "9.2",
          "9.3",
          "13.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "9.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.2",
          "9.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.2",
          "9.3",
          "13.1"
        ],
        "general-govramp": [
          "SC-07(08)"
        ],
        "general-govramp-mod": [
          "SC-07(08)"
        ],
        "general-govramp-high": [
          "SC-07(08)"
        ],
        "general-iso-27002-2022": [
          "5.14",
          "8.23"
        ],
        "general-iso-27017-2015": [
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.14",
          "8.23"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.8",
          "TS-2.10"
        ],
        "general-nist-800-53-r4": [
          "SC-7(8)",
          "SC-18(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(08)",
          "SC-18(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(08)",
          "SC-18(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-07(08)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(08)",
          "SC-18(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-07(08)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07(08)"
        ],
        "general-nist-800-171-r2": [
          "3.1.3"
        ],
        "general-nist-800-171-r3": [
          "03.14.06.c"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-03"
        ],
        "general-swift-cscf-2025": [
          "1.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DO.DNSIN",
          "3.PEP.DO.PDSER",
          "3.PEP.EM.CFILT",
          "3.PEP.EM.LCTPR",
          "3.PEP.EM.MLPRO",
          "3.PEP.SE.MCFIL",
          "3.PEP.WE.CFILT",
          "3.PEP.WE.DCFIL",
          "3.PEP.WE.DREPF",
          "3.PEP.WE.DRESF",
          "3.PEP.WE.MCFIL"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.M"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-7(8)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-2g",
          "ARCHITECTURE-5f"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(08)",
          "SC-18(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(08)",
          "SC-18(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(08)",
          "SC-18(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(08)",
          "SC-18(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-8)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-7(8)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.1.b",
          "III.D.1.c",
          "III.D.1.e",
          "III.D.2.a"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.14(a)(2)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(l)"
        ],
        "emea-isr-cmo-1-0": [
          "9.14"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-3",
          "2-5-3-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-57"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2411"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2411"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0267",
          "ISM-0649",
          "ISM-0659",
          "ISM-0958",
          "ISM-0961",
          "ISM-0963",
          "ISM-1171",
          "ISM-1234",
          "ISM-1236",
          "ISM-1237",
          "ISM-1275",
          "ISM-1287",
          "ISM-1293",
          "ISM-1502",
          "ISM-1524"
        ],
        "apac-nzl-ism-3-9": [
          "9.3.6.C.01",
          "14.3.6.C.01",
          "14.3.6.C.02",
          "14.3.6.C.03",
          "14.3.10.C.01",
          "14.3.10.C.02",
          "14.3.10.C.03",
          "14.3.10.C.04",
          "14.3.11.C.01",
          "14.3.11.C.02",
          "14.3.12.C.01",
          "20.3.4.C.01",
          "20.3.4.C.02",
          "20.3.5.C.01",
          "20.3.5.C.02",
          "20.3.6.C.01",
          "20.3.7.C.01",
          "20.3.7.C.02",
          "20.3.8.C.01",
          "20.3.9.C.01",
          "20.3.10.C.01",
          "20.3.11.C.01",
          "20.3.11.C.02",
          "20.3.11.C.03",
          "20.3.12.C.01",
          "20.3.12.C.02",
          "20.3.13.C.01",
          "20.3.13.C.02",
          "20.3.14.C.01",
          "20.3.15.C.01",
          "20.3.15.C.02",
          "20.3.16.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.06.C"
        ]
      }
    },
    {
      "control_id": "NET-18.1",
      "title": "Route Internal Traffic to Proxy Servers",
      "family": "NET",
      "description": "Mechanisms exist to route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces.",
      "scf_question": "Does the organization route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-NET-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ SBC enforce Internet-bound network traffic routing through a proxy device for URL content filtering to limit a user's ability to connect to prohibited content.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Route internet traffic through a web proxy/filter",
        "small": "∙ Web proxy for internet traffic (e.g., Squid)\n∙ Proxy usage policy",
        "medium": "∙ Secure web proxy for internet traffic routing\n∙ Proxy policy enforcement",
        "large": "∙ Enterprise secure web gateway (SWG) with proxy (e.g., Symantec, Zscaler)",
        "enterprise": "∙ Enterprise SWG (e.g., Zscaler, Netskope, Symantec Web Security)\n∙ All internet traffic routed through proxy\n∙ SSL inspection"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "13.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "13.1"
        ],
        "general-govramp": [
          "SC-07(08)"
        ],
        "general-govramp-mod": [
          "SC-07(08)"
        ],
        "general-govramp-high": [
          "SC-07(08)"
        ],
        "general-nist-800-53-r4": [
          "SC-7(8)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(08)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(08)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-07(08)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(08)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-07(08)"
        ],
        "general-nist-800-82-r3-high": [
          "SC-07(08)"
        ],
        "general-swift-cscf-2025": [
          "1.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-7(8)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(08)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(08)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(08)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(08)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-8)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-7(8)",
          "SC-7(8)-IS.1"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.1.b"
        ],
        "emea-isr-cmo-1-0": [
          "9.14"
        ],
        "emea-sau-cscc-1-2019": [
          "2-4-1-3"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-8"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0260",
          "ISM-0570",
          "ISM-1237"
        ],
        "apac-nzl-ism-3-9": [
          "14.3.6.C.01",
          "14.3.6.C.02",
          "14.3.6.C.03"
        ]
      }
    },
    {
      "control_id": "NET-18.2",
      "title": "Visibility of Encrypted Communications",
      "family": "NET",
      "description": "Mechanisms exist to configure the proxy to make encrypted communications traffic visible to monitoring tools and mechanisms.",
      "scf_question": "Does the organization configure the proxy to make encrypted communications traffic visible to monitoring tools and mechanisms?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to configure the proxy to make encrypted communications traffic visible to monitoring tools and mechanisms.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable TLS inspection on proxy/firewall if supported",
        "small": "∙ TLS inspection on web proxy or NGFW",
        "medium": "∙ SSL/TLS inspection policy and implementation on SWG/NGFW",
        "large": "∙ Enterprise TLS inspection solution with privacy controls",
        "enterprise": "∙ Enterprise SSL/TLS inspection platform (e.g., Zscaler, BlueCoat)\n∙ Selective decryption policy\n∙ Privacy compliance for inspection"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-04(10)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-04(10)"
        ],
        "general-nist-800-82-r3": [
          "SI-04(10)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-04(10)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-04(10)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.WE.BINSP"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-04(10)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-4(CE-10)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0263"
        ],
        "apac-nzl-ism-3-9": [
          "14.3.8.C.01",
          "14.3.9.C.01",
          "20.3.14.C.01"
        ]
      }
    },
    {
      "control_id": "NET-18.3",
      "title": "Route Privileged Network Access",
      "family": "NET",
      "description": "Automated mechanisms exist to route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.",
      "scf_question": "Does the organization use automated mechanisms to route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing?",
      "relative_weight": 1,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Route admin/privileged access through a separate, secured path",
        "small": "∙ Separate network path for privileged/administrative access",
        "medium": "∙ Formal privileged network access routing policy\n∙ Dedicated administrative access path",
        "large": "∙ Dedicated administrative network segment\n∙ Jump servers for privileged access routing",
        "enterprise": "∙ Enterprise privileged access workstations (PAW)\n∙ Dedicated admin network\n∙ Just-in-time privileged access (e.g., CyberArk, BeyondTrust)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SC-07(15)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(15)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-07(15)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-15)"
        ]
      }
    },
    {
      "control_id": "NET-18.4",
      "title": "Protocol Compliance Enforcement",
      "family": "NET",
      "description": "Automated mechanisms exist to ensure network traffic complies with Internet Engineering Task Force (IETF) protocol specifications.",
      "scf_question": "Does the organization use automated mechanisms to ensure network traffic complies with Internet Engineering Task Force (IETF) protocol specifications?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically ensure network traffic complies with Internet Engineering Task Force (IETF) protocol specifications.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configure firewall to enforce protocol compliance",
        "small": "∙ Firewall rules enforcing protocol compliance\n∙ Block non-standard protocol usage",
        "medium": "∙ Protocol compliance enforcement at network gateway\n∙ Application-layer filtering",
        "large": "∙ Enterprise NGFW with deep packet inspection (DPI) for protocol compliance",
        "enterprise": "∙ Enterprise NGFW with DPI and protocol anomaly detection (e.g., Palo Alto, Fortinet)\n∙ Automated protocol enforcement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.SE.PCENF",
          "3.PEP.WE.PCENF"
        ]
      }
    },
    {
      "control_id": "NET-18.5",
      "title": "Domain Name Verification",
      "family": "NET",
      "description": "Mechanisms exist to ensure that domain name lookups, whether for internal or external domains, are validated according to Domain Name System Security Extensions (DNSSEC).",
      "scf_question": "Does the organization ensure that domain name lookups, whether for internal or external domains, are validated according to Domain Name System Security Extensions (DNSSEC)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to ensure that domain name lookups, whether for internal or external domains, are validated according to Domain Name System Security Extensions (DNSSEC).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Enable DNSSEC validation on the recursive resolver used by endpoints (e.g., Windows DNS Server, BIND, Unbound)",
        "small": "∙ Validating recursive resolvers for all internal and Internet lookups\n∙ Block or alert on lookups that fail DNSSEC validation",
        "medium": "∙ Validating resolvers with monitoring of SERVFAIL/validation failures\n∙ DNS security service whose resolvers perform DNSSEC validation (e.g., Cisco Umbrella)",
        "large": "∙ Enterprise DNS platform with DNSSEC validation enforced on all resolvers\n∙ DNSSEC signing of internally-authoritative zones\n∙ Domain reputation filtering as a complementary control",
        "enterprise": "∙ Enterprise DNS security platform with DNSSEC validation and signed internal zones\n∙ Automated key rollover and validation-failure alerting\n∙ Real-time domain reputation and browser isolation (e.g., Menlo Security) as complementary controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.DO.DNVAC"
        ]
      }
    },
    {
      "control_id": "NET-18.6",
      "title": "Internet Address Denylisting",
      "family": "NET",
      "description": "Mechanisms exist to implement Internet address denylisting protections that block traffic received from or destined to a denylisted Internet address.",
      "scf_question": "Does the organization implement Internet address denylisting protections that block traffic received from or destined to a denylisted Internet address?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement Internet address denylisting protections that block traffic received from or destined to a denylisted Internet address.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Block known malicious IP addresses on firewall",
        "small": "∙ Threat intelligence-based IP denylisting on firewall",
        "medium": "∙ Automated threat intelligence feed integration for IP denylisting",
        "large": "∙ Enterprise threat intelligence platform with automated IP denylisting\n∙ SIEM integration",
        "enterprise": "∙ Enterprise TIP with automated denylisting (e.g., Anomali, Recorded Future)\n∙ SOAR integration for automated blocking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.NE.IADEN"
        ]
      }
    },
    {
      "control_id": "NET-18.7",
      "title": "Bandwidth Control",
      "family": "NET",
      "description": "Mechanisms exist to implement bandwidth control technologies to limit the amount of bandwidth used by categories of domains that are bandwidth-intensive.",
      "scf_question": "Does the organization implement bandwidth control technologies to limit the amount of bandwidth used by categories of domains that are bandwidth-intensive?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement bandwidth control technologies to limit the amount of bandwidth used by categories of domains that are bandwidth-intensive.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Bandwidth management policy for critical services",
        "large": "∙ Enterprise bandwidth management/QoS solution\n∙ Critical service prioritization",
        "enterprise": "∙ Enterprise bandwidth management platform (e.g., Palo Alto QoS, Cisco NBAR)\n∙ Traffic shaping for critical services"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.WE.BCONT"
        ]
      }
    },
    {
      "control_id": "NET-18.8",
      "title": "Authenticated Proxy",
      "family": "NET",
      "description": "Mechanisms exist to force systems and processes to authenticate Internet-bound traffic with a proxy to enable user, group and/or location-aware security controls.",
      "scf_question": "Does the organization force systems and processes to authenticate Internet-bound traffic with a proxy to enable user, group and/or location-aware security controls?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to force systems and processes to authenticate Internet-bound traffic with a proxy to enable user, group and/or location-aware security controls.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Authenticated proxy for sensitive network access",
        "large": "∙ Enterprise authenticated proxy with user-level access controls",
        "enterprise": "∙ Enterprise authenticated proxy platform (e.g., Zscaler, Bluecoat)\n∙ User-level policy enforcement\n∙ SSO integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.WE.APROX"
        ]
      }
    },
    {
      "control_id": "NET-18.9",
      "title": "Certificate Denylisting",
      "family": "NET",
      "description": "Mechanisms exist to prevent communication with Technology Assets, Applications and/or Services (TAAS) that use a set of known bad certificates.",
      "scf_question": "Does the organization prevent communication with Technology Assets, Applications and/or Services (TAAS) that use a set of known bad certificates?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to prevent communication with Technology Assets, Applications and/or Services (TAAS) that use a set of known bad certificates.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Check SSL certificate validity before trusting websites",
        "small": "∙ Certificate revocation checking policy\n∙ Browser settings for certificate validation",
        "medium": "∙ Certificate denylisting enforcement at proxy/gateway\n∙ CRL/OCSP validation",
        "large": "∙ Enterprise certificate revocation management\n∙ CRL/OCSP enforcement at gateway",
        "enterprise": "∙ Enterprise certificate management platform (e.g., Venafi, DigiCert CertCentral)\n∙ Automated revocation checking\n∙ OCSP stapling enforcement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.WE.CDENY"
        ]
      }
    },
    {
      "control_id": "NET-19",
      "title": "Content Disarm and Reconstruction (CDR)",
      "family": "NET",
      "description": "Automated Content Disarm and Reconstruction (CDR) mechanisms exist to detect the presence of unapproved active content and facilitate its removal, resulting in content with only known safe elements.",
      "scf_question": "Does the organization use automated Content Disarm and Reconstruction (CDR) mechanisms to detect the presence of unapproved active content and facilitate its removal, resulting in content with only known safe elements?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational Content Disarm and Reconstruction (CDR) capability detects the presence of unapproved active content and facilitates its removal, resulting in content with only known safe elements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use email gateway with attachment sandboxing",
        "small": "∙ Email and web gateway with CDR capability (e.g., Proofpoint, Mimecast)",
        "medium": "∙ Content disarm and reconstruction (CDR) solution for email and web",
        "large": "∙ Enterprise CDR solution (e.g., OPSWAT MetaDefender, Deep Secure)\n∙ Integration with email and web gateways",
        "enterprise": "∙ Enterprise CDR platform (e.g., OPSWAT MetaDefender, Deep Secure)\n∙ Multi-engine scanning\n∙ Sanitization for all inbound content"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.FI.CDREC"
        ]
      }
    },
    {
      "control_id": "NET-20",
      "title": "Email Content Protections",
      "family": "NET",
      "description": "Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
      "scf_question": "Does the organization implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use email service with built-in spam/phishing filtering",
        "small": "∙ Email security solution (e.g., Microsoft Defender for Office 365, Google Workspace)\n∙ Anti-spam and anti-phishing",
        "medium": "∙ Formal email security program\n∙ Anti-spam, anti-phishing, anti-malware email filtering",
        "large": "∙ Enterprise email security platform (e.g., Proofpoint, Mimecast)\n∙ Advanced threat protection",
        "enterprise": "∙ Enterprise email security platform (e.g., Proofpoint TAP, Mimecast)\n∙ Advanced threat protection\n∙ URL rewriting\n∙ Sandboxing\n∙ DLP"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.MFPRO"
        ]
      }
    },
    {
      "control_id": "NET-20.1",
      "title": "Email Domain Reputation Protections",
      "family": "NET",
      "description": "Mechanisms exist to monitor the organization's email domain’s reputation and protect the email domain’s reputation.",
      "scf_question": "Does the organization monitor its email domain’s reputation and protect the email domain’s reputation?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to monitor the organization's email domain’s reputation and protect the email domain’s reputation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configure SPF record for email domain",
        "small": "∙ SPF, DKIM, DMARC configuration for email domain",
        "medium": "∙ Email domain reputation controls: SPF, DKIM, DMARC\n∙ Reputation monitoring",
        "large": "∙ Enterprise email authentication (SPF, DKIM, DMARC)\n∙ Domain reputation monitoring",
        "enterprise": "∙ Enterprise email authentication program\n∙ SPF, DKIM, DMARC enforcement\n∙ Automated reputation monitoring\n∙ BIMI implementation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.EDRPR"
        ]
      }
    },
    {
      "control_id": "NET-20.2",
      "title": "Sender Denylisting",
      "family": "NET",
      "description": "Mechanisms exist to implement sender denylisting protections that prevent the reception of email from denylisted senders, domains and/or email servers.",
      "scf_question": "Does the organization implement sender denylisting protections that prevent the reception of email from denylisted senders, domains and/or email servers?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement sender denylisting protections that prevent the reception of email from denylisted senders, domains and/or email servers.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use email provider's built-in sender blocking/spam filtering",
        "small": "∙ Email gateway sender denylisting\n∙ Spam filter configuration",
        "medium": "∙ Email security gateway with sender reputation-based denylisting",
        "large": "∙ Enterprise email security with automated sender denylisting\n∙ Threat intelligence integration",
        "enterprise": "∙ Enterprise email security platform (e.g., Proofpoint, Mimecast)\n∙ Automated sender denylisting with threat intelligence feeds"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.SDENY"
        ]
      }
    },
    {
      "control_id": "NET-20.3",
      "title": "Authenticated Received Chain (ARC)",
      "family": "NET",
      "description": "Mechanisms exist to utilize an authenticated received chain that allows for an intermediary to sign its own authentication of the original email, allowing downstream entities to accept the intermediary’s authentication even if the email was changed.",
      "scf_question": "Does the organization utilize an authenticated received chain that allows for an intermediary to sign its own authentication of the original email, allowing downstream entities to accept the intermediary’s authentication even if the email was changed?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to utilize an authenticated received chain that allows for an intermediary to sign its own authentication of the original email, allowing downstream entities to accept the intermediary’s authentication even if the email was changed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Implement ARC for email forwarding authentication chains",
        "large": "∙ Enterprise email platform with ARC support (e.g., Microsoft Exchange Online)",
        "enterprise": "∙ Enterprise email platform with full ARC implementation\n∙ Monitoring of ARC chain failures"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.ARCHA"
        ]
      }
    },
    {
      "control_id": "NET-20.4",
      "title": "Domain-Based Message Authentication Reporting and Conformance (DMARC)",
      "family": "NET",
      "description": "Mechanisms exist to implement domain signature verification protections that authenticate incoming email according to the Domain-based Message Authentication Reporting and Conformance (DMARC).",
      "scf_question": "Does the organization implement domain signature verification protections that authenticate incoming email according to the Domain-based Message Authentication Reporting and Conformance (DMARC)?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to implement domain signature verification protections that authenticate incoming email according to the Domain-based Message Authentication Reporting and Conformance (DMARC).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Configure DMARC record for email domain (p=none to start)",
        "small": "∙ DMARC policy implementation (p=quarantine or p=reject)\n∙ DMARC report monitoring",
        "medium": "∙ DMARC enforcement (p=reject)\n∙ DMARC aggregate report monitoring",
        "large": "∙ Enterprise DMARC enforcement\n∙ DMARC analytics platform (e.g., Dmarcian, Agari)\n∙ Automated alerting",
        "enterprise": "∙ Enterprise DMARC program\n∙ p=reject policy\n∙ DMARC analytics (e.g., Dmarcian, Valimail)\n∙ Full domain protection\n∙ BIMI implementation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "9.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "9.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "9.5"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.DSVIE"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2315"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2315"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2315"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2315"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1540"
        ]
      }
    },
    {
      "control_id": "NET-20.5",
      "title": "User Digital Signatures for Outgoing Email",
      "family": "NET",
      "description": "Mechanisms exist to enable users to digitally sign their emails, allowing external parties to authenticate the email’s sender and its contents according to the Domain-based Message Authentication Reporting and Conformance (DMARC) email authentication protocol.",
      "scf_question": "Does the organization enable users to digitally sign their emails, allowing external parties to authenticate the email’s sender and its contents according to the Domain-based Message Authentication Reporting and Conformance (DMARC) email authentication protocol?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to enable users to digitally sign their emails, allowing external parties to authenticate the email’s sender and its contents according to the Domain-based Message Authentication Reporting and Conformance (DMARC) email authentication protocol.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ S/MIME or PGP digital signatures for sensitive email",
        "large": "∙ Enterprise S/MIME email signing for official communications",
        "enterprise": "∙ Enterprise email digital signature program\n∙ S/MIME certificate management\n∙ Automated signing integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.DSOEM",
          "3.PEP.EM.UDSOE"
        ]
      }
    },
    {
      "control_id": "NET-20.6",
      "title": "Encryption for Outgoing Email",
      "family": "NET",
      "description": "Mechanisms exist to enable the encryption of outgoing emails using organization-approved cryptographic means.",
      "scf_question": "Does the organization enable the encryption of outgoing emails using organization-approved cryptographic means?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to enable the encryption of outgoing emails using organization-approved cryptographic means.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use encrypted email (e.g., ProtonMail) for sensitive communications",
        "small": "∙ Email encryption for sensitive outgoing communications (e.g., TLS, S/MIME)",
        "medium": "∙ Outgoing email encryption policy\n∙ TLS + S/MIME for sensitive emails",
        "large": "∙ Enterprise outgoing email encryption\n∙ S/MIME or PGP for sensitive communications\n∙ Policy-based encryption",
        "enterprise": "∙ Enterprise email encryption platform (e.g., Proofpoint Email Encryption, Zix)\n∙ Automated policy-based encryption\n∙ End-to-end encryption for sensitive messages"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.EOEMA"
        ]
      }
    },
    {
      "control_id": "NET-20.7",
      "title": "Adaptive Email Protections",
      "family": "NET",
      "description": "Mechanisms exist to utilize adaptive email protections that involve employing risk-based analysis in the application and enforcement of email protections.",
      "scf_question": "Does the organization utilize adaptive email protections that involve employing risk-based analysis in the application and enforcement of email protections?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to utilize adaptive email protections that involve employing risk-based analysis in the application and enforcement of email protections.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use email service with adaptive threat protection",
        "small": "∙ Email security platform with adaptive threat protection",
        "medium": "∙ Adaptive email threat protection (e.g., Proofpoint, Mimecast Advanced)\n∙ AI-based threat detection",
        "large": "∙ Enterprise adaptive email protection platform\n∙ ML-based phishing detection\n∙ Real-time URL analysis",
        "enterprise": "∙ Enterprise adaptive email security (e.g., Proofpoint TAP, Microsoft Defender)\n∙ ML-based zero-day phishing detection\n∙ Automated threat response"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.AEPRO"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2509"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2509"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2509"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2509"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0567"
        ]
      }
    },
    {
      "control_id": "NET-20.8",
      "title": "Email Labeling",
      "family": "NET",
      "description": "Automated mechanisms exist to implement email labeling that apply organization-defined tags to incoming or outgoing email.",
      "scf_question": "Does the organization use automated mechanisms to implement email labeling that apply organization-defined tags to incoming or outgoing email?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to automatically implement email labeling that apply organization-defined tags to incoming or outgoing email.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Add external email label/banner to emails from outside the organization",
        "small": "∙ [EXTERNAL] label policy for inbound emails from outside the organization",
        "medium": "∙ Formal email labeling policy for external messages\n∙ Automated external email banners",
        "large": "∙ Enterprise email gateway configured to label external/high-risk emails",
        "enterprise": "∙ Enterprise email security platform with automated labeling\n∙ User awareness integration\n∙ Risk-based labeling policies"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.ELABE"
        ]
      }
    },
    {
      "control_id": "NET-20.9",
      "title": "User Threat Reporting",
      "family": "NET",
      "description": "Mechanisms exist to incorporate submissions from users of phishing attempts, spam or otherwise malicious actions to better protect the organization.",
      "scf_question": "Does the organization incorporate submissions from users of phishing attempts, spam or otherwise malicious actions to better protect the organization?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Network Security (NET) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with NET domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Network security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Network Security (NET) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Network security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Network security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT personnel define secure networking practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.",
        "3": "Network Security (NET) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with NET domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with NET domain capabilities are well-documented and kept current by process owners.\n▪ A network security management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of network security operations (e.g., network management solution, log aggregator, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with NET domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the principles of least privileges and least functionality for boundary protection technologies.\n▪ An implemented and operational capability exists to incorporate submissions from users of phishing attempts, spam or otherwise malicious actions to better protect the organization.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Provide staff with a way to report phishing emails",
        "small": "∙ Phishing report button (e.g., Outlook add-in)\n∙ User reporting procedure",
        "medium": "∙ User threat reporting capability (e.g., Proofpoint PhishAlarm, KnowBe4 PAB)\n∙ SOC triage process",
        "large": "∙ Enterprise phishing reporting platform with automated triage\n∙ SOC review workflow",
        "enterprise": "∙ Enterprise user threat reporting (e.g., Cofense, Proofpoint)\n∙ Automated triage and response\n∙ SOAR integration\n∙ Feedback loop to users"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Network Security",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EM.UTIPP"
        ]
      }
    },
    {
      "control_id": "PES-01",
      "title": "Physical & Environmental Protections",
      "family": "PES",
      "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
      "scf_question": "Does the organization facilitate the operation of physical and environmental protection controls?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-01",
        "E-PES-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ The Human Resources (HR) department maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.\n▪ Physical security controls and technologies ensure that only authorized personnel are allowed access to secure areas.\n▪ A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the operation of physical and environmental protection controls.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical security policy\n∙ Door locks and key management",
        "small": "∙ Physical security policy\n∙ Access log\n∙ Visitor sign-in procedure",
        "medium": "∙ Formal physical security program\n∙ Card-based access control\n∙ CCTV",
        "large": "∙ Enterprise physical security program\n∙ Multi-zone card access\n∙ CCTV monitoring\n∙ Security guard coverage",
        "enterprise": "∙ Enterprise physical security platform (e.g., Lenel, Genetec)\n∙ Integrated access control/CCTV\n∙ 24/7 security operations\n∙ Environmental monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.1-POF2",
          "S7.1-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.2-POF1",
          "A1.2-POF2",
          "A1.2-POF3",
          "A1.2-POF4",
          "A1.2-POF5",
          "A1.2-POF6",
          "A1.2-POF7",
          "A1.2-POF9",
          "CC6.4",
          "CC6.4-POF1",
          "CC6.4-POF2"
        ],
        "general-cobit-2019": [
          "DSS01.04",
          "DSS01.05",
          "DSS05.05"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-01"
        ],
        "general-csa-iot-2": [
          "PHY-01"
        ],
        "general-govramp": [
          "PE-01"
        ],
        "general-govramp-low": [
          "PE-01"
        ],
        "general-govramp-low-plus": [
          "PE-01"
        ],
        "general-govramp-mod": [
          "PE-01"
        ],
        "general-govramp-high": [
          "PE-01"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 3.1"
        ],
        "general-iso-27002-2022": [
          "5.14",
          "5.15",
          "5.18",
          "7.1",
          "7.5"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "11.1.4",
          "13.2.1"
        ],
        "general-iso-27018-2025": [
          "5.14",
          "5.15",
          "5.18",
          "7.1",
          "7.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-2.1",
          "PS-1.5"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(b)",
          "4.D(2)(c)",
          "4.D(2)(j)"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P4",
          "PR.AC-P2"
        ],
        "general-nist-800-53-r4": [
          "PE-1"
        ],
        "general-nist-800-53-r5-2": [
          "PE-01",
          "PE-23"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-01",
          "PE-23"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-01"
        ],
        "general-nist-800-66-r2": [
          "164.310(a)"
        ],
        "general-nist-800-82-r3": [
          "PE-01",
          "PE-23"
        ],
        "general-nist-800-82-r3-low": [
          "PE-01"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-01"
        ],
        "general-nist-800-82-r3-high": [
          "PE-01"
        ],
        "general-nist-800-161-r1": [
          "PE-1",
          "PE-23"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PE-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PE-23"
        ],
        "general-nist-800-161-r1-level-1": [
          "PE-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-1",
          "PE-23"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-1",
          "PE-23"
        ],
        "general-nist-800-171-r2": [
          "3.10.2",
          "NFO - PE-1"
        ],
        "general-nist-800-171-r3": [
          "03.08.01",
          "03.08.02",
          "03.10.01.a",
          "03.10.07.a"
        ],
        "general-nist-800-171a": [
          "3.10.2[a]",
          "3.10.2[b]",
          "3.10.2[c]",
          "3.10.2[d]"
        ],
        "general-nist-csf-2-0": [
          "ID.AM",
          "PR.AA",
          "PR.AA-06",
          "PR.IR-02",
          "DE.CM-02"
        ],
        "general-pci-dss-4-0-1": [
          "9.1",
          "9.1.1",
          "9.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.1.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.1.1"
        ],
        "general-scf-dpmp-2025": [
          "7.3"
        ],
        "general-sparta": [
          "CM0053"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "general-tisax-6-0-3": [
          "8.1.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EC:SG4",
          "EC:SG4.SP2",
          "EC:GG1.GP1",
          "EC:GG2",
          "EC:GG2.GP2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-3a",
          "ACCESS-3d",
          "ARCHITECTURE-3a",
          "ARCHITECTURE-3j"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-01",
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-01",
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-01",
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-01",
          "PE-23"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(a)(1)",
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(a)(1)",
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iv)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.2",
          "PE-1",
          "PE-1(IRS-Defined)-1",
          "PE-1(IRS-Defined)-2",
          "PE-1(IRS-Defined)-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.3",
          "CIP-003-8 1.2.2"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(D)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(j)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(C)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PE-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-01"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.3(33)"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.1.1",
          "13.1.3",
          "13.2.1",
          "13.2.2(a)",
          "13.2.3",
          "13.3.2(a)",
          "13.3.3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-c5-2020": [
          "PS-01"
        ],
        "emea-isr-cmo-1-0": [
          "9.15",
          "12.27",
          "18.1",
          "18.2",
          "18.10"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-1",
          "2-3-2",
          "2-3-4",
          "2-14-1",
          "2-14-2",
          "2-14-3",
          "2-14-4"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13",
          "2-13-1",
          "2-13-1-8",
          "2-13-1-9",
          "2-13-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-46"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.2"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 18"
        ],
        "emea-esp-decree-311-2022": [
          "18"
        ],
        "emea-uae-niaf-2023": [
          "3.2.2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1500"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0810"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S10",
          "PR.IP.S9"
        ],
        "apac-jpn-ismap": [
          "5.1.1.11",
          "11",
          "11.1",
          "11.1.4",
          "11.1.4.1",
          "11.2.1.3"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP47",
          "HML47"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP11",
          "HSUP39"
        ],
        "apac-nzl-ism-3-9": [
          "5.7.4.C.01",
          "8.1.10.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.1",
          "8.5.2",
          "8.5.5",
          "8.5.6(a)",
          "8.5.6(b)",
          "8.5.6(c)",
          "8.5.6(d)",
          "8.5.6(e)",
          "8.5.6(f)"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.10"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.01",
          "03.08.02",
          "03.10.01.A",
          "03.10.07.A"
        ]
      }
    },
    {
      "control_id": "PES-01.1",
      "title": "Physical Security Plan (PSP)",
      "family": "PES",
      "description": "Mechanisms exist to document a Physical Security Plan (PSP), or similar document, to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats.",
      "scf_question": "Does the organization document a Site Security Plan (SitePlan) for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document a Physical Security Plan (PSP), or similar document, to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical security policy\n∙ Door locks and key management",
        "small": "∙ Physical security policy\n∙ Access log\n∙ Visitor procedures",
        "medium": "∙ Documented Site Security Plan (SitePlan)",
        "large": "∙ Documented Site Security Plan (SitePlan)",
        "enterprise": "∙ Documented Site Security Plan (SitePlan)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-tisax-6-0-3": [
          "8.1.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 R1",
          "CIP-006-6 1.1"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.1 [MP.IF.1]"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S9"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP13",
          "HML13"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP11"
        ],
        "apac-nzl-ism-3-9": [
          "8.2.7.C.01"
        ]
      }
    },
    {
      "control_id": "PES-01.2",
      "title": "Zone-Based Physical Security",
      "family": "PES",
      "description": "Mechanisms exist to implement a zone-based approach to physical security.",
      "scf_question": "Does the organization implement a zone-based approach to physical security?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement a zone-based approach to physical security.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical security policy with basic controls documented",
        "small": "∙ Documented physical security procedures\n∙ Review annually",
        "medium": "∙ Formal physical security procedures for all zones\n∙ Training for relevant staff",
        "large": "∙ Enterprise physical security procedures\n∙ Regular drills and exercises",
        "enterprise": "∙ Enterprise physical security program with comprehensive procedures\n∙ Regular exercises and audits\n∙ Third-party security assessments"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-tisax-6-0-3": [
          "3.1.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.2"
        ]
      }
    },
    {
      "control_id": "PES-02",
      "title": "Physical Access Authorizations",
      "family": "PES",
      "description": "Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).",
      "scf_question": "Does the organization maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible)?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-28",
        "E-PES-03",
        "E-PES-05",
        "E-PES-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ The Human Resources (HR) department maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Lock server room/data closet, limit key holders",
        "small": "∙ Physical access controls to IT equipment locations\n∙ Visitor escort policy",
        "medium": "∙ Formal physical access control program\n∙ Card access for sensitive areas\n∙ Visitor management",
        "large": "∙ Enterprise physical access management\n∙ Multi-factor physical access for sensitive zones\n∙ Mantrap / tailgating controls",
        "enterprise": "∙ Enterprise physical access platform (e.g., Lenel S2, Genetec)\n∙ Multi-factor physical auth\n∙ Mantrap\n∙ Anti-tailgating controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF1",
          "S7.2-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.4",
          "CC6.4-POF1",
          "CC6.4-POF2"
        ],
        "general-cobit-2019": [
          "DSS05.05"
        ],
        "general-govramp": [
          "PE-02"
        ],
        "general-govramp-low": [
          "PE-02"
        ],
        "general-govramp-low-plus": [
          "PE-02"
        ],
        "general-govramp-mod": [
          "PE-02"
        ],
        "general-govramp-high": [
          "PE-02"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "5.18",
          "7.1"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "11.1.1"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "5.18",
          "7.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.1",
          "PS-1.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(c)"
        ],
        "general-nist-800-53-r4": [
          "PE-2"
        ],
        "general-nist-800-53-r5-2": [
          "PE-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-02"
        ],
        "general-nist-800-66-r2": [
          "164.310(a)"
        ],
        "general-nist-800-82-r3": [
          "PE-02"
        ],
        "general-nist-800-82-r3-low": [
          "PE-02"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-02"
        ],
        "general-nist-800-82-r3-high": [
          "PE-02"
        ],
        "general-nist-800-161-r1": [
          "PE-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PE-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PE-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-2"
        ],
        "general-nist-800-171-r2": [
          "3.10.1"
        ],
        "general-nist-800-171-r3": [
          "03.08.01",
          "03.08.02",
          "03.10.01.a",
          "03.10.01.b",
          "03.10.01.c",
          "03.10.01.d",
          "03.10.07.a"
        ],
        "general-nist-800-171a": [
          "3.10.1[a]",
          "3.10.1[b]",
          "3.10.1[c]",
          "3.10.1[d]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.05[02]",
          "A.03.10.01.ODP[01]",
          "A.03.10.01.a[01]",
          "A.03.10.01.a[02]",
          "A.03.10.01.a[03]",
          "A.03.10.01.c",
          "A.03.10.01.d",
          "A.03.10.07.a.01"
        ],
        "general-nist-csf-2-0": [
          "PR.AA",
          "PR.AA-06"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.11",
          "9.1",
          "9.2",
          "9.2.1",
          "9.3",
          "9.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.11",
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.11",
          "9.2.1",
          "9.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.11",
          "9.2.1",
          "9.3.1"
        ],
        "general-scf-dpmp-2025": [
          "7.3"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-3b",
          "ACCESS-3d",
          "ACCESS-3f",
          "ACCESS-3g",
          "ACCESS-3i"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.VIII"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "PE.L1-B.1.VIII[a]",
          "PE.L1-B.1.VIII[b]",
          "PE.L1-B.1.VIII[c]",
          "PE.L1-B.1.VIII[d]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(viii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(a)(2)(i)",
          "164.310(a)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(a)(2)(i)",
          "164.310(a)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.3.2",
          "2.B.3.2-1",
          "2.B.3.2-2",
          "2.B.3.2-3",
          "2.B.3.2-4",
          "2.B.3.2-5",
          "PE-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-2",
          "PE-2.a",
          "PE-2.b",
          "PE-2.c",
          "PE-2-IS.1",
          "PE-2-IS.2",
          "PE-3-IS.3"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 4.1.2",
          "CIP-004-7 4.2",
          "CIP-004-7 6.1.2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(D)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PE-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-02"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.3.1"
        ],
        "emea-isr-cmo-1-0": [
          "12.27",
          "18.3"
        ],
        "emea-sau-ecc-1-2018": [
          "2-14-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-86"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.1 [MP.IF.1]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1500"
        ],
        "apac-jpn-ismap": [
          "11.1.2.3",
          "11.1.2.12"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP04",
          "HML04"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP04"
        ],
        "apac-nzl-ism-3-9": [
          "8.1.11.C.01",
          "8.1.11.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.6(a)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.01",
          "03.08.02",
          "03.10.01.A",
          "03.10.01.B",
          "03.10.01.C",
          "03.10.01.D",
          "03.10.07.A"
        ]
      }
    },
    {
      "control_id": "PES-02.1",
      "title": "Role-Based Physical Access",
      "family": "PES",
      "description": "Physical access control mechanisms exist to authorize physical access to facilities based on the position or role of the individual.",
      "scf_question": "Does the organization authorize physical access to facilities based on the position or role of the individual?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-03",
        "E-PES-05",
        "E-PES-10"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ The Human Resources (HR) department maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to authorize physical access to facilities based on the position or role of the individual.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Visitor sign-in log and escort policy",
        "small": "∙ Visitor management policy\n∙ Escort requirement for all visitors in sensitive areas",
        "medium": "∙ Formal visitor management program\n∙ Visitor registration, badging, and escort",
        "large": "∙ Enterprise visitor management system (e.g., Envoy, Proxyclick)\n∙ Escort enforcement\n∙ Badge issuance",
        "enterprise": "∙ Enterprise visitor management platform (e.g., Lenel/Envoy integration)\n∙ Automated visitor pre-registration\n∙ Background check integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2",
          "S7.2-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.4",
          "CC6.4-POF1",
          "CC6.4-POF2"
        ],
        "general-cobit-2019": [
          "DSS05.05"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "5.18"
        ],
        "general-iso-27017-2015": [
          "9.1.1"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "5.18"
        ],
        "general-nist-800-53-r4": [
          "PE-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-02(01)"
        ],
        "general-nist-800-66-r2": [
          "164.310(a)"
        ],
        "general-nist-800-82-r3": [
          "PE-02(01)"
        ],
        "general-nist-800-161-r1": [
          "PE-2(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-2(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-2(1)"
        ],
        "general-nist-800-171-r2": [
          "3.10.1"
        ],
        "general-nist-800-171-r3": [
          "03.08.01",
          "03.08.02",
          "03.10.01.b",
          "03.10.01.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.05[01]",
          "A.03.10.01.ODP[01]",
          "A.03.10.01.b"
        ],
        "general-nist-csf-2-0": [
          "PR.AA-06"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.11",
          "9.1",
          "9.2",
          "9.2.1",
          "9.3",
          "9.3.1",
          "9.3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.11",
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.11",
          "9.2.1",
          "9.3.1",
          "9.3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.11",
          "9.2.1",
          "9.3.1",
          "9.3.1.1"
        ],
        "general-scf-dpmp-2025": [
          "7.3"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-3e",
          "ACCESS-3f"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.VIII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(viii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(a)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(a)(2)(i)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-2(1)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(D)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.3(34)"
        ],
        "emea-isr-cmo-1-0": [
          "12.27",
          "18.4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-86"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.1 [MP.IF.1]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1502",
          "2422"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1502",
          "2422"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1502",
          "2422"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1502",
          "2422"
        ],
        "apac-chn-data-security-law-2021": [
          "27"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP04"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.01",
          "03.08.02",
          "03.10.01.B",
          "03.10.01.D"
        ]
      }
    },
    {
      "control_id": "PES-02.2",
      "title": "Dual Authorization for Physical Access",
      "family": "PES",
      "description": "Mechanisms exist to enforce a \"two-person rule\" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.).",
      "scf_question": "Does the organization enforce a \"two-person rule\" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.)?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enforce a \"two-person rule\" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Require visitors to sign out when leaving",
        "small": "∙ Visitor sign-out procedure\n∙ Retrieve visitor badge upon departure",
        "medium": "∙ Formal visitor checkout procedure\n∙ Badge return verification",
        "large": "∙ Enterprise visitor management with automated checkout tracking",
        "enterprise": "∙ Enterprise visitor management platform with automated checkout workflows and real-time occupancy tracking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-3f"
        ],
        "apac-nzl-ism-3-9": [
          "8.2.8.C.01"
        ]
      }
    },
    {
      "control_id": "PES-03",
      "title": "Physical Access Control",
      "family": "PES",
      "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
      "scf_question": "Does the organization enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-05",
        "E-PES-06",
        "E-PES-07",
        "E-PES-08",
        "E-PES-09"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Physical security controls and technologies ensure that only authorized personnel are allowed access to secure areas.\n▪ A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.\n▪ Physical security controls and technologies are configured to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical security policy\n∙ Door locks and key management",
        "small": "∙ Physical security policy\n∙ Access log\n∙ Visitor procedures",
        "medium": "∙ Staffed lobby (receptionist)\n∙ Physical security guards\n∙ Verify individual access authorizations before granting access to the facility.\n∙ Control entry to the facility containing the system using physical access devices and/or guards.\n∙ Control access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.\n∙ Secure keys, combinations and other physical access devices.",
        "large": "∙ Staffed lobby (receptionist)\n∙ Physical security guards\n∙ Verify individual access authorizations before granting access to the facility.\n∙ Control entry to the facility containing the system using physical access devices and/or guards.\n∙ Control access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.\n∙ Secure keys, combinations and other physical access devices.",
        "enterprise": "∙ Staffed lobby (receptionist)\n∙ Physical security guards\n∙ Verify individual access authorizations before granting access to the facility.\n∙ Control entry to the facility containing the system using physical access devices and/or guards.\n∙ Control access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.\n∙ Secure keys, combinations and other physical access devices."
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2",
          "S7.2-POF4",
          "S7.2-POF5"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.4",
          "CC6.4-POF1",
          "CC6.4-POF2"
        ],
        "general-cobit-2019": [
          "DSS05.05"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-08"
        ],
        "general-csa-iot-2": [
          "PHY-01"
        ],
        "general-govramp": [
          "PE-03"
        ],
        "general-govramp-low": [
          "PE-03"
        ],
        "general-govramp-low-plus": [
          "PE-03"
        ],
        "general-govramp-mod": [
          "PE-03"
        ],
        "general-govramp-high": [
          "PE-03"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "5.18",
          "7.1",
          "7.4"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "11.1.1"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "5.18",
          "7.1",
          "7.4"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-1.0",
          "PS-1.0",
          "PS-1.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P2"
        ],
        "general-nist-800-53-r4": [
          "PE-3",
          "PE-3(2)",
          "PE-3(3)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-03",
          "PE-03(02)",
          "PE-03(03)"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-03"
        ],
        "general-nist-800-66-r2": [
          "164.310(a)",
          "164.310(c)"
        ],
        "general-nist-800-82-r3": [
          "PE-03",
          "PE-03(02)",
          "PE-03(03)"
        ],
        "general-nist-800-82-r3-low": [
          "PE-03"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-03"
        ],
        "general-nist-800-82-r3-high": [
          "PE-03"
        ],
        "general-nist-800-161-r1": [
          "PE-3",
          "PE-3(2)"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PE-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-3",
          "PE-3(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-3",
          "PE-3(2)"
        ],
        "general-nist-800-171-r2": [
          "3.10.3",
          "3.10.5"
        ],
        "general-nist-800-171-r3": [
          "03.10.02.a",
          "03.10.07.a",
          "03.10.07.a.01",
          "03.10.07.a.02",
          "03.10.07.d"
        ],
        "general-nist-800-171a": [
          "3.10.5[a]",
          "3.10.5[b]",
          "3.10.5[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.04.05[03]",
          "A.03.10.07.a.02",
          "A.03.10.07.d"
        ],
        "general-nist-800-172": [
          "3.1.2e"
        ],
        "general-nist-csf-2-0": [
          "PR.AA",
          "PR.AA-06",
          "DE.CM-02"
        ],
        "general-pci-dss-4-0-1": [
          "9.1",
          "9.1.2",
          "9.2",
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.1.2",
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.1.2",
          "9.2.1"
        ],
        "general-scf-dpmp-2025": [
          "7.3"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "general-tisax-6-0-3": [
          "8.1.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-3a",
          "ACCESS-3d",
          "ACCESS-3e",
          "ACCESS-3f",
          "ACCESS-3g",
          "ACCESS-3j"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.IX"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "PE.L1-B.1.IX[a]",
          "PE.L1-B.1.IX[d]",
          "PE.L1-B.1.IX[e]",
          "PE.L1-B.1.IX[f]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.3",
          "PEL2.-3.10.5"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AC.L3-3.1.2E"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(ix)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-03"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iii)",
          "164.310(c)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iii)",
          "164.310(c)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.3.4",
          "PE-3",
          "PE-3(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-3",
          "PE-3.a",
          "PE-3.b",
          "PE-3.c",
          "PE-3.d",
          "PE-3.e",
          "PE-3.f",
          "PE-3.g",
          "PE-3.h",
          "PE-3.i",
          "PE-3-IS.1",
          "PE-3-IS.4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.1",
          "CIP-006-6 1.3",
          "CIP-006-6 1.5",
          "CIP-006-6 1.10"
        ],
        "usa-federal-nispom-2020": [
          "§117.15(e)(4)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(D)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(g)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PE-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-03"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(7)"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.1.2(c)",
          "13.3.1",
          "13.3.2(b)"
        ],
        "emea-deu-c5-2020": [
          "PS-03",
          "PS-04"
        ],
        "emea-isr-cmo-1-0": [
          "9.15",
          "12.27",
          "18.4"
        ],
        "emea-sau-ecc-1-2018": [
          "2-14-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-47",
          "TPC-82",
          "TPC-86"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.1 [MP.IF.1]"
        ],
        "emea-uae-niaf-2023": [
          "3.2.2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1500"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1296"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S10"
        ],
        "apac-jpn-ismap": [
          "11.1.1",
          "11.1.1.1",
          "11.1.1.2",
          "11.1.1.3",
          "11.1.1.4",
          "11.1.1.5",
          "11.1.1.6",
          "11.1.1.7",
          "11.1.2",
          "11.1.2.1",
          "11.1.2.2",
          "11.1.2.5",
          "11.1.2.10"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP48",
          "HML48"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP40"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.6(c)",
          "5.5.6(f)"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.10"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.02.A",
          "03.10.07.A",
          "03.10.07.A.01",
          "03.10.07.A.02",
          "03.10.07.D"
        ]
      }
    },
    {
      "control_id": "PES-03.1",
      "title": "Controlled Ingress & Egress Points",
      "family": "PES",
      "description": "Physical access control mechanisms exist to limit and monitor physical access through controlled ingress and egress points.",
      "scf_question": "Does the organization limit and monitor physical access through controlled ingress and egress points?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-12"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Physical security controls and technologies ensure that only authorized personnel are allowed access to secure areas.\n▪ Physical security controls and technologies are configured to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).\n▪ Where applicable, physical security controls and technologies are configured to generate a log entry for each access attempt through controlled ingress and egress points.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to limit and monitor physical access through controlled ingress and egress points.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical security policy\n∙ Door locks and key management",
        "small": "∙ Physical security policy\n∙ Access log\n∙ Visitor procedures",
        "medium": "∙ Control entry to the facility containing the system using physical access devices and/or guards.\n∙ Control access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.",
        "large": "∙ Control entry to the facility containing the system using physical access devices and/or guards.\n∙ Control access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.",
        "enterprise": "∙ Control entry to the facility containing the system using physical access devices and/or guards.\n∙ Control access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk."
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS05.05"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-08"
        ],
        "general-iso-27002-2022": [
          "7.1",
          "7.2"
        ],
        "general-iso-27018-2025": [
          "7.1",
          "7.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-1.0",
          "PS-1.0",
          "PS-1.2"
        ],
        "general-nist-800-171-r3": [
          "03.10.02.a",
          "03.10.07.a",
          "03.10.07.a.02"
        ],
        "general-pci-dss-4-0-1": [
          "9.2",
          "9.2.1",
          "9.3",
          "9.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.2.1",
          "9.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.2.1",
          "9.3.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.5"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.3.2(b)"
        ],
        "emea-deu-c5-2020": [
          "PS-03"
        ],
        "emea-isr-cmo-1-0": [
          "12.27",
          "18.6",
          "18.8"
        ],
        "emea-sau-ecc-1-2018": [
          "2-14-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-82"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.5.6(f)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.02.A",
          "03.10.07.A",
          "03.10.07.A.02"
        ]
      }
    },
    {
      "control_id": "PES-03.2",
      "title": "Lockable Physical Casings",
      "family": "PES",
      "description": "Physical access control mechanisms exist to protect system components from unauthorized physical access (e.g., lockable physical casings).",
      "scf_question": "Does the organization protect system components from unauthorized physical access (e.g., lockable physical casings)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to protect system components from unauthorized physical access (e.g., lockable physical casings).",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Keep server room cool and document temperature requirements",
        "small": "∙ Temperature and humidity monitoring for IT equipment rooms",
        "medium": "∙ Environmental monitoring system for temperature and humidity",
        "large": "∙ Enterprise environmental monitoring system (e.g., APC, Schneider Electric)\n∙ Automated alerting",
        "enterprise": "∙ Enterprise DCIM/environmental monitoring platform (e.g., Nlyte, Schneider EcoStruxure)\n∙ Redundant sensors\n∙ Automated HVAC controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF5"
        ],
        "general-nist-800-53-r4": [
          "PE-3(4)",
          "SC-7(14)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-03(04)",
          "SC-07(14)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(14)"
        ],
        "general-nist-800-82-r3": [
          "PE-03(04)",
          "SC-07(14)"
        ],
        "general-nist-800-161-r1": [
          "SC-7(14)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-7(14)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-7(14)"
        ],
        "general-pci-dss-4-0-1": [
          "9.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.2.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(14)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-07(14)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-07(14)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(14)"
        ],
        "emea-isr-cmo-1-0": [
          "18.6",
          "18.11"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-46"
        ],
        "apac-nzl-ism-3-9": [
          "8.2.5.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.6(d)"
        ]
      }
    },
    {
      "control_id": "PES-03.3",
      "title": "Physical Access Logs",
      "family": "PES",
      "description": "Physical access control mechanisms generate a log entry for each access attempt through controlled ingress and egress points.",
      "scf_question": "Does the organization generate a log entry for each access attempt through controlled ingress and egress points?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-02"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Where applicable, physical security controls and technologies are configured to generate a log entry for each access attempt through controlled ingress and egress points.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to generate a log entry for each access attempt through controlled ingress and egress points.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Visitor logbook\n∙ iLobby (https://goilobby.com)\n∙ The Receptionist (https://thereceptionist.com)\n∙ LobbyGuard (http://lobbyguard.com)",
        "small": "∙ Visitor logbook\n∙ iLobby (https://goilobby.com)\n∙ The Receptionist (https://thereceptionist.com)\n∙ LobbyGuard (http://lobbyguard.com)",
        "medium": "∙ Visitor logbook\n∙ iLobby (https://goilobby.com)\n∙ The Receptionist (https://thereceptionist.com)\n∙ LobbyGuard (http://lobbyguard.com)",
        "large": "∙ Staffed lobby (receptionist)\n∙ Visitor logbook",
        "enterprise": "∙ Staffed lobby (receptionist)\n∙ Visitor logbook"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.4-POF4"
        ],
        "general-csa-cmm-4-1-0": [
          "LOG-13"
        ],
        "general-govramp": [
          "PE-08"
        ],
        "general-govramp-low": [
          "PE-08"
        ],
        "general-govramp-low-plus": [
          "PE-08"
        ],
        "general-govramp-mod": [
          "PE-08"
        ],
        "general-govramp-high": [
          "PE-08"
        ],
        "general-iso-27002-2022": [
          "7.2"
        ],
        "general-iso-27017-2015": [
          "11.1.2"
        ],
        "general-iso-27018-2025": [
          "7.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.1",
          "PS-1.2",
          "PS-1.3"
        ],
        "general-nist-800-53-r4": [
          "PE-8"
        ],
        "general-nist-800-53-r5-2": [
          "PE-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-08"
        ],
        "general-nist-800-82-r3": [
          "PE-08"
        ],
        "general-nist-800-82-r3-low": [
          "PE-08"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-08"
        ],
        "general-nist-800-82-r3-high": [
          "PE-08"
        ],
        "general-nist-800-171-r2": [
          "3.10.4",
          "NFO - PE-8"
        ],
        "general-nist-800-171-r3": [
          "03.10.02.a",
          "03.10.07.b"
        ],
        "general-nist-800-171a": [
          "3.10.4"
        ],
        "general-nist-800-171a-r3": [
          "A.03.10.07.b"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-02"
        ],
        "general-pci-dss-4-0-1": [
          "9.2.1",
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.1",
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.2.1",
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.2.1",
          "9.2.1.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-8"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ACCESS-3c"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "PE.L1-B.1.IX[c]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-08"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.3.5",
          "2.B.3.5-1",
          "2.B.3.5-2",
          "2.B.3.5-3",
          "PE-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-8",
          "PE-8.a",
          "PE-8.b"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.4",
          "CIP-006-6 1.8"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-08"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PE-08"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-08"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.3.2(d)"
        ],
        "emea-isr-cmo-1-0": [
          "18.5"
        ],
        "emea-sau-ecc-1-2018": [
          "2-14-3-3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1500"
        ],
        "apac-jpn-ismap": [
          "11.1.2.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.02.A",
          "03.10.07.B"
        ]
      }
    },
    {
      "control_id": "PES-03.4",
      "title": "Access To Critical Systems",
      "family": "PES",
      "description": "Physical access control mechanisms exist to enforce physical access to critical systems or sensitive/regulated data, in addition to the physical access controls for the facility.",
      "scf_question": "Does the organization enforce physical access to critical systems or sensitive/regulated data, in addition to the physical access controls for the facility?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Where applicable, physical security controls and technologies are configured to generate a log entry for each access attempt through controlled ingress and egress points.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to enforce physical access to critical systems or sensitive/regulated data, in addition to the physical access controls for the facility.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Ensure adequate power for IT equipment with UPS backup",
        "small": "∙ UPS for critical IT equipment\n∙ Power protection policy",
        "medium": "∙ UPS and generator backup for critical IT systems\n∙ Power protection plan",
        "large": "∙ Enterprise power protection (UPS + generator)\n∙ Redundant power feeds\n∙ Power monitoring",
        "enterprise": "∙ Enterprise power management (UPS, generators, PDU monitoring)\n∙ N+1 redundancy\n∙ DCIM integration\n∙ Automated failover"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF5"
        ],
        "general-cobit-2019": [
          "DSS05.05"
        ],
        "general-govramp": [
          "PE-03(01)"
        ],
        "general-govramp-high": [
          "PE-03(01)"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P2"
        ],
        "general-nist-800-53-r4": [
          "PE-3(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-03(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "PE-03(01)"
        ],
        "general-nist-800-66-r2": [
          "164.310(b)",
          "164.310(c)"
        ],
        "general-nist-800-82-r3": [
          "PE-03(01)"
        ],
        "general-nist-800-82-r3-high": [
          "PE-03(01)"
        ],
        "general-nist-800-161-r1": [
          "PE-3(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-3(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-3(1)"
        ],
        "general-nist-800-171-r2": [
          "3.10.1"
        ],
        "general-nist-800-171-r3": [
          "03.10.07.a.01",
          "03.10.07.a.02"
        ],
        "general-tisax-6-0-3": [
          "5.3.4"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.VIII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(viii)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-03(01)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(b)",
          "164.310(c)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(b)",
          "164.310(c)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-3-IS.2"
        ],
        "emea-deu-c5-2020": [
          "PS-04"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-46",
          "TPC-49"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1502"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1502"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1502"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1502"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0813",
          "ISM-1053",
          "ISM-1074",
          "ISM-1530"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S10"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP10",
          "HML10"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP09"
        ],
        "apac-nzl-ism-3-9": [
          "8.3.3.C.01",
          "8.3.4.C.01",
          "8.3.4.C.02",
          "8.3.5.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.6(d)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.07.A.01",
          "03.10.07.A.02"
        ]
      }
    },
    {
      "control_id": "PES-04",
      "title": "Physical Security of Offices, Rooms & Facilities",
      "family": "PES",
      "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
      "scf_question": "Does the organization identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Physical security controls and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ \"clean desk\" requirements\n∙ Personnel manager spot checks",
        "small": "∙ \"clean desk\" requirements\n∙ Personnel manager spot checks",
        "medium": "∙ \"clean desk\" requirements\n∙ Personnel manager spot checks",
        "large": "∙ \"clean desk\" requirements\n∙ Personnel manager spot checks",
        "enterprise": "∙ \"clean desk\" requirements\n∙ Personnel manager spot checks"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF5"
        ],
        "general-cobit-2019": [
          "DSS05.05"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-04",
          "DCS-10"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "7.1",
          "7.3",
          "7.5",
          "7.7"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "11.1.1",
          "11.1.3",
          "11.1.4",
          "11.2.9"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "7.1",
          "7.3",
          "7.5",
          "7.7"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.0",
          "PS-1.1",
          "TS-1.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P2"
        ],
        "general-nist-800-66-r2": [
          "164.310(b)",
          "164.310(c)"
        ],
        "general-nist-800-171-r2": [
          "3.10.5"
        ],
        "general-nist-800-171-r3": [
          "03.08.01",
          "03.08.02",
          "03.10.07.a.01",
          "03.10.07.a.02",
          "03.10.07.d"
        ],
        "general-pci-dss-4-0-1": [
          "9.3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.3.1.1"
        ],
        "general-scf-dpmp-2025": [
          "7.3"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "general-tisax-6-0-3": [
          "5.3.4",
          "8.1.5",
          "8.1.8"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.VIII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.5"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(viii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(b)",
          "164.310(c)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(b)",
          "164.310(c)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.3.3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(D)"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.3.2(c)"
        ],
        "emea-deu-c5-2020": [
          "PS-04"
        ],
        "emea-isr-cmo-1-0": [
          "9.15",
          "18.6"
        ],
        "emea-sau-ecc-1-2018": [
          "2-14-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-46"
        ],
        "apac-jpn-ismap": [
          "11.1.2.6",
          "11.1.3",
          "11.1.3.1",
          "11.1.3.2",
          "11.1.3.3",
          "11.1.3.4",
          "11.2.9",
          "11.2.9.1",
          "11.2.9.2",
          "11.2.9.3",
          "11.2.9.4",
          "11.2.9.5",
          "11.2.9.6"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP48",
          "HML48"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP40"
        ],
        "apac-nzl-ism-3-9": [
          "8.2.6.C.01",
          "8.2.6.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.6(e)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.01",
          "03.08.02",
          "03.10.07.A.01",
          "03.10.07.A.02",
          "03.10.07.D"
        ]
      }
    },
    {
      "control_id": "PES-04.1",
      "title": "Working in Secure Areas",
      "family": "PES",
      "description": "Physical security mechanisms exist to allow only authorized personnel access to secure areas.",
      "scf_question": "Does the organization allow only authorized personnel access to secure areas?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to allow only authorized personnel access to secure areas.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Visitor escorts",
        "small": "∙ Visitor escorts",
        "medium": "∙ Visitor escorts",
        "large": "∙ Visitor escorts",
        "enterprise": "∙ Visitor escorts"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DCS-04",
          "DCS-10"
        ],
        "general-iso-27002-2022": [
          "5.15",
          "7.2",
          "7.3",
          "7.6"
        ],
        "general-iso-27017-2015": [
          "9.1.1",
          "11.1.2",
          "11.1.5"
        ],
        "general-iso-27018-2025": [
          "5.15",
          "7.2",
          "7.3",
          "7.6"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.0",
          "PS-1.1",
          "TS-1.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.AC-P2"
        ],
        "general-nist-800-66-r2": [
          "164.310(c)"
        ],
        "general-nist-800-171-r3": [
          "03.08.01",
          "03.08.02",
          "03.10.07.a.01",
          "03.10.07.a.02",
          "03.10.07.d"
        ],
        "general-nist-800-172": [
          "3.13.4e"
        ],
        "general-pci-dss-4-0-1": [
          "9.3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.3.1.1"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SC.L3-3.13.4E"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(c)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(c)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "8-3.a(2)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(D)"
        ],
        "emea-isr-cmo-1-0": [
          "18.6"
        ],
        "emea-sau-ecc-1-2018": [
          "2-14-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-49"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0164"
        ],
        "apac-jpn-ismap": [
          "11.1.2.11",
          "11.1.5",
          "11.1.5.1",
          "11.1.5.2",
          "11.1.5.3",
          "11.1.5.4",
          "11.1.5.5",
          "11.1.5.6"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.6(e)",
          "5.5.6(f)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.08.01",
          "03.08.02",
          "03.10.07.A.01",
          "03.10.07.A.02",
          "03.10.07.D"
        ]
      }
    },
    {
      "control_id": "PES-04.2",
      "title": "Searches",
      "family": "PES",
      "description": "Physical access control mechanisms exist to inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets.",
      "scf_question": "Does the organization inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Ensure server room is in a non-flood-prone area",
        "small": "∙ Physical location risk assessment for IT facilities\n∙ Basic flood prevention",
        "medium": "∙ Formal physical location risk assessment\n∙ Flood, fire, and natural hazard controls",
        "large": "∙ Enterprise facility risk assessment\n∙ Multi-site redundancy for disaster scenarios",
        "enterprise": "∙ Enterprise facility risk management program\n∙ Geographic redundancy\n∙ Natural disaster mitigation controls\n∙ Annual facility risk assessments"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "PS-2.0"
        ],
        "apac-nzl-ism-3-9": [
          "8.1.12.C.01",
          "8.1.13.C.01",
          "8.1.13.C.02"
        ]
      }
    },
    {
      "control_id": "PES-04.3",
      "title": "Temporary Storage",
      "family": "PES",
      "description": "Physical access control mechanisms exist to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards.",
      "scf_question": "Does the organization temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Store physical backups offsite or in fireproof safe",
        "small": "∙ Offsite/fire-resistant storage for physical media and backups",
        "medium": "∙ Formal physical media protection policy\n∙ Climate-controlled, secure offsite storage",
        "large": "∙ Enterprise physical media management program\n∙ Offsite vaulting service (e.g., Iron Mountain)",
        "enterprise": "∙ Enterprise physical media vaulting (e.g., Iron Mountain)\n∙ Media lifecycle management\n∙ Destruction certificates for decommissioned media"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {}
    },
    {
      "control_id": "PES-05",
      "title": "Monitoring Physical Access",
      "family": "PES",
      "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
      "scf_question": "Does the organization monitor for, detect and respond to physical security incidents?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-PES-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Where applicable, physical security controls and technologies are configured to monitor for, detect and respond to physical security incidents.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to monitor for, detect and respond to physical security incidents.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical alarm systems\n∙ Video surveillance systems",
        "small": "∙ Physical alarm systems\n∙ Video surveillance systems",
        "medium": "∙ Physical alarm systems\n∙ Video surveillance systems",
        "large": "∙ Physical alarm systems\n∙ Video surveillance systems\n∙ Physical security guards\n∙ Staffed lobby (receptionist)",
        "enterprise": "∙ Physical alarm systems\n∙ Video surveillance systems\n∙ Physical security guards\n∙ Staffed lobby (receptionist)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.4-POF4"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-10",
          "DCS-11"
        ],
        "general-csa-iot-2": [
          "PHY-01"
        ],
        "general-govramp": [
          "PE-06"
        ],
        "general-govramp-low": [
          "PE-06"
        ],
        "general-govramp-low-plus": [
          "PE-06"
        ],
        "general-govramp-mod": [
          "PE-06"
        ],
        "general-govramp-high": [
          "PE-06"
        ],
        "general-iso-27002-2022": [
          "7.4"
        ],
        "general-iso-27018-2025": [
          "7.4"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.4"
        ],
        "general-nist-800-53-r4": [
          "PE-6"
        ],
        "general-nist-800-53-r5-2": [
          "PE-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-06"
        ],
        "general-nist-800-82-r3": [
          "PE-06"
        ],
        "general-nist-800-82-r3-low": [
          "PE-06"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-06"
        ],
        "general-nist-800-82-r3-high": [
          "PE-06"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PE-06"
        ],
        "general-nist-800-161-r1": [
          "PE-6"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PE-6"
        ],
        "general-nist-800-161-r1-level-1": [
          "PE-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-6"
        ],
        "general-nist-800-171-r2": [
          "3.10.2"
        ],
        "general-nist-800-171-r3": [
          "03.10.02.a",
          "03.10.02.b"
        ],
        "general-nist-800-171a": [
          "3.10.2[c]",
          "3.10.2[d]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.10.02.ODP[01]",
          "A.03.10.02.ODP[02]",
          "A.03.10.02.a[01]",
          "A.03.10.02.a[02]",
          "A.03.10.02.b[01]",
          "A.03.10.02.b[02]"
        ],
        "general-nist-csf-2-0": [
          "DE.CM-02"
        ],
        "general-pci-dss-4-0-1": [
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.2.1.1"
        ],
        "general-scf-dpmp-2025": [
          "7.3"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "general-tisax-6-0-3": [
          "8.1.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-6"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-06"
        ],
        "usa-federal-irs-1075-2021": [
          "PE-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-6",
          "PE-6.a",
          "PE-6.b",
          "PE-6.c",
          "PE-6-IS.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.4",
          "CIP-006-6 1.6",
          "CIP-006-6 1.7"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(D)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(C)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PE-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-06"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.1.2(f)",
          "13.3.2(d)"
        ],
        "emea-isr-cmo-1-0": [
          "18.8",
          "18.10",
          "18.11"
        ],
        "emea-sau-cgiot-2024": [
          "2-13-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-14-3-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1500"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S10"
        ],
        "apac-jpn-ismap": [
          "11.1.2.13"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP66",
          "HML65"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP57"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.5.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.02.A",
          "03.10.02.B"
        ]
      }
    },
    {
      "control_id": "PES-05.1",
      "title": "Intrusion Alarms / Surveillance Equipment",
      "family": "PES",
      "description": "Physical access control mechanisms exist to monitor physical intrusion alarms and surveillance equipment.",
      "scf_question": "Does the organization monitor physical intrusion alarms and surveillance equipment?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Where applicable, physical security controls and technologies are configured to monitor for, detect and respond to physical security incidents.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to monitor physical intrusion alarms and surveillance equipment.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical alarm systems\n∙ Video surveillance systems",
        "small": "∙ Physical alarm systems\n∙ Video surveillance systems",
        "medium": "∙ Physical alarm systems\n∙ Video surveillance systems",
        "large": "∙ Physical alarm systems\n∙ Video surveillance systems",
        "enterprise": "∙ Physical alarm systems\n∙ Video surveillance systems"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DCS-11"
        ],
        "general-csa-iot-2": [
          "PHY-01"
        ],
        "general-govramp": [
          "PE-06(01)"
        ],
        "general-govramp-mod": [
          "PE-06(01)"
        ],
        "general-govramp-high": [
          "PE-06(01)"
        ],
        "general-iso-27002-2022": [
          "7.4"
        ],
        "general-iso-27018-2025": [
          "7.4"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.4",
          "PS-3.0"
        ],
        "general-nist-800-53-r4": [
          "PE-6(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-06(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "PE-06(01)"
        ],
        "general-nist-800-82-r3": [
          "PE-06(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-06(01)"
        ],
        "general-nist-800-82-r3-high": [
          "PE-06(01)"
        ],
        "general-nist-800-171-r2": [
          "3.10.2",
          "NFO - PE-6(1)"
        ],
        "general-nist-800-171-r3": [
          "03.10.02.a",
          "03.10.02.b"
        ],
        "general-nist-800-171a": [
          "3.10.2[c]",
          "3.10.2[d]"
        ],
        "general-pci-dss-4-0-1": [
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.2.1.1"
        ],
        "general-tisax-6-0-3": [
          "8.1.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-6(1)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.2"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-06(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-06(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "PE-6(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-6(1)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.5",
          "CIP-006-6 1.7"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-06 (01)"
        ],
        "emea-isr-cmo-1-0": [
          "18.9",
          "18.11"
        ],
        "emea-sau-cgiot-2024": [
          "2-13-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-14-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1500"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1500"
        ],
        "apac-chn-pipl-2021": [
          "26"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.02.A",
          "03.10.02.B"
        ]
      }
    },
    {
      "control_id": "PES-05.2",
      "title": "Monitoring Physical Access To Critical Systems",
      "family": "PES",
      "description": "Facility security mechanisms exist to monitor physical access to critical systems or sensitive/regulated data, in addition to the physical access monitoring of the facility.",
      "scf_question": "Does the organization monitor physical access to critical systems or sensitive/regulated data, in addition to the physical access monitoring of the facility?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.\n▪ Facility security mechanisms exist to monitor physical access to business-critical Technology Assets, Applications, Services and/or Data (TAASD), in addition to the physical access monitoring of the facility.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Where applicable, physical security controls and technologies are configured to monitor for, detect and respond to physical security incidents.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to monitor physical access to critical systems or sensitive/regulated data, in addition to the physical access monitoring of the facility.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical security policy\n∙ Door locks and key management",
        "small": "∙ Physical security policy\n∙ Access log\n∙ Visitor procedures",
        "medium": "∙ Physical security guards",
        "large": "∙ Physical security guards",
        "enterprise": "∙ Physical security guards"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-csa-iot-2": [
          "PHY-01"
        ],
        "general-govramp": [
          "PE-06(04)"
        ],
        "general-govramp-high": [
          "PE-06(04)"
        ],
        "general-iso-27002-2022": [
          "7.4"
        ],
        "general-iso-27018-2025": [
          "7.4"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.4"
        ],
        "general-nist-800-53-r4": [
          "PE-6(4)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-06(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "PE-06(04)"
        ],
        "general-nist-800-82-r3": [
          "PE-06(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-06(04)"
        ],
        "general-nist-800-82-r3-high": [
          "PE-06(04)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PE-06(04)"
        ],
        "general-nist-800-171-r2": [
          "3.10.2"
        ],
        "general-nist-800-171-r3": [
          "03.10.02.a",
          "03.10.02.b"
        ],
        "general-nist-800-171a": [
          "3.10.2[c]",
          "3.10.2[d]"
        ],
        "general-pci-dss-4-0-1": [
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.2.1.1"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.2"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-06(04)"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.02.A",
          "03.10.02.B"
        ]
      }
    },
    {
      "control_id": "PES-06",
      "title": "Visitor Control",
      "family": "PES",
      "description": "Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).",
      "scf_question": "Does the organization identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-02"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Physical security controls distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.\n▪ Users are trained and encouraged to stop and question anyone attempting to install or remove IT assets from facilities.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Visitor logbook\n∙ iLobby (https://goilobby.com)\n∙ The Receptionist (https://thereceptionist.com)\n∙ LobbyGuard (http://lobbyguard.com)",
        "small": "∙ Visitor logbook\n∙ iLobby (https://goilobby.com)\n∙ The Receptionist (https://thereceptionist.com)\n∙ LobbyGuard (http://lobbyguard.com)",
        "medium": "∙ Visitor logbook\n∙ iLobby (https://goilobby.com)\n∙ The Receptionist (https://thereceptionist.com)\n∙ LobbyGuard (http://lobbyguard.com)",
        "large": "∙ Staffed lobby (receptionist)\n∙ Visitor logbook",
        "enterprise": "∙ Staffed lobby (receptionist)\n∙ Visitor logbook"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-iso-27002-2022": [
          "7.2"
        ],
        "general-iso-27017-2015": [
          "11.1.2"
        ],
        "general-iso-27018-2025": [
          "7.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-1.0",
          "PS-1.1"
        ],
        "general-nist-800-66-r2": [
          "164.310(a)"
        ],
        "general-nist-800-171-r2": [
          "3.10.3"
        ],
        "general-nist-800-171-r3": [
          "03.10.02.b",
          "03.10.07.c"
        ],
        "general-nist-800-171a": [
          "3.10.3[a]",
          "3.10.3[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.10.07.c[01]",
          "A.03.10.07.c[02]"
        ],
        "general-pci-dss-4-0-1": [
          "9.3.2",
          "9.3.3",
          "9.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.3.2",
          "9.3.3",
          "9.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.3.2",
          "9.3.3",
          "9.3.4"
        ],
        "general-scf-dpmp-2025": [
          "7.3"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "general-tisax-6-0-3": [
          "8.1.7"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.IX"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.3"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(ix)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(a)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(a)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.3.1",
          "2.B.3.1-1",
          "2.B.3.1-2",
          "2.B.3.1-3",
          "2.B.3.1-4",
          "2.B.3.1-5",
          "2.B.3.1-6",
          "2.B.3.1-7"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-3-IS.5"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.2",
          "CIP-006-6 1.3",
          "CIP-006-6 R2",
          "CIP-006-6 2.2"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "8-3.a",
          "8-3.a(1)",
          "8-3.a(3)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(3)(D)"
        ],
        "emea-deu-c5-2020": [
          "PS-04"
        ],
        "emea-isr-cmo-1-0": [
          "18.3",
          "18.12"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-47"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.2 [MP.IF.2]",
          "8.1.7 [MP.IF.7]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0164"
        ],
        "apac-jpn-ismap": [
          "11.1.2.4"
        ],
        "apac-nzl-ism-3-9": [
          "9.4.4.C.01",
          "9.4.5.C.01",
          "9.4.5.C.02",
          "9.4.6.C.01",
          "9.4.6.C.02",
          "9.4.7.C.01",
          "9.4.8.C.01",
          "9.4.9.C.01",
          "9.4.10.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.6(b)",
          "5.5.6(f)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.02.B",
          "03.10.07.C"
        ]
      }
    },
    {
      "control_id": "PES-06.1",
      "title": "Distinguish Visitors from On-Site Personnel",
      "family": "PES",
      "description": "Physical access control mechanisms exist to easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.",
      "scf_question": "Does the organization easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Physical security controls distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Visible badges for visitors that are different from organizational personnel",
        "small": "∙ Visible badges for visitors that are different from organizational personnel",
        "medium": "∙ Visible badges for visitors that are different from organizational personnel",
        "large": "∙ Visible badges for visitors that are different from organizational personnel",
        "enterprise": "∙ Visible badges for visitors that are different from organizational personnel"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-nist-800-171-r2": [
          "3.10.3"
        ],
        "general-nist-800-171-r3": [
          "03.10.02.b",
          "03.10.07.c"
        ],
        "general-nist-800-171a": [
          "3.10.3[a]",
          "3.10.3[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.10.07.c[01]",
          "A.03.10.07.c[02]"
        ],
        "general-pci-dss-4-0-1": [
          "9.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.3.2"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.IX"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.3"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(ix)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-47"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1503"
        ],
        "apac-jpn-ismap": [
          "11.1.2.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.02.B",
          "03.10.07.C"
        ]
      }
    },
    {
      "control_id": "PES-06.2",
      "title": "Identification Requirement",
      "family": "PES",
      "description": "Physical access control mechanisms exist to require at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.",
      "scf_question": "Does the organization require at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Users are trained and encouraged to stop and question anyone attempting to install or remove IT assets from facilities.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to require at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Ensure fire extinguisher near server room",
        "small": "∙ Fire detection and suppression in server/data rooms\n∙ Sprinkler or suppression system",
        "medium": "∙ Formal fire protection system for data areas\n∙ Fire suppression appropriate for electronics",
        "large": "∙ Enterprise fire protection (FM-200 or Novec 1230 suppression)\n∙ VESDA early warning system",
        "enterprise": "∙ Enterprise fire suppression system (FM-200, Novec 1230)\n∙ VESDA early smoke detection\n∙ Integration with building management system"
      },
      "risks": [
        "R-AC-4",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "PS-1.1"
        ],
        "general-nist-800-53-r4": [
          "PE-2(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-02(02)"
        ],
        "general-nist-800-82-r3": [
          "PE-02(02)"
        ],
        "general-nist-800-171-r3": [
          "03.10.07.c"
        ],
        "general-pci-dss-4-0-1": [
          "9.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.3.2"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.3.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 2.2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-47"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.2 [MP.IF.2]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1503"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.07.C"
        ]
      }
    },
    {
      "control_id": "PES-06.3",
      "title": "Restrict Unescorted Access",
      "family": "PES",
      "description": "Physical access control mechanisms exist to restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validate the need for access.",
      "scf_question": "Does the organization restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validate the need for access?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Users are trained and encouraged to stop and question anyone attempting to install or remove IT assets from facilities.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validate the need for access.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Emergency power shutoff procedure for IT equipment rooms",
        "large": "∙ Emergency power shutoff capability for data center/server room (EPO)",
        "enterprise": "∙ Enterprise emergency power off (EPO) system\n∙ EPO training and drills\n∙ Integration with facility management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "PE-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-02(03)"
        ],
        "general-nist-800-82-r3": [
          "PE-02(03)"
        ],
        "general-nist-800-171-r2": [
          "3.10.3"
        ],
        "general-nist-800-171-r3": [
          "03.10.07.c"
        ],
        "general-nist-800-171a": [
          "3.10.3[a]",
          "3.10.3[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.10.07.c[01]",
          "A.03.10.07.c[02]"
        ],
        "general-pci-dss-4-0-1": [
          "9.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.3.2"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.IX"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "PE.L1-B.1.IX[b]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.3"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(ix)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 4.1.2",
          "CIP-006-6 1.2",
          "CIP-006-6 1.3",
          "CIP-006-6 2.1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-7"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-48"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0164"
        ],
        "apac-jpn-ismap": [
          "11.1.2.9"
        ],
        "apac-nzl-ism-3-9": [
          "9.4.7.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.07.C"
        ]
      }
    },
    {
      "control_id": "PES-06.4",
      "title": "Automated Records Management & Review",
      "family": "PES",
      "description": "Automated mechanisms exist to facilitate the maintenance and review of visitor access records.",
      "scf_question": "Does the organization use automated mechanisms to facilitate the maintenance and review of visitor access records?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-PES-02"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically facilitate the maintenance and review of visitor access records.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Emergency lighting in IT facility areas",
        "large": "∙ Emergency lighting system in data center and critical areas",
        "enterprise": "∙ Enterprise emergency lighting system with battery backup\n∙ Regular testing program\n∙ Integration with facility safety systems"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-5",
        "R-GV-1",
        "R-GV-2",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-govramp": [
          "PE-08(01)"
        ],
        "general-govramp-high": [
          "PE-08(01)"
        ],
        "general-nist-800-53-r4": [
          "PE-8(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-08(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "PE-08(01)"
        ],
        "general-nist-800-82-r3": [
          "PE-08(01)"
        ],
        "general-nist-800-82-r3-high": [
          "PE-08(01)"
        ],
        "general-pci-dss-4-0-1": [
          "9.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.3.4"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-08(01)"
        ],
        "apac-nzl-ism-3-9": [
          "9.4.9.C.01"
        ]
      }
    },
    {
      "control_id": "PES-06.5",
      "title": "Minimize Visitor Personal Data (PD)",
      "family": "PES",
      "description": "Mechanisms exist to minimize the collection of Personal Data (PD) contained in visitor access records.",
      "scf_question": "Does the organization minimize the collection of Personal Data (PD) contained in visitor access records?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to minimize the collection of Personal Data (PD) contained in visitor access records.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Emergency response procedure for IT facility",
        "large": "∙ Formal emergency response plan for IT facilities",
        "enterprise": "∙ Enterprise emergency response program for IT facilities\n∙ Regular drills\n∙ Integration with corporate emergency management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PE-08(03)",
          "PM-25",
          "SA-08(33)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-08(03)",
          "PM-25",
          "SA-08(33)"
        ],
        "general-nist-800-82-r3": [
          "PE-08(03)",
          "PM-25",
          "SA-08(33)"
        ],
        "general-nist-800-82-r3-low": [
          "PM-25"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-25"
        ],
        "general-nist-800-82-r3-high": [
          "PM-25"
        ],
        "general-nist-800-161-r1": [
          "PM-25"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-25"
        ],
        "general-pci-dss-4-0-1": [
          "9.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.3.4"
        ],
        "general-shared-assessments-sig-2025": [
          "P.6"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-8(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-25",
          "SA-08(33)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-25",
          "SA-08(33)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-25",
          "SA-08(33)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-25",
          "SA-08(33)"
        ],
        "apac-nzl-ism-3-9": [
          "9.4.9.C.01"
        ]
      }
    },
    {
      "control_id": "PES-06.6",
      "title": "Visitor Access Revocation",
      "family": "PES",
      "description": "Mechanisms exist to ensure visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration.",
      "scf_question": "Does the organization ensure visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "large": "∙ Physical security response capabilities for facility threats",
        "enterprise": "∙ Enterprise physical security response program\n∙ Dedicated security team\n∙ Coordination with law enforcement"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.4-POF2"
        ],
        "general-nist-800-171-r3": [
          "03.10.07.c"
        ],
        "general-pci-dss-4-0-1": [
          "9.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.3.3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-47"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1503"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1503"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.07.C"
        ]
      }
    },
    {
      "control_id": "PES-07",
      "title": "Supporting Utilities",
      "family": "PES",
      "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
      "scf_question": "Does the organization protect power equipment and power cabling for the system from damage and destruction?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-01"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to protect power equipment and power cabling for the system from damage and destruction.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Inspect deliveries for tampering before bringing into facility",
        "small": "∙ Delivery inspection policy\n∙ Designated delivery area",
        "medium": "∙ Formal delivery and removal inspection procedure",
        "large": "∙ Enterprise delivery management program\n∙ Dedicated loading/receiving area\n∙ Package screening",
        "enterprise": "∙ Enterprise delivery security program\n∙ X-ray/screening for deliveries\n∙ Access controls at loading dock\n∙ CCTV monitoring"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-14",
          "DCS-15"
        ],
        "general-govramp": [
          "PE-09"
        ],
        "general-govramp-mod": [
          "PE-09"
        ],
        "general-govramp-high": [
          "PE-09"
        ],
        "general-iso-27002-2022": [
          "7.11",
          "7.12"
        ],
        "general-iso-27017-2015": [
          "11.2.2",
          "11.2.3"
        ],
        "general-iso-27018-2025": [
          "7.11",
          "7.12"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(j)"
        ],
        "general-nist-800-53-r4": [
          "PE-9"
        ],
        "general-nist-800-53-r5-2": [
          "PE-09"
        ],
        "general-nist-800-53-r5-2-mod": [
          "PE-09"
        ],
        "general-nist-800-82-r3": [
          "PE-09"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-09"
        ],
        "general-nist-800-82-r3-high": [
          "PE-09"
        ],
        "general-nist-800-171-r3": [
          "03.10.08"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-02"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-9"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-09"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-9",
          "PE-9-IS.1"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-09"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.3(35)"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.1.2(d)"
        ],
        "emea-deu-c5-2020": [
          "PS-01",
          "PS-06"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.3 [MP.IF.3]",
          "8.1.4 [MP.IF.4]"
        ],
        "apac-jpn-ismap": [
          "11.2.2",
          "11.2.2.1",
          "11.2.2.2",
          "11.2.2.3",
          "11.2.2.4",
          "11.2.2.5"
        ],
        "apac-nzl-ism-3-9": [
          "8.3.3.C.01",
          "8.3.4.C.01",
          "8.3.4.C.02",
          "8.3.5.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.2",
          "8.5.2(a)",
          "8.5.2(b)",
          "8.5.2(c)"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.08"
        ]
      }
    },
    {
      "control_id": "PES-07.1",
      "title": "Automatic Voltage Controls",
      "family": "PES",
      "description": "Facility security mechanisms exist to utilize automatic voltage controls for critical system components.",
      "scf_question": "Does the organization utilize automatic voltage controls for critical system components?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to utilize automatic voltage controls for critical system components.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use surge protectors or line-conditioning power strips for critical IT equipment",
        "small": "∙ Surge protection and voltage regulation for critical system components",
        "medium": "∙ Formal standard for automatic voltage controls (surge suppression, voltage regulation) on critical system components\n∙ UPS with line conditioning for critical systems",
        "large": "∙ Enterprise power quality program covering critical system components\n∙ UPS with automatic voltage regulation and power quality monitoring",
        "enterprise": "∙ Enterprise power quality management with automatic voltage regulation, surge suppression and monitoring\n∙ Power quality alerting integrated with facility monitoring"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-14"
        ],
        "general-iso-27002-2022": [
          "7.11"
        ],
        "general-iso-27017-2015": [
          "11.2.2"
        ],
        "general-iso-27018-2025": [
          "7.11"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-nist-800-53-r4": [
          "PE-9(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-09(02)"
        ],
        "general-nist-800-82-r3": [
          "PE-09(02)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.3(35)"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.4 [MP.IF.4]"
        ]
      }
    },
    {
      "control_id": "PES-07.2",
      "title": "Emergency Shutoff",
      "family": "PES",
      "description": "Facility security mechanisms exist to shut off power in emergency situations by:\n(1) Placing emergency shutoff switches or devices in close proximity to systems or system components to facilitate safe and easy access for personnel; and\n(2) Protecting emergency power shutoff capability from unauthorized activation.",
      "scf_question": "Does the organization shut off power in emergency situations by:\n (1) Placing emergency shutoff switches or devices in close proximity to systems or system components to facilitate safe and easy access for personnel; and\n (2) Protecting emergency power shutoff capability from unauthorized activation?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to shut off power in emergency situations by:\n(1) Placing emergency shutoff switches or devices in close proximity to systems or system components to facilitate safe and easy access for personnel; and\n(2) Protecting emergency power shutoff capability from unauthorized activation.",
        "4": "Physical & Environmental Security (PES) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Install clearly labeled emergency power shutoff switches near IT equipment and protect them from accidental activation",
        "small": "∙ Emergency shutoff switches located in close proximity to systems\n∙ Protective covers to prevent unauthorized or accidental activation",
        "medium": "∙ Formal emergency power shutoff procedure\n∙ Labeled, covered shutoff switches in each equipment room\n∙ Periodic testing",
        "large": "∙ Enterprise emergency power-off (EPO) standard for data centers and equipment rooms\n∙ Protected, labeled EPO switches with periodic testing",
        "enterprise": "∙ Enterprise EPO program with protected, labeled switches at each equipment area\n∙ Access-controlled or covered shutoff devices\n∙ Scheduled testing integrated with facility monitoring"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-14"
        ],
        "general-govramp": [
          "PE-10"
        ],
        "general-govramp-mod": [
          "PE-10"
        ],
        "general-govramp-high": [
          "PE-10"
        ],
        "general-iso-27002-2022": [
          "7.11"
        ],
        "general-iso-27017-2015": [
          "11.2.2"
        ],
        "general-iso-27018-2025": [
          "7.11"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-nist-800-53-r4": [
          "PE-10"
        ],
        "general-nist-800-53-r5-2": [
          "PE-10"
        ],
        "general-nist-800-53-r5-2-mod": [
          "PE-10"
        ],
        "general-nist-800-82-r3": [
          "PE-10"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-10"
        ],
        "general-nist-800-82-r3-high": [
          "PE-10"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-10",
          "PE-10.a",
          "PE-10.b",
          "PE-10.c"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-10"
        ],
        "apac-jpn-ismap": [
          "11.2.2.7"
        ]
      }
    },
    {
      "control_id": "PES-07.3",
      "title": "Emergency Power",
      "family": "PES",
      "description": "Facility security mechanisms exist to supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source.",
      "scf_question": "Does the organization supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source.",
        "4": "Physical & Environmental Security (PES) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use an Uninterruptible Power Supply (UPS) for critical equipment to allow orderly shutdown or short-term operation",
        "small": "∙ UPS for critical systems\n∙ Periodic UPS battery testing",
        "medium": "∙ Formal emergency power procedure\n∙ UPS sized for minimally-required operational capability\n∙ Generator or other alternate power source for extended outages",
        "large": "∙ Enterprise emergency power program\n∙ UPS plus generator capacity for minimally-required operational capability\n∙ Scheduled load testing",
        "enterprise": "∙ Enterprise emergency power management with redundant UPS and generators\n∙ Fuel supply arrangements for extended outages\n∙ Scheduled full-load testing and monitoring"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-14"
        ],
        "general-govramp": [
          "PE-11",
          "PE-11(01)"
        ],
        "general-govramp-mod": [
          "PE-11"
        ],
        "general-govramp-high": [
          "PE-11",
          "PE-11(01)"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 7.5"
        ],
        "general-iso-27002-2022": [
          "7.11"
        ],
        "general-iso-27017-2015": [
          "11.2.2"
        ],
        "general-iso-27018-2025": [
          "7.11"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-nist-800-53-r4": [
          "PE-11",
          "PE-11(1)",
          "PE-11(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-11",
          "PE-11(01)",
          "PE-11(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "PE-11"
        ],
        "general-nist-800-53-r5-2-high": [
          "PE-11(01)"
        ],
        "general-nist-800-82-r3": [
          "PE-11",
          "PE-11(01)",
          "PE-11(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-11"
        ],
        "general-nist-800-82-r3-high": [
          "PE-11",
          "PE-11(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PE-11(01)",
          "PE-11(02)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-11"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-11"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-11",
          "PE-11(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-11"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-11"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.1.2(a)"
        ],
        "emea-deu-c5-2020": [
          "PS-01",
          "PS-06"
        ],
        "emea-isr-cmo-1-0": [
          "18.14",
          "18.15"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2704"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2704"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2704"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2704"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1123"
        ]
      }
    },
    {
      "control_id": "PES-07.4",
      "title": "Emergency Lighting",
      "family": "PES",
      "description": "Facility security mechanisms exist to utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.",
      "scf_question": "Does the organization utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.",
        "4": "Physical & Environmental Security (PES) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Store equipment securely when not in use",
        "small": "∙ Equipment storage security policy\n∙ Secure storage for portable/critical equipment",
        "medium": "∙ Formal equipment storage security policy\n∙ Locked storage with access controls",
        "large": "∙ Enterprise secure equipment storage program\n∙ Access-controlled storage areas",
        "enterprise": "∙ Enterprise secure equipment storage and management program\n∙ Access-controlled vaults\n∙ Environmental monitoring"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-14"
        ],
        "general-govramp": [
          "PE-12"
        ],
        "general-govramp-mod": [
          "PE-12"
        ],
        "general-govramp-high": [
          "PE-12"
        ],
        "general-iso-27002-2022": [
          "7.11"
        ],
        "general-iso-27017-2015": [
          "11.2.2"
        ],
        "general-iso-27018-2025": [
          "7.11"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-nist-800-53-r4": [
          "PE-12"
        ],
        "general-nist-800-53-r5-2": [
          "PE-12"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-12"
        ],
        "general-nist-800-82-r3": [
          "PE-12"
        ],
        "general-nist-800-82-r3-low": [
          "PE-12"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-12"
        ],
        "general-nist-800-82-r3-high": [
          "PE-12"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-12"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-12"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-12"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-12"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-12"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-12"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-12"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-12"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.1.2(a)"
        ],
        "emea-isr-cmo-1-0": [
          "18.16"
        ],
        "apac-jpn-ismap": [
          "11.2.2.6"
        ]
      }
    },
    {
      "control_id": "PES-07.5",
      "title": "Water Damage Protection",
      "family": "PES",
      "description": "Facility security mechanisms exist to protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel.",
      "scf_question": "Does the organization protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-01"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Water leak sensors\n∙ Humidity sensors",
        "small": "∙ Water leak sensors\n∙ Humidity sensors",
        "medium": "∙ Water leak sensors\n∙ Humidity sensors",
        "large": "∙ Water leak sensors\n∙ Humidity sensors",
        "enterprise": "∙ Water leak sensors\n∙ Humidity sensors"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-14"
        ],
        "general-govramp": [
          "PE-15"
        ],
        "general-govramp-low": [
          "PE-15"
        ],
        "general-govramp-low-plus": [
          "PE-15"
        ],
        "general-govramp-mod": [
          "PE-15"
        ],
        "general-govramp-high": [
          "PE-15"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(j)"
        ],
        "general-nist-800-53-r4": [
          "PE-15"
        ],
        "general-nist-800-53-r5-2": [
          "PE-15"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-15"
        ],
        "general-nist-800-82-r3": [
          "PE-15"
        ],
        "general-nist-800-82-r3-low": [
          "PE-15"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-15"
        ],
        "general-nist-800-82-r3-high": [
          "PE-15"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-02"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-15"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-15"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-15"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-15"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-15"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-15"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-15"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PE-15"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-15"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.3(35)"
        ],
        "emea-deu-c5-2020": [
          "PS-01"
        ],
        "emea-isr-cmo-1-0": [
          "18.19"
        ]
      }
    },
    {
      "control_id": "PES-07.6",
      "title": "Automation Support for Water Damage Protection",
      "family": "PES",
      "description": "Facility security mechanisms exist to detect the presence of water in the vicinity of critical systems and alert facility maintenance and IT personnel.",
      "scf_question": "Does the organization detect the presence of water in the vicinity of critical systems and alert facility maintenance and IT personnel?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to detect the presence of water in the vicinity of critical systems and alert facility maintenance and IT personnel.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Inspect returned equipment for damage or tampering",
        "small": "∙ Equipment inspection policy upon return from external use",
        "medium": "∙ Formal returned equipment inspection procedure",
        "large": "∙ Enterprise equipment return and inspection program\n∙ Sanitization before reuse",
        "enterprise": "∙ Enterprise equipment lifecycle management\n∙ Formal inspection and sanitization procedures\n∙ Forensic review for suspect equipment"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-govramp": [
          "PE-15(01)"
        ],
        "general-govramp-high": [
          "PE-15(01)"
        ],
        "general-nist-800-53-r4": [
          "PE-15(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-15(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "PE-15(01)"
        ],
        "general-nist-800-82-r3": [
          "PE-15(01)"
        ],
        "general-nist-800-82-r3-high": [
          "PE-15(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-15(01)"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.6 [MP.IF.6]"
        ]
      }
    },
    {
      "control_id": "PES-07.7",
      "title": "Redundant Cabling",
      "family": "PES",
      "description": "Mechanisms exist to employ redundant power cabling paths that are physically separated to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged.",
      "scf_question": "Does the organization employ redundant power cabling paths that are physically separated to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to employ redundant power cabling paths that are physically separated to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Review and approve any AI/autonomous equipment brought into facility",
        "large": "∙ Policy for AI/autonomous equipment in facility\n∙ Approval process for new AI devices",
        "enterprise": "∙ Enterprise AI equipment governance policy\n∙ Formal approval process for AI devices in facility"
      },
      "risks": [
        "R-AM-1",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "PE-9(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-09(01)"
        ],
        "general-nist-800-82-r3": [
          "PE-09(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PE-09(01)"
        ]
      }
    },
    {
      "control_id": "PES-08",
      "title": "Fire Protection",
      "family": "PES",
      "description": "Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source.",
      "scf_question": "Does the organization utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-01"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure cables and equipment to prevent unauthorized access",
        "small": "∙ Cabling security policy\n∙ Protect network and power cabling",
        "medium": "∙ Formal cabling security standards\n∙ Cable protection and labeling",
        "large": "∙ Enterprise cabling management program\n∙ Protected pathways\n∙ Cable labeling and documentation",
        "enterprise": "∙ Enterprise cabling security and management program (e.g., structured cabling standards)\n∙ Automated cable plant documentation"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-govramp": [
          "PE-13"
        ],
        "general-govramp-low": [
          "PE-13"
        ],
        "general-govramp-low-plus": [
          "PE-13"
        ],
        "general-govramp-mod": [
          "PE-13"
        ],
        "general-govramp-high": [
          "PE-13"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(j)"
        ],
        "general-nist-800-53-r4": [
          "PE-13"
        ],
        "general-nist-800-53-r5-2": [
          "PE-13"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-13"
        ],
        "general-nist-800-82-r3": [
          "PE-13"
        ],
        "general-nist-800-82-r3-low": [
          "PE-13"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-13"
        ],
        "general-nist-800-82-r3-high": [
          "PE-13"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-02"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-13"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-13"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-13"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-13"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-13"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-13"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-13"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PE-13"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-13"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.3(35)"
        ],
        "emea-deu-c5-2020": [
          "PS-01",
          "PS-05"
        ],
        "emea-isr-cmo-1-0": [
          "18.17"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.5 [MP.IF.5]"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.3",
          "8.5.4"
        ]
      }
    },
    {
      "control_id": "PES-08.1",
      "title": "Fire Detection Devices",
      "family": "PES",
      "description": "Facility security mechanisms exist to utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire.",
      "scf_question": "Does the organization utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Label and document all network cables",
        "small": "∙ Cable labeling policy and procedure",
        "medium": "∙ Formal cable labeling and documentation standards",
        "large": "∙ Enterprise cable management system with documentation",
        "enterprise": "∙ Enterprise cable management platform (e.g., Netbox, IT Portal)\n∙ Automated cable plant documentation\n∙ DCIM integration"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-govramp": [
          "PE-13(01)"
        ],
        "general-govramp-high": [
          "PE-13(01)"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-nist-800-53-r4": [
          "PE-13(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-13(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "PE-13(01)"
        ],
        "general-nist-800-82-r3": [
          "PE-13(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-13(01)"
        ],
        "general-nist-800-82-r3-high": [
          "PE-13(01)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-13(1)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-13(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-13(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-13(1)"
        ],
        "emea-deu-c5-2020": [
          "PS-05"
        ],
        "emea-isr-cmo-1-0": [
          "18.17"
        ],
        "apac-sgp-mas-trm-2021": [
          "8.5.3",
          "8.5.4"
        ]
      }
    },
    {
      "control_id": "PES-08.2",
      "title": "Fire Suppression Devices",
      "family": "PES",
      "description": "Facility security mechanisms exist to utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders.",
      "scf_question": "Does the organization utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders?",
      "relative_weight": 3,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Protect cables from physical damage",
        "small": "∙ Physical cable protection policy\n∙ Use cable conduits in sensitive areas",
        "medium": "∙ Formal cabling protection standards\n∙ Conduit use in exposed or high-risk areas",
        "large": "∙ Enterprise cabling protection program\n∙ Armored cabling for sensitive runs\n∙ Physical cable protection audits",
        "enterprise": "∙ Enterprise cabling protection and management program\n∙ Armored conduits\n∙ Regular physical cable audits"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-govramp": [
          "PE-13(02)"
        ],
        "general-govramp-mod": [
          "PE-13(02)"
        ],
        "general-govramp-high": [
          "PE-13(02)"
        ],
        "general-nist-800-53-r4": [
          "PE-13(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-13(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-13(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "PE-13(02)"
        ],
        "general-nist-800-82-r3": [
          "PE-13(02)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-13(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-13(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-13(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-13(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-13(3)"
        ],
        "emea-deu-c5-2020": [
          "PS-05"
        ],
        "emea-isr-cmo-1-0": [
          "18.17"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2704"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2704"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2704"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2704"
        ]
      }
    },
    {
      "control_id": "PES-08.3",
      "title": "Automatic Fire Suppression",
      "family": "PES",
      "description": "Facility security mechanisms exist to employ an automatic fire suppression capability for critical systems when the facility is not staffed on a continuous basis.",
      "scf_question": "Does the organization employ an automatic fire suppression capability for critical systems when the facility is not staffed on a continuous basis?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to employ an automatic fire suppression capability for critical systems when the facility is not staffed on a continuous basis.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Separate power and data cables to reduce interference and tampering risk",
        "small": "∙ Power/data cable separation policy",
        "medium": "∙ Formal power and data cable separation standards",
        "large": "∙ Enterprise cabling standards with physical separation of power and data",
        "enterprise": "∙ Enterprise cabling infrastructure program with full power/data separation\n∙ DCIM documentation"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-govramp": [
          "PE-13(02)"
        ],
        "general-govramp-mod": [
          "PE-13(02)"
        ],
        "general-govramp-high": [
          "PE-13(02)"
        ],
        "general-nist-800-53-r4": [
          "PE-13(3)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-13(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-13(02)"
        ],
        "general-nist-800-53-r5-2-high": [
          "PE-13(02)"
        ],
        "general-nist-800-82-r3": [
          "PE-13(02)"
        ],
        "general-nist-800-82-r3-high": [
          "PE-13(02)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-13(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-13(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-13(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-13(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-13(2)"
        ],
        "emea-deu-c5-2020": [
          "PS-05"
        ]
      }
    },
    {
      "control_id": "PES-09",
      "title": "Temperature & Humidity Controls",
      "family": "PES",
      "description": "Facility security mechanisms exist to maintain and monitor temperature and humidity levels within the facility.",
      "scf_question": "Does the organization maintain and monitor temperature and humidity levels within the facility?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PES-01"
      ],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to maintain and monitor temperature and humidity levels within the facility.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Know what utilities (power, water, HVAC) serve IT equipment",
        "small": "∙ Utility inventory for IT facilities\n∙ Utility service contacts",
        "medium": "∙ Formal utility management policy for IT facilities\n∙ Utility protection measures",
        "large": "∙ Enterprise utility management program\n∙ Redundant utilities\n∙ Monitoring of utility services",
        "enterprise": "∙ Enterprise utility management platform\n∙ Redundant utility feeds\n∙ Automated utility monitoring\n∙ Emergency utility procedures"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.2-POF2",
          "A1.2-POF4"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-govramp": [
          "PE-14"
        ],
        "general-govramp-low": [
          "PE-14"
        ],
        "general-govramp-low-plus": [
          "PE-14"
        ],
        "general-govramp-mod": [
          "PE-14"
        ],
        "general-govramp-high": [
          "PE-14"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-nist-800-53-r4": [
          "PE-14"
        ],
        "general-nist-800-53-r5-2": [
          "PE-14"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-14"
        ],
        "general-nist-800-82-r3": [
          "PE-14"
        ],
        "general-nist-800-82-r3-low": [
          "PE-14"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-14"
        ],
        "general-nist-800-82-r3-high": [
          "PE-14"
        ],
        "general-nist-csf-2-0": [
          "PR.IR-02"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-14"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-14"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-14"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-14"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-14"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-14",
          "PE-14.a",
          "PE-14.b",
          "PE-14-IS.1",
          "PE-14-IS.2",
          "PE-14-IS.3"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-14"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PE-14"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-14"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.3(35)"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.1.2(f)"
        ],
        "emea-deu-c5-2020": [
          "PS-06",
          "PS-07"
        ],
        "emea-isr-cmo-1-0": [
          "18.18"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2704"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2704"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2704"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2704"
        ]
      }
    },
    {
      "control_id": "PES-09.1",
      "title": "Monitoring with Alarms / Notifications",
      "family": "PES",
      "description": "Facility security mechanisms exist to trigger an alarm or notification of temperature and humidity changes that could potentially be harmful to personnel or equipment.",
      "scf_question": "Does the organization trigger an alarm or notification of temperature and humidity changes that could potentially be harmful to personnel or equipment?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to trigger an alarm or notification of temperature and humidity changes that could potentially be harmful to personnel or equipment.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Know location of power shutoffs for IT areas",
        "small": "∙ Utility shutoff documentation and procedure",
        "medium": "∙ Formal utility emergency shutoff procedures\n∙ Documentation of shutoff locations",
        "large": "∙ Enterprise utility emergency management\n∙ EPO systems\n∙ Utility shutoff training",
        "enterprise": "∙ Enterprise facility emergency management\n∙ Automated utility monitoring\n∙ EPO integration\n∙ Emergency utility procedures"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.2-POF2",
          "A1.2-POF4"
        ],
        "general-cobit-2019": [
          "DSS01.04"
        ],
        "general-govramp": [
          "PE-14(02)"
        ],
        "general-govramp-mod": [
          "PE-14(02)"
        ],
        "general-govramp-high": [
          "PE-14(02)"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-3.1"
        ],
        "general-nist-800-53-r4": [
          "PE-14(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-14(02)"
        ],
        "general-nist-800-82-r3": [
          "PE-14(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-14(02)"
        ],
        "emea-deu-c5-2020": [
          "PS-06",
          "PS-07"
        ],
        "emea-isr-cmo-1-0": [
          "18.18"
        ]
      }
    },
    {
      "control_id": "PES-10",
      "title": "Delivery & Removal",
      "family": "PES",
      "description": "Physical security mechanisms exist to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access.",
      "scf_question": "Does the organization isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain PES domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Shred sensitive paper documents before disposal",
        "small": "∙ Clean desk policy\n∙ Shredding policy for sensitive documents",
        "medium": "∙ Formal clear desk and secure disposal policy\n∙ Shredding service for sensitive materials",
        "large": "∙ Enterprise clear desk/clean screen program\n∙ Shredding service contract\n∙ Regular audits",
        "enterprise": "∙ Enterprise information handling program\n∙ Contracted shredding service (e.g., Iron Mountain)\n∙ Regular compliance audits\n∙ Secure printer management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "PE-16"
        ],
        "general-govramp-low": [
          "PE-16"
        ],
        "general-govramp-low-plus": [
          "PE-16"
        ],
        "general-govramp-mod": [
          "PE-16"
        ],
        "general-govramp-high": [
          "PE-16"
        ],
        "general-iso-27002-2022": [
          "7.2"
        ],
        "general-iso-27017-2015": [
          "11.1.6"
        ],
        "general-iso-27018-2025": [
          "7.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-1.0"
        ],
        "general-nist-800-53-r4": [
          "PE-16"
        ],
        "general-nist-800-53-r5-2": [
          "PE-16"
        ],
        "general-nist-800-53-r5-2-low": [
          "PE-16"
        ],
        "general-nist-800-82-r3": [
          "PE-16"
        ],
        "general-nist-800-82-r3-low": [
          "PE-16"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-16"
        ],
        "general-nist-800-82-r3-high": [
          "PE-16"
        ],
        "general-nist-800-161-r1": [
          "PE-16"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PE-16"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-16"
        ],
        "general-nist-800-171-r2": [
          "NFO - PE-16"
        ],
        "general-tisax-6-0-3": [
          "3.1.3",
          "5.3.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-16"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-16"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-16"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-16"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-16"
        ],
        "usa-federal-irs-1075-2021": [
          "PE-16"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-16",
          "PE-16-IS.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-16"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PE-16"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-16"
        ],
        "emea-isr-cmo-1-0": [
          "18.20"
        ],
        "apac-jpn-ismap": [
          "11.1.6",
          "11.1.6.1",
          "11.1.6.2",
          "11.1.6.3",
          "11.1.6.4",
          "11.1.6.5",
          "11.1.6.6",
          "11.1.6.7"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.5.6(f)"
        ]
      }
    },
    {
      "control_id": "PES-11",
      "title": "Alternate Work Site",
      "family": "PES",
      "description": "Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites.",
      "scf_question": "Does the organization utilize appropriate management, operational and technical controls at alternate work sites?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Where applicable, physical security controls and technologies are employed at alternate work sites to provide “equal protection” of physical and digital assets.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to utilize appropriate management, operational and technical controls at alternate work sites.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Formally-designated alternate work sites",
        "small": "∙ Formally-designated alternate work sites",
        "medium": "∙ Formally-designated alternate work sites",
        "large": "∙ Formally-designated alternate work sites",
        "enterprise": "∙ Formally-designated alternate work sites"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-govramp": [
          "PE-17"
        ],
        "general-govramp-low-plus": [
          "PE-17"
        ],
        "general-govramp-mod": [
          "PE-17"
        ],
        "general-govramp-high": [
          "PE-17"
        ],
        "general-mpa-csbp-5-3-1": [
          "OP-2.1"
        ],
        "general-nist-800-53-r4": [
          "PE-17"
        ],
        "general-nist-800-53-r5-2": [
          "PE-17"
        ],
        "general-nist-800-53-r5-2-mod": [
          "PE-17"
        ],
        "general-nist-800-82-r3": [
          "PE-17"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-17"
        ],
        "general-nist-800-82-r3-high": [
          "PE-17"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PE-17"
        ],
        "general-nist-800-161-r1": [
          "PE-17"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-17"
        ],
        "general-nist-800-171-r2": [
          "3.10.6"
        ],
        "general-nist-800-171-r3": [
          "03.10.06.a",
          "03.10.06.b"
        ],
        "general-nist-800-171a": [
          "3.10.6[a]",
          "3.10.6[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.10.06.ODP[01]",
          "A.03.10.06.a",
          "A.03.10.06.b"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-17"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.6"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-17"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-17"
        ],
        "usa-federal-irs-1075-2021": [
          "PE-17"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-17",
          "PE-17.a",
          "PE-17.b",
          "PE-17.c",
          "PE-17-IS.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PE-17"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-17"
        ],
        "emea-deu-c5-2020": [
          "PS-02"
        ],
        "emea-isr-cmo-1-0": [
          "18.21"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2312"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2312"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2312"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2312"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.06.A",
          "03.10.06.B"
        ]
      }
    },
    {
      "control_id": "PES-12",
      "title": "Equipment Siting & Protection",
      "family": "PES",
      "description": "Physical security mechanisms exist to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.",
      "scf_question": "Does the organization locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Physical security controls address system component location within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.\n▪ Physical security controls isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Keep valuable/sensitive equipment out of high-visibility areas",
        "small": "∙ Equipment placement policy\n∙ Protect sensitive equipment from public view",
        "medium": "∙ Formal equipment placement and protection policy",
        "large": "∙ Enterprise equipment positioning and protection program\n∙ Physical security zones",
        "enterprise": "∙ Enterprise physical security design program\n∙ Security zones with appropriate controls\n∙ Physical security reviews during facility design"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-16"
        ],
        "general-csa-iot-2": [
          "PHY-01"
        ],
        "general-govramp": [
          "PE-18"
        ],
        "general-govramp-high": [
          "PE-18"
        ],
        "general-iso-27002-2022": [
          "7.12",
          "7.3",
          "7.5",
          "7.8"
        ],
        "general-iso-27017-2015": [
          "11.1.4",
          "11.2.1",
          "11.2.3"
        ],
        "general-iso-27018-2025": [
          "7.3",
          "7.5",
          "7.8",
          "7.12"
        ],
        "general-mpa-csbp-5-3-1": [
          "PS-1.0"
        ],
        "general-nist-800-53-r4": [
          "PE-18",
          "PE-18(1)",
          "SC-7(14)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-18",
          "PE-23",
          "SC-07(14)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-23",
          "SC-07(14)"
        ],
        "general-nist-800-53-r5-2-high": [
          "PE-18"
        ],
        "general-nist-800-82-r3": [
          "PE-18",
          "PE-23",
          "SC-07(14)"
        ],
        "general-nist-800-82-r3-high": [
          "PE-18"
        ],
        "general-nist-800-161-r1": [
          "PE-18",
          "PE-23",
          "SC-7(14)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PE-23"
        ],
        "general-nist-800-161-r1-level-1": [
          "PE-18"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-18",
          "PE-23",
          "SC-7(14)"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-18",
          "PE-23",
          "SC-7(14)"
        ],
        "general-nist-800-171-r2": [
          "3.10.1"
        ],
        "general-nist-800-171-r3": [
          "03.10.07.e",
          "03.10.08"
        ],
        "general-nist-800-172": [
          "3.13.4e"
        ],
        "general-pci-dss-4-0-1": [
          "9.2.2",
          "9.2.3",
          "9.2.4"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.2.2",
          "9.2.3",
          "9.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.2.2",
          "9.2.3",
          "9.2.4"
        ],
        "general-swift-cscf-2025": [
          "3.1"
        ],
        "general-tisax-6-0-3": [
          "8.1.4"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.VIII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.1"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SC.L3-3.13.4E"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(viii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-23",
          "SC-07(14)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-23",
          "SC-07(14)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-18",
          "PE-23",
          "SC-07(14)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-23",
          "SC-07(14)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.B.5"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-4-IS.1",
          "PE-18"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.10"
        ],
        "emea-isr-cmo-1-0": [
          "18.7",
          "18.13",
          "18.22"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.1.3 [MP.IF.3]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1644"
        ],
        "apac-jpn-ismap": [
          "11.2",
          "11.2.1",
          "11.2.1.1",
          "11.2.1.2",
          "11.2.1.4",
          "11.2.1.5",
          "11.2.1.6",
          "11.2.1.7",
          "11.2.1.8",
          "11.2.1.9",
          "11.2.1.10",
          "11.2.7.4.PB"
        ],
        "apac-nzl-ism-3-9": [
          "8.3.3.C.01",
          "8.3.4.C.01",
          "8.3.4.C.02",
          "8.3.5.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.07.E",
          "03.10.08"
        ]
      }
    },
    {
      "control_id": "PES-12.1",
      "title": "Transmission Medium Security",
      "family": "PES",
      "description": "Physical security mechanisms exist to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.",
      "scf_question": "Does the organization protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Physical security controls address system component location within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.\n▪ Physical security controls isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Lock screens and log off when stepping away",
        "small": "∙ Clean screen policy\n∙ Auto-lock configured on all systems",
        "medium": "∙ Formal clean screen/clear desk policy\n∙ Auto-lock enforcement via GPO",
        "large": "∙ Enterprise screen lock policy enforcement\n∙ Automated compliance monitoring",
        "enterprise": "∙ Enterprise endpoint management with enforced screen lock (e.g., Microsoft Intune, JAMF)\n∙ Compliance reporting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DCS-13"
        ],
        "general-govramp": [
          "PE-04"
        ],
        "general-govramp-low-plus": [
          "PE-04"
        ],
        "general-govramp-mod": [
          "PE-04"
        ],
        "general-govramp-high": [
          "PE-04"
        ],
        "general-iso-27002-2022": [
          "7.12"
        ],
        "general-iso-27017-2015": [
          "11.2.3"
        ],
        "general-iso-27018-2025": [
          "7.12"
        ],
        "general-nist-800-53-r4": [
          "PE-4",
          "SC-7(14)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-04",
          "SC-07(14)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-07(14)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "PE-04"
        ],
        "general-nist-800-82-r3": [
          "PE-04",
          "SC-07(14)"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-04"
        ],
        "general-nist-800-82-r3-high": [
          "PE-04"
        ],
        "general-nist-800-161-r1": [
          "SC-7(14)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-7(14)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-7(14)"
        ],
        "general-nist-800-171-r2": [
          "3.10.1"
        ],
        "general-nist-800-171-r3": [
          "03.10.08"
        ],
        "general-nist-800-171a-r3": [
          "A.03.10.08"
        ],
        "general-pci-dss-4-0-1": [
          "9.2.2",
          "9.2.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.2.2",
          "9.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.2.2",
          "9.2.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-4"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.VIII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(viii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-07(14)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-04",
          "SC-07(14)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-04",
          "SC-07(14)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-07(14)"
        ],
        "usa-federal-irs-1075-2021": [
          "PE-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.10"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-04"
        ],
        "emea-isr-cmo-1-0": [
          "9.15",
          "18.13"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0181",
          "ISM-0187",
          "ISM-0194",
          "ISM-0195",
          "ISM-0198",
          "ISM-0201",
          "ISM-0206",
          "ISM-0208",
          "ISM-0211",
          "ISM-0213",
          "ISM-0216",
          "ISM-0217",
          "ISM-0218",
          "ISM-0926",
          "ISM-1095",
          "ISM-1096",
          "ISM-1098",
          "ISM-1100",
          "ISM-1101",
          "ISM-1102",
          "ISM-1103",
          "ISM-1105",
          "ISM-1107",
          "ISM-1109",
          "ISM-1111",
          "ISM-1112",
          "ISM-1114",
          "ISM-1115",
          "ISM-1116",
          "ISM-1119",
          "ISM-1122",
          "ISM-1130",
          "ISM-1133",
          "ISM-1164",
          "ISM-1216",
          "ISM-1639",
          "ISM-1640",
          "ISM-1718",
          "ISM-1719",
          "ISM-1720",
          "ISM-1721"
        ],
        "apac-jpn-ismap": [
          "11.2.3",
          "11.2.3.1",
          "11.2.3.2",
          "11.2.3.3"
        ],
        "apac-nzl-ism-3-9": [
          "8.3.3.C.01",
          "8.3.3.C.02",
          "8.3.4.C.01",
          "8.3.4.C.02",
          "8.3.5.C.01",
          "10.1.42.C.01",
          "10.1.42.C.02",
          "10.1.43.C.01",
          "10.1.43.C.02",
          "10.1.43.C.03",
          "10.1.43.C.04",
          "10.1.44.C.01",
          "10.1.45.C.01",
          "10.1.45.C.02",
          "10.1.46.C.01",
          "10.1.46.C.02",
          "10.1.46.C.03",
          "10.1.46.C.04",
          "10.1.47.C.01",
          "10.1.47.C.02",
          "10.1.48.C.01",
          "10.1.48.C.02",
          "10.1.48.C.03",
          "10.1.49.C.01",
          "10.1.50.C.01",
          "10.1.50.C.02",
          "10.1.50.C.03",
          "10.1.50.C.04",
          "10.1.51.C.01",
          "10.2.6.C.01",
          "10.2.6.C.02",
          "10.2.7.C.01",
          "10.2.8.C.01",
          "10.2.9.C.01",
          "10.2.10.C.01",
          "10.3.5.C.01",
          "10.3.6.C.01",
          "10.3.6.C.02",
          "10.3.7.C.01",
          "10.3.8.C.01",
          "10.3.9.C.01",
          "10.3.10.C.01",
          "10.3.11.C.01",
          "10.3.12.C.01",
          "10.3.13.C.01",
          "10.4.4.C.01",
          "10.4.4.C.02",
          "10.4.5.C.01",
          "10.4.5.C.02",
          "10.4.6.C.01",
          "10.4.6.C.02",
          "10.4.6.C.03",
          "10.4.7.C.01",
          "10.4.7.C.02",
          "10.4.8.C.01",
          "10.4.9.C.01",
          "10.4.9.C.02",
          "10.4.9.C.03",
          "10.4.9.C.04",
          "10.4.10.C.01",
          "10.4.11.C.01",
          "10.4.12.C.01",
          "10.4.13.C.01",
          "10.4.13.C.02",
          "10.5.4.C.01",
          "10.5.5.C.01",
          "10.5.6.C.01",
          "10.5.6.C.02",
          "10.5.7.C.01",
          "10.5.8.C.01",
          "10.5.8.C.02",
          "10.5.9.C.01",
          "10.5.9.C.02",
          "10.5.10.C.01",
          "10.5.10.C.02",
          "10.5.11.C.01",
          "10.6.22.C.01",
          "10.6.22.C.02",
          "10.6.23.C.01",
          "10.6.23.C.02",
          "10.6.23.C.03",
          "10.6.23.C.04",
          "10.6.24.C.01",
          "10.6.24.C.02",
          "10.6.25.C.01",
          "10.6.26.C.01",
          "10.6.27.C.01",
          "10.6.28.C.01",
          "10.6.28.C.02",
          "10.6.29.C.01",
          "10.6.30.C.01",
          "10.6.31.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.08"
        ]
      }
    },
    {
      "control_id": "PES-12.2",
      "title": "Access Control for Output Devices",
      "family": "PES",
      "description": "Physical security mechanisms exist to restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output.",
      "scf_question": "Does the organization restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Physical security controls address system component location within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.\n▪ Physical security controls isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Physical security policy\n∙ Door locks and key management",
        "small": "∙ Physical security policy\n∙ Access log\n∙ Visitor procedures",
        "medium": "∙ Printer management (print only when at the printer with proximity card or code)",
        "large": "∙ Printer management (print only when at the printer with proximity card or code)",
        "enterprise": "∙ Printer management (print only when at the printer with proximity card or code)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "PI1.4"
        ],
        "general-cobit-2019": [
          "DSS05.06"
        ],
        "general-govramp": [
          "PE-05"
        ],
        "general-govramp-low-plus": [
          "PE-05"
        ],
        "general-govramp-mod": [
          "PE-05"
        ],
        "general-govramp-high": [
          "PE-05"
        ],
        "general-nist-800-53-r4": [
          "PE-5"
        ],
        "general-nist-800-53-r5-2": [
          "PE-05"
        ],
        "general-nist-800-53-r5-2-mod": [
          "PE-05"
        ],
        "general-nist-800-82-r3": [
          "PE-05"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-05"
        ],
        "general-nist-800-82-r3-high": [
          "PE-05"
        ],
        "general-nist-800-171-r2": [
          "3.10.1"
        ],
        "general-nist-800-171-r3": [
          "03.10.07.e"
        ],
        "general-nist-800-171a-r3": [
          "A.03.10.07.e"
        ],
        "general-pci-dss-4-0-1": [
          "9.2.2",
          "9.2.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.2.2",
          "9.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.2.2",
          "9.2.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PE-5"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "PE.L1-B.1.VIII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "PEL2.-3.10.1"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(viii)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-05"
        ],
        "usa-federal-irs-1075-2021": [
          "PE-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "PE-5"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PE-05"
        ],
        "emea-isr-cmo-1-0": [
          "18.7"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1036"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.10.07.E"
        ]
      }
    },
    {
      "control_id": "PES-13",
      "title": "Information Leakage Due To Electromagnetic Signals Emanations",
      "family": "PES",
      "description": "Facility security mechanisms exist to protect the system from information leakage due to electromagnetic signals emanations.",
      "scf_question": "Does the organization protect the system from information leakage due to electromagnetic signals emanations?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to protect the system from information leakage due to electromagnetic signals emanations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use a surge protector for all equipment",
        "small": "∙ Power conditioning policy\n∙ UPS for critical systems\n∙ Surge protection for all equipment",
        "medium": "∙ Formal power protection policy\n∙ UPS for critical equipment\n∙ Power quality monitoring",
        "large": "∙ Enterprise power protection program\n∙ UPS + generator\n∙ Power quality monitoring",
        "enterprise": "∙ Enterprise power management platform (UPS, PDU, generator)\n∙ Power quality monitoring\n∙ N+1 redundancy\n∙ DCIM integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-iso-27002-2022": [
          "8.12"
        ],
        "general-iso-27018-2025": [
          "8.12"
        ],
        "general-nist-800-53-r4": [
          "PE-19"
        ],
        "general-nist-800-53-r5-2": [
          "PE-19"
        ],
        "general-nist-800-82-r3": [
          "PE-19"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0246",
          "ISM-0249",
          "ISM-0250"
        ],
        "apac-nzl-ism-3-9": [
          "10.7.6.C.01",
          "10.7.6.C.02",
          "10.7.7.C.01",
          "10.7.7.C.02",
          "10.7.8.C.01",
          "10.7.9.C.01"
        ]
      }
    },
    {
      "control_id": "PES-14",
      "title": "Asset Monitoring and Tracking",
      "family": "PES",
      "description": "Physical security mechanisms exist to employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.",
      "scf_question": "Does the organization employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Physical security policy\n∙ Door locks and key management",
        "small": "∙ Physical security policy\n∙ Access log\n∙ Visitor procedures",
        "medium": "∙ RFID tagging",
        "large": "∙ RFID tagging",
        "enterprise": "∙ RFID tagging"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "PE-20"
        ],
        "general-nist-800-53-r5-2": [
          "PE-20"
        ],
        "general-nist-800-82-r3": [
          "PE-20"
        ],
        "general-nist-800-161-r1": [
          "PE-20"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-20"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-20"
        ]
      }
    },
    {
      "control_id": "PES-15",
      "title": "Electromagnetic Pulse (EMP) Protection",
      "family": "PES",
      "description": "Physical security mechanisms exist to employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components.",
      "scf_question": "Does the organization employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Physical security policy\n∙ Door locks and key management",
        "small": "∙ Physical security policy\n∙ Access log\n∙ Visitor procedures",
        "medium": "∙ Formal physical security program\n∙ Card-based access control\n∙ CCTV",
        "large": "∙ EMP shielding (Faraday cages)",
        "enterprise": "∙ EMP shielding (Faraday cages)"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-GV-1"
      ],
      "threats": [
        "NT-9",
        "MT-4",
        "MT-6",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2"
        ],
        "general-nist-800-53-r5-2": [
          "PE-21"
        ],
        "general-nist-800-82-r3": [
          "PE-21"
        ]
      }
    },
    {
      "control_id": "PES-16",
      "title": "Component Marking",
      "family": "PES",
      "description": "Physical security mechanisms exist to mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component.",
      "scf_question": "Does the organization mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "Physical & Environmental Security (PES) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Physical security / facilities management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Physical security / facilities management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Physical security controls and technologies primarily focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational physical security capability exists to mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component.",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Ensure facility can be secured during and after emergencies",
        "small": "∙ Physical security contingency plan\n∙ Access control backup procedures",
        "medium": "∙ Formal physical security contingency plan\n∙ Backup physical access controls",
        "large": "∙ Enterprise physical security continuity program\n∙ Backup access control systems",
        "enterprise": "∙ Enterprise physical security resilience program\n∙ Backup physical security systems\n∙ Emergency response integration\n∙ Regular drills"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PE-22"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-22"
        ],
        "general-nist-800-82-r3": [
          "PE-22"
        ],
        "general-nist-800-82-r3-mod": [
          "PE-22"
        ],
        "general-nist-800-82-r3-high": [
          "PE-22"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-22"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-22"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-22"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-22"
        ],
        "emea-sau-cgiot-2024": [
          "2-6-1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1107",
          "ISM-1216",
          "ISM-1217",
          "ISM-1599",
          "ISM-1718",
          "ISM-1719",
          "ISM-1720",
          "ISM-1721",
          "ISM-1728",
          "ISM-1729"
        ]
      }
    },
    {
      "control_id": "PES-17",
      "title": "Proximity Sensor",
      "family": "PES",
      "description": "Automated mechanisms exist to monitor physical proximity to robotic or autonomous platforms to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario.",
      "scf_question": "Does the organization use automated mechanisms to monitor physical proximity to robotic or autonomous platforms to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically monitor physical proximity to robotic or autonomous platforms to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document and protect physical assets at remote/alternate sites",
        "small": "∙ Physical security policy for remote/alternate work sites",
        "medium": "∙ Formal remote site physical security policy\n∙ Controls commensurate with risks",
        "large": "∙ Enterprise remote site physical security program\n∙ Security assessments for remote locations",
        "enterprise": "∙ Enterprise remote site security program\n∙ Standardized physical security controls\n∙ Regular remote site audits"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-6",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {}
    },
    {
      "control_id": "PES-18",
      "title": "On-Site Client Segregation",
      "family": "PES",
      "description": "Mechanisms exist to ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces.",
      "scf_question": "Does the organization ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPhysical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure client-specific sensitive/regulated data is isolated from other data when client-specific sensitive/regulated data is processed or stored within multi-client workspaces.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Physical security controls for embedded devices and IoT in facility",
        "large": "∙ Enterprise IoT/embedded device physical security program",
        "enterprise": "∙ Enterprise IoT/OT physical security program\n∙ Physical tamper detection\n∙ Device inventory and monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "general-nist-800-172": [
          "3.13.4e"
        ],
        "general-tisax-6-0-3": [
          "5.3.4",
          "8.1.8"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SC.L3-3.13.4E"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-38"
        ]
      }
    },
    {
      "control_id": "PES-19",
      "title": "Physical Access Device Inventories",
      "family": "PES",
      "description": "Mechanisms exist to maintain an accurate inventory of all physical access devices (e.g., RFID cards, access fobs, door keys, etc.).",
      "scf_question": "Does the organization maintain an accurate inventory of all physical access devices (e.g., RFID cards, access fobs, door keys, etc.)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Facility",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Physical & Environmental Security (PES) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PES domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Physical security-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).\n▪ IT and/or cybersecurity personnel implement appropriate physical security practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Physical & Environmental Security (PES) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PES domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PES domain capabilities are well-documented and kept current by process owners.\n▪ A facilities management team, or similar function, is appropriately staffed and supported to implement and maintain NET domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of physical and environmental security operations (e.g., facility management solution, visitor log management automation, proximity badge access, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PES domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain an accurate inventory of all physical access devices (e.g., RFID cards, access fobs, door keys, etc.).",
        "4": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Physical & Environmental Security (PES) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Check that no unauthorized recording devices are in sensitive meetings",
        "small": "∙ Policy restricting recording devices in sensitive areas",
        "medium": "∙ Formal surveillance protection policy\n∙ Prohibition of unauthorized recording in sensitive areas",
        "large": "∙ Enterprise counter-surveillance program\n∙ Technical detection of recording devices",
        "enterprise": "∙ Enterprise counter-surveillance program\n∙ Technical TSCM capabilities\n∙ Regular sweeps of sensitive areas"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Physical & Environmental Security",
      "crosswalks": {
        "emea-gbr-def-stan-05-138-2024": [
          "1501"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1501"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1501"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1501"
        ]
      }
    },
    {
      "control_id": "PRI-01",
      "title": "Data Privacy Program",
      "family": "PRI",
      "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
      "scf_question": "Does the organization facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-02",
        "E-GOV-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Privacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.\n▪ Data/process owners are expected to take the initiative to work with Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.\n▪ No formal data privacy principles are identified for the organization.\n▪ Data/process owners perform their own Data Protection Impact Assessment (DPIA).",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A qualified individual is formally assigned as the Chief Privacy Officer (CPO), or similar role, to lead the organization's data privacy program. This individual may be assigned to multiple data privacy-related roles.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data privacy program",
        "small": "∙ Data privacy program",
        "medium": "∙ Data privacy program",
        "large": "∙ Data privacy program",
        "enterprise": "∙ Data privacy program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0",
          "M1.2",
          "N2.2-POF1",
          "D6.1-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.3-POF6",
          "CC2.3-POF7",
          "CC8.1-POF17",
          "CC8.1-POF18",
          "P1.0"
        ],
        "general-apec-privacy-framework-2015": [
          "1",
          "9"
        ],
        "general-cobit-2019": [
          "APO04.01"
        ],
        "general-csa-iot-2": [
          "LGL-04"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.34"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "5.1.1",
          "7.2.1",
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.1",
          "5.4",
          "5.34"
        ],
        "general-iso-27701-2025": [
          "4.4",
          "5.1",
          "6.1.1",
          "6.1.1(a)",
          "6.1.1(b)",
          "6.1.3(h)",
          "6.2",
          "6.2(a)",
          "6.2(b)",
          "6.2(c)",
          "6.2(d)",
          "6.2(e)",
          "6.2(f)",
          "6.2(g)",
          "6.3",
          "7.1",
          "7.4",
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3"
        ],
        "general-iso-29100-2024": [
          "6.1"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.6"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P1",
          "GV.PO-P5",
          "GV.PO-P6",
          "GV.MT-P",
          "CT-P",
          "CT.PO-P2",
          "CT.DM-P",
          "CT.DP-P",
          "CM.PO-P1",
          "CM.AW-P",
          "PR.PO-P9"
        ],
        "general-nist-800-53-r5-2": [
          "PM-18",
          "PT-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-18",
          "PT-01"
        ],
        "general-nist-800-82-r3": [
          "PM-18",
          "PT-01"
        ],
        "general-nist-800-82-r3-low": [
          "PM-18"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-18"
        ],
        "general-nist-800-82-r3-high": [
          "PM-18"
        ],
        "general-nist-800-161-r1": [
          "PM-18",
          "PT-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PM-18",
          "PT-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-18",
          "PT-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-18",
          "PT-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "PT-1"
        ],
        "general-nist-csf-2-0": [
          "GV.OC-03"
        ],
        "general-oecd-privacy-principles-2010": [
          "8"
        ],
        "general-scf-dpmp-2025": [
          "1.0",
          "1.1"
        ],
        "general-shared-assessments-sig-2025": [
          "P.3"
        ],
        "general-tisax-6-0-3": [
          "7.1.2"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "III.15.a"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(d)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PT-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PT-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PT-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PT-01"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.502(a)",
          "164.530(a)(1)(i)",
          "164.530(i)(1)",
          "164.530(i)(4)(i)(A)",
          "164.530(i)(4)(i)(B)",
          "164.530(i)(5)",
          "164.530(i)(5)(i)",
          "164.530(i)(5)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-18",
          "PT-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "AR-1",
          "AR-1.b",
          "AR-1.c",
          "AR-1.d",
          "AR-1.e",
          "AR-1.f"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7002(a)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.1"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(k)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.101(a)(2)",
          "541.101(b)(2)",
          "541.204(c)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.A.3"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.5"
        ],
        "emea-eu-gdpr-2016": [
          "Article 5.1(a)",
          "Article 9.1",
          "Article 12.2"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "4"
        ],
        "emea-deu-fdpa-2017": [
          "Inferred",
          "Expectation"
        ],
        "emea-grc-pirppd-1997": [
          "Inferred",
          "Expectation"
        ],
        "emea-hun-isdfi-2011": [
          "Inferred",
          "Expectation"
        ],
        "emea-irl-dpa-2003": [
          "Inferred",
          "Expectation"
        ],
        "emea-isr-ppl-5741-1981": [
          "Inferred",
          "Expectation"
        ],
        "emea-ita-pdpc-2003": [
          "Inferred",
          "Expectation"
        ],
        "emea-ken-pda-2019": [
          "30(1)(a)",
          "30(1)(b)(i)",
          "30(1)(b)(ii)",
          "30(1)(b)(iii)",
          "30(1)(b)(iv)",
          "30(1)(b)(v)",
          "30(1)(b)(vi)",
          "30(1)(b)(vii)",
          "30(1)(b)(viii)",
          "30(2)",
          "30(3)"
        ],
        "emea-nga-dpr-2019": [
          "4.1(3)"
        ],
        "emea-nor-pda-2018": [
          "Inferred",
          "Expectation"
        ],
        "emea-pol-act-29-1997": [
          "Inferred",
          "Expectation"
        ],
        "emea-qat-pdppl-2020": [
          "2",
          "3",
          "8.1"
        ],
        "emea-rus-federal-law-27-2006": [
          "Inferred",
          "Expectation"
        ],
        "emea-sau-pdpl-2023": [
          "Article 11.2"
        ],
        "emea-srb-act-9-2018": [
          "5.1",
          "59",
          "59.1",
          "59.2",
          "59.3",
          "59.4",
          "59.5",
          "59.6",
          "59.7",
          "59.8",
          "59.9",
          "59.10",
          "59.11"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "20",
          "60"
        ],
        "emea-esp-decree-1720-2007": [
          "Inferred",
          "Expectation"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.7.1 [MP.INFO.1]"
        ],
        "emea-che-fadp-2025": [
          "Inferred",
          "Expectation"
        ],
        "emea-tur-lppd-2016": [
          "Inferred",
          "Expectation"
        ],
        "emea-gbr-dpa-1998": [
          "Inferred",
          "Expectation"
        ],
        "apac-aus-privacy-act-1998": [
          "Inferred",
          "Expectation"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 1"
        ],
        "apac-chn-csnip-2012": [
          "Inferred",
          "Expectation"
        ],
        "apac-chn-pipl-2021": [
          "7",
          "16",
          "51",
          "51(1)",
          "51(2)",
          "51(3)",
          "51(4)",
          "51(5)",
          "51(6)",
          "58",
          "58(1)",
          "58(2)",
          "58(3)",
          "58(4)",
          "59"
        ],
        "apac-hkg-pdo-2022": [
          "Inferred",
          "Expectation"
        ],
        "apac-ind-privacy-rules-2011": [
          "Inferred",
          "Expectation"
        ],
        "apac-jpn-ppi-2020": [
          "24(3)",
          "26(1)",
          "26(1)(i)",
          "26(1)(ii)",
          "26(2)",
          "26(3)",
          "26(4)",
          "26-2(1)",
          "26-2(1)(i)",
          "26-2(1)(ii)",
          "26-2(2)",
          "26-2(3)",
          "36",
          "37",
          "38",
          "39",
          "51(1)",
          "51(2)",
          "52(1)",
          "53(2)",
          "53(3)",
          "53(1)",
          "53(4)",
          "54",
          "55"
        ],
        "apac-jpn-ismap": [
          "5.1.1",
          "5.1.1.19",
          "18.1.4"
        ],
        "apac-mys-pdpa-2010": [
          "23"
        ],
        "apac-phl-dpa-2012": [
          "Inferred",
          "Expectation"
        ],
        "apac-sgp-pdpa-2012": [
          "12"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "30"
        ],
        "apac-twn-pdpa-2025": [
          "Inferred",
          "Expectation"
        ],
        "americas-bhs-dpa-2003": [
          "6"
        ],
        "americas-bra-lgpd-2018": [
          "6.8",
          "6.10",
          "50"
        ],
        "americas-can-pipeda-2000": [
          "Principle 1",
          "Principle 8"
        ],
        "americas-chl-act-19628-1999": [
          "Inferred",
          "Expectation"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "6",
          "14",
          "30"
        ]
      }
    },
    {
      "control_id": "PRI-01.1",
      "title": "Chief Privacy Officer (CPO)",
      "family": "PRI",
      "description": "Mechanisms exist to appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable data privacy requirements and manage data privacy risks through the organization-wide data privacy program.",
      "scf_question": "Does the organization have a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable data privacy requirements and manage data privacy risks through the organization-wide data privacy program?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-08"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A qualified individual is formally assigned as the Chief Privacy Officer (CPO), or similar role, to lead the organization's data privacy program. This individual may be assigned to multiple data privacy-related roles.\n▪ The CPO, or similar role, identifies appropriate data privacy controls that Technology Assets, Applications and/or Services (TAAS) and third-parties must adhere to, in addition to applicable statutory, regulatory and/or contractual obligations.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ A Chief Privacy Officer (CPO) or similar role, has the authority, mission, accountability and resources to coordinate, develop and implement, applicable data privacy requirements and manage data privacy risks through the organization-wide data privacy program.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Privacy policy document\n∙ Data handling procedures",
        "small": "∙ Written privacy policy\n∙ Data subject request procedures",
        "medium": "∙ Data privacy program\n∙ Assigned Chief Privacy Officer (CPO) role",
        "large": "∙ Assigned Chief Privacy Officer (CPO) role",
        "enterprise": "∙ Assigned Chief Privacy Officer (CPO) role"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF1",
          "N2.2-POF1"
        ],
        "general-apec-privacy-framework-2015": [
          "9"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "5.3"
        ],
        "general-iso-29100-2024": [
          "6.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P3"
        ],
        "general-nist-800-53-r4": [
          "AR-1"
        ],
        "general-nist-800-53-r5-2": [
          "PM-19"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-19"
        ],
        "general-nist-800-82-r3": [
          "PM-19"
        ],
        "general-nist-800-82-r3-low": [
          "PM-19"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-19"
        ],
        "general-nist-800-82-r3-high": [
          "PM-19"
        ],
        "general-nist-800-161-r1": [
          "PM-19"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-19"
        ],
        "general-oecd-privacy-principles-2010": [
          "8"
        ],
        "general-scf-dpmp-2025": [
          "1.1"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.530(a)(1)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-19"
        ],
        "usa-federal-cms-marse-2-0": [
          "AR-1.a"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4d",
          "Sec 4f",
          "Sec 4g"
        ],
        "emea-hun-isdfi-2011": [
          "24"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "30"
        ],
        "emea-pol-act-29-1997": [
          "46"
        ],
        "emea-qat-pdppl-2020": [
          "8.1"
        ],
        "emea-rus-federal-law-27-2006": [
          "23"
        ],
        "emea-zaf-popia-2013": [
          "55",
          "56"
        ],
        "apac-chn-pipl-2021": [
          "9",
          "52"
        ],
        "apac-jpn-ppi-2020": [
          "21"
        ],
        "apac-sgp-pdpa-2012": [
          "11"
        ],
        "apac-kor-pipa-2011": [
          "31"
        ],
        "americas-bra-lgpd-2018": [
          "6.8",
          "6.10"
        ],
        "americas-chl-act-19628-1999": [
          "7",
          "11"
        ],
        "americas-col-law-1581-2012": [
          "17",
          "18"
        ]
      }
    },
    {
      "control_id": "PRI-01.2",
      "title": "Privacy Act Statements",
      "family": "PRI",
      "description": "Mechanisms exist to provide additional formal notice to individuals from whom the information is being collected that includes:\n(1) Notice of the authority of organizations to collect Personal Data (PD); \n(2) Whether providing PD is mandatory or optional; \n(3) The principal purpose or purposes for which the PD is to be used; \n(4) The intended disclosures or routine uses of the information; and \n(5) The consequences of not providing all or some portion of the information requested.",
      "scf_question": "Does the organization provide additional formal notice to individuals from whom the information is being collected that includes:\n (1) Notice of the authority of organizations to collect Personal Data (PD); \n (2) Whether providing PD is mandatory or optional; \n (3) The principal purpose or purposes for which the PD is to be used; \n (4) The intended disclosures or routine uses of the information; and \n (5) The consequences of not providing all or some portion of the information requested?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Privacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.\n▪ Data/process owners are expected to take the initiative to work with Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide additional formal notice to individuals from whom the information is being collected that includes:\n(1) Notice of the authority of organizations to collect Personal Data (PD); \n(2) Whether providing PD is mandatory or optional; \n(3) The principal purpose or purposes for which the PD is to be used; \n(4) The intended disclosures or routine uses of the information; and \n(5) The consequences of not providing all or some portion of the information requested.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data privacy program",
        "small": "∙ Data privacy program",
        "medium": "∙ Data privacy program",
        "large": "∙ Data privacy program",
        "enterprise": "∙ Data privacy program"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P1.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.PO-P1"
        ],
        "general-nist-800-53-r4": [
          "TR-2"
        ],
        "general-nist-800-53-r5-2": [
          "PT-05(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-05(02)"
        ],
        "general-nist-800-82-r3": [
          "PT-05(02)"
        ],
        "general-scf-dpmp-2025": [
          "4.0"
        ],
        "usa-federal-cms-marse-2-0": [
          "TR-2",
          "TR-2.c"
        ],
        "emea-gbr-dpa-1998": [
          "Chapter29-Schedule1-Part1-Principles 8"
        ]
      }
    },
    {
      "control_id": "PRI-01.3",
      "title": "Dissemination of Data Privacy Program Information",
      "family": "PRI",
      "description": "Mechanisms exist to: \n(1) Ensure that the public has access to information about organizational data privacy activities and can communicate with its Chief Privacy Officer (CPO) or similar role;\n(2) Ensure that organizational data privacy practices are publicly available through organizational websites or document repositories; \n(3) Utilize publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to data privacy office(s) regarding data privacy practices; and\n(4) Inform data subjects when changes are made to the privacy notice and the nature of such changes.",
      "scf_question": "Does the organization: \n (1) Ensure that the public has access to information about organizational data privacy activities and can communicate with its Chief Privacy Officer (CPO) or similar role;\n (2) Ensure that organizational data privacy practices are publicly available through organizational websites or document repositories; \n (3) Utilize publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to data privacy office(s) regarding data privacy practices; and\n (4) Inform data subjects when changes are made to the privacy notice and the nature of such changes?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to: \n(1) Ensure that the public has access to information about organizational data privacy activities and can communicate with its Chief Privacy Officer (CPO) or similar role;\n(2) Ensure that organizational data privacy practices are publicly available through organizational websites or document repositories; \n(3) Utilize publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to data privacy office(s) regarding data privacy practices; and\n(4) Inform data subjects when changes are made to the privacy notice and the nature of such changes.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data privacy program",
        "small": "∙ Data privacy program",
        "medium": "∙ Data privacy program",
        "large": "∙ Data privacy program",
        "enterprise": "∙ Data privacy program"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "P1.1",
          "P1.1-POF6"
        ],
        "general-iso-27002-2022": [
          "5.1"
        ],
        "general-iso-27017-2015": [
          "5.1.1"
        ],
        "general-iso-27018-2025": [
          "5.1"
        ],
        "general-iso-27701-2025": [
          "6.2(e)",
          "7.4",
          "7.5.3(a)"
        ],
        "general-iso-29100-2024": [
          "6.8"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P1",
          "CM.PO-P1",
          "CM.AW-P1"
        ],
        "general-nist-800-53-r4": [
          "TR-3"
        ],
        "general-nist-800-53-r5-2": [
          "PM-20"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-20"
        ],
        "general-nist-800-82-r3": [
          "PM-20"
        ],
        "general-nist-800-82-r3-low": [
          "PM-20"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-20"
        ],
        "general-nist-800-82-r3-high": [
          "PM-20"
        ],
        "general-nist-800-161-r1": [
          "PM-20"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-20"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-20"
        ],
        "general-oecd-privacy-principles-2010": [
          "6"
        ],
        "general-scf-dpmp-2025": [
          "1.0",
          "11.2"
        ],
        "usa-federal-omb-fipps-1973": [
          "8"
        ],
        "usa-federal-cms-marse-2-0": [
          "TR-3",
          "TR-3.a",
          "TR-3.b"
        ],
        "usa-state-or-cpa-2023": [
          "Section 7(1)(a)(B)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-581.A.2"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 1"
        ],
        "apac-chn-pipl-2021": [
          "9",
          "48"
        ],
        "apac-jpn-ismap": [
          "5.1.1"
        ]
      }
    },
    {
      "control_id": "PRI-01.4",
      "title": "Data Protection Officer (DPO)",
      "family": "PRI",
      "description": "Mechanisms exist to appoint a Data Protection Officer (DPO):\n(1) Based on professional qualifications; and\n(2) To be involved in all issues related to how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed.",
      "scf_question": "Does the organization appoint a Data Protection Officer (DPO):\n (1) Based on professional qualifications; and\n (2) To be involved in all issues related to how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-10"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.\n▪ Data/process owners work with IT and/or cybersecurity personnel and Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and/or contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ A Data Protection Officer (DPO) is appointed:\n(1) Based on professional qualifications; and\n(2) To be involved in all issues related to how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Privacy policy document\n∙ Data handling procedures",
        "small": "∙ Written privacy policy\n∙ Data subject request procedures",
        "medium": "∙ Data privacy program\n∙ Assigned Data Protection Officer (DPO) role(s)",
        "large": "∙ Data privacy program\n∙ Assigned Data Protection Officer (DPO) role(s)",
        "enterprise": "∙ Data privacy program\n∙ Assigned Data Protection Officer (DPO) role(s)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-iso-29100-2024": [
          "6.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P3",
          "CT.PO-P2",
          "CM.PO-P2"
        ],
        "general-scf-dpmp-2025": [
          "1.1"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.530(a)(1)(ii)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 27.1",
          "Article 27.3",
          "Article 27.4",
          "Article 27.5",
          "Article 35.2",
          "Article 37.1",
          "Article 37.1(a)",
          "Article 37.1(b)",
          "Article 37.1(c)",
          "Article 37.2",
          "Article 37.3",
          "Article 37.4",
          "Article 37.5",
          "Article 37.6",
          "Article 37.7",
          "Article 38.1",
          "Article 38.2",
          "Article 38.3",
          "Article 38.4",
          "Article 38.5",
          "Article 38.6",
          "Article 39.1",
          "Article 39.1(a)",
          "Article 39.1(b)",
          "Article 39.1(c)",
          "Article 39.1(d)",
          "Article 39.1(e)",
          "Article 39.2"
        ],
        "emea-ken-pda-2019": [
          "24(1)",
          "24(1)(a)",
          "24(1)(b)",
          "24(1)(c)",
          "24(2)",
          "24(3)",
          "24(4)",
          "24(5)",
          "24(6)",
          "24(7)(a)",
          "24(7)(b)",
          "24(7)(c)",
          "24(7)(d)",
          "24(7)(e)"
        ],
        "emea-nga-dpr-2019": [
          "4.1(2)",
          "4.1(3)"
        ],
        "emea-qat-pdppl-2020": [
          "8.2",
          "10"
        ],
        "emea-sau-pdpl-2023": [
          "Article 30.2"
        ],
        "emea-srb-act-9-2018": [
          "44",
          "44.1",
          "44.2",
          "56",
          "56.1",
          "56.2",
          "56.3",
          "57",
          "58",
          "58.1",
          "58.2",
          "58.3",
          "58.4"
        ],
        "emea-zaf-popia-2013": [
          "17",
          "55",
          "56"
        ],
        "apac-chn-pipl-2021": [
          "9",
          "52",
          "53"
        ],
        "apac-ind-dpdpa-2023": [
          "10(2)(a)",
          "10(2)(a)(iv)"
        ],
        "americas-bra-lgpd-2018": [
          "6.8",
          "6.10",
          "41"
        ],
        "americas-can-pipeda-2000": [
          "Sec 6"
        ]
      }
    },
    {
      "control_id": "PRI-01.5",
      "title": "Binding Corporate Rules (BCR)",
      "family": "PRI",
      "description": "Mechanisms exist to implement and manage Binding Corporate Rules (BCR) (e.g., data sharing agreement) to legally-bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data.",
      "scf_question": "Does the organization implement and manage Binding Corporate Rules (BCR) (e.g., data sharing agreement) to legally-bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement and manage Binding Corporate Rules (BCR) (e.g., data sharing agreement) to legally-bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data privacy program",
        "small": "∙ Data privacy program",
        "medium": "∙ Data privacy program",
        "large": "∙ Data privacy program",
        "enterprise": "∙ Data privacy program"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-tisax-6-0-3": [
          "9.5.1",
          "9.5.2",
          "9.5.3"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.3.a",
          "II.3.b",
          "III.9.b.i",
          "III.9.b.ii",
          "III.9.b.iii",
          "III.9.c.i",
          "III.9.d.i",
          "III.9.d.ii",
          "III.9.e.i",
          "III.10.a.i",
          "III.10.a.ii.1",
          "III.10.a.ii.2",
          "III.10.a.ii.3",
          "III.10.a.iii",
          "III.10.b.i",
          "III.10.c.i"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-579.B"
        ],
        "emea-eu-gdpr-2016": [
          "Article 45.1",
          "Article 46.1",
          "Article 46.2(b)"
        ],
        "emea-qat-pdppl-2020": [
          "15"
        ],
        "emea-sau-pdpl-2023": [
          "Article 29.2.b"
        ],
        "emea-srb-act-9-2018": [
          "65",
          "65.x",
          "66",
          "67",
          "67.x"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 12",
          "P12-(1)",
          "P12-(1)(a)",
          "P12-(1)(b)",
          "P12-(1)(c)",
          "P12-(1)(d)",
          "P12-(1)(e)",
          "P12-(1)(f)",
          "P12-(2)",
          "P12-(3)"
        ]
      }
    },
    {
      "control_id": "PRI-01.6",
      "title": "Security of Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to ensure Personal Data (PD) is protected by logical and physical security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.",
      "scf_question": "Does the organization ensure Personal Data (PD) is protected by logical and physical security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure Personal Data (PD) is protected by logical and physical security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF6",
          "M1.4-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC6.1-POF13",
          "P4.2-POF2"
        ],
        "general-apec-privacy-framework-2015": [
          "7"
        ],
        "general-iso-27002-2022": [
          "5.34"
        ],
        "general-iso-27018-2025": [
          "5.34"
        ],
        "general-iso-29100-2024": [
          "6.11"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-4.1-001"
        ],
        "general-oecd-privacy-principles-2010": [
          "5"
        ],
        "general-pci-dss-4-0-1": [
          "12.9.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.9.1"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "7.1.2"
        ],
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(b)(1)(D)"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.4.a"
        ],
        "usa-federal-omb-fipps-1973": [
          "8"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(vii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(d)(4)",
          "7024(f)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1305(2)(a)",
          "6-1-1305(4)",
          "6-1-1308(5)"
        ],
        "usa-state-il-bipa-2008": [
          "15(e)(1)",
          "15(e)(2)"
        ],
        "usa-state-il-pipa-2006": [
          "45(a)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.1"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(a)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.578(1)(c)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(1)(c)",
          "Section 6(1)(b)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3204(a)(3)"
        ],
        "usa-state-tx-bc521-2009": [
          "521.052(a)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.A.3",
          "59.1-579.A.1",
          "59.1-579.B.1"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(a)(2)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.5(b)",
          "Article 10.5(c)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 5.1(f)",
          "Article 24.1",
          "Article 25.1",
          "Article 25.2",
          "Article 32.1",
          "Article 32.1(a)",
          "Article 32.1(b)"
        ],
        "emea-ken-pda-2019": [
          "29(f)",
          "41(1)",
          "41(1)(a)",
          "41(1)(b)",
          "41(2)",
          "41(3)(a)",
          "41(3)(b)",
          "41(3)(c)",
          "41(3)(d)",
          "41(3)(e)",
          "41(4)(a)",
          "41(4)(b)",
          "41(4)(c)",
          "41(4)(d)",
          "41(4)(e)",
          "41(4)(f)",
          "42(1)(a)",
          "42(1)(b)",
          "42(1)(c)",
          "42(1)(d)",
          "42(2)(a)",
          "42(2)(b)",
          "42(3)",
          "42(4)"
        ],
        "emea-nga-dpr-2019": [
          "2.1(1)(d)",
          "2.6"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "13"
        ],
        "emea-sau-pdpl-2023": [
          "Article 19"
        ],
        "emea-srb-act-9-2018": [
          "5.6",
          "41",
          "42",
          "42.1",
          "42.2",
          "50",
          "50.1",
          "50.2",
          "50.3",
          "50.4",
          "51",
          "51.1",
          "51.2",
          "51.3",
          "51.4",
          "51.5",
          "51.6",
          "51.7",
          "51.8",
          "51.9",
          "51.10"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 42"
        ],
        "apac-chn-pipl-2021": [
          "9",
          "25",
          "28",
          "59"
        ],
        "apac-ind-dpdpa-2023": [
          "8(4)",
          "8(5)"
        ],
        "apac-jpn-ppi-2020": [
          "20",
          "21"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 5",
          "P5-(a)",
          "P5-(a)(i)",
          "P5-(a)(ii)",
          "P5-(a)(iii)",
          "P5-(b)"
        ],
        "apac-sgp-mas-trm-2021": [
          "14.1.1",
          "14.1.2",
          "14.1.3",
          "14.1.4",
          "14.1.5",
          "14.1.6",
          "14.1.7"
        ]
      }
    },
    {
      "control_id": "PRI-01.7",
      "title": "Limiting Personal Data (PD) Disclosures",
      "family": "PRI",
      "description": "Mechanisms exist to limit the disclosure of Personal Data (PD) to authorized parties for the sole purpose for which the PD was obtained.",
      "scf_question": "Does the organization limit the disclosure of Personal Data (PD) to authorized parties for the sole purpose for which the PD was obtained?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit the disclosure of Personal Data (PD) to authorized parties for the sole purpose for which the PD was obtained.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF5",
          "D6.1",
          "D6.1-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "P6.1-POF2",
          "P6.1-POF3",
          "P6.1-POF4",
          "P6.4-POF1"
        ],
        "general-iso-29100-2024": [
          "6.6"
        ],
        "general-shared-assessments-sig-2025": [
          "P.6"
        ],
        "general-tisax-6-0-3": [
          "9.2.1"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "III.8.c.ii",
          "III.14.e.i"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(1)",
          "155.260(a)(1)(ii)",
          "155.260(a)(1)(iii)",
          "155.260(a)(1)(iii)(A)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7027(m)"
        ],
        "usa-state-il-ipa-2009": [
          "10(a)(1)",
          "10(a)(2)",
          "10(a)(4)",
          "10(b)(1)",
          "10(c)",
          "10(c)(1)",
          "10(c)(2)",
          "10(c)(5)"
        ],
        "emea-sau-pdpl-2023": [
          "Article 23.1",
          "Article 23.2",
          "Article 29.2.c"
        ],
        "emea-srb-act-9-2018": [
          "33"
        ],
        "apac-chn-pipl-2021": [
          "20",
          "21",
          "22",
          "25",
          "41"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 11",
          "P11-(1)",
          "P11-(1)(a)",
          "P11-(1)(b)",
          "P11-(1)(c)",
          "P11-(1)(d)",
          "P11-(1)(e)(i)",
          "P11-(1)(e)(ii)",
          "P11-(1)(e)(iii)",
          "P11-(1)(e)(iv)",
          "P11-(1)(f)(i)",
          "P11-(1)(f)(ii)",
          "P11-(1)(g)",
          "P11-(1)(h)(i)",
          "P11-(1)(h)(ii)",
          "P11-(1)(i)",
          "P11-(2)",
          "Principle 12",
          "P12-(1)",
          "P12-(1)(a)",
          "P12-(1)(b)",
          "P12-(1)(c)",
          "P12-(1)(d)",
          "P12-(1)(e)",
          "P12-(1)(f)",
          "P12-(2)",
          "P12-(3)"
        ]
      }
    },
    {
      "control_id": "PRI-01.8",
      "title": "Data Fiduciary",
      "family": "PRI",
      "description": "Mechanisms exist to appoint an individual to determine the following criteria about Personal Data (PD):\n(1) The purpose why PD is necessary; \n(2) Authorized methods to collect, receive, process, store, transmit, share, update and/or dispose PD; and\n(3) Authorized parties PD may be shared with.",
      "scf_question": "Does the organization appoint an individual to determine the following criteria about Personal Data (PD):\n(1) The purpose why PD is necessary; \n(2) Authorized methods to collect, receive, process, store, transmit, share, update and/or dispose PD; and\n(3) Authorized parties PD may be shared with?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to appoint an individual to determine the following criteria about Personal Data (PD):\n(1) The purpose why PD is necessary; \n(2) Authorized methods to collect, receive, process, store, transmit, share, update and/or dispose PD; and\n(3) Authorized parties PD may be shared with.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "small": "∙ Designate a data fiduciary as required by applicable law",
        "medium": "∙ Data fiduciary designation and responsibilities documentation",
        "large": "∙ Formal data fiduciary program\n∙ Designated fiduciary with documented responsibilities",
        "enterprise": "∙ Enterprise data fiduciary framework\n∙ Legal compliance program\n∙ Data fiduciary accountability measures"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P3"
        ],
        "apac-ind-dpdpa-2023": [
          "5(3)",
          "8(9)",
          "8(10)",
          "8(11)",
          "10(2)",
          "10(2)(a)(i)",
          "10(2)(a)(ii)",
          "10(2)(a)(iii)"
        ]
      }
    },
    {
      "control_id": "PRI-01.9",
      "title": "Personal Data (PD) Process Manager",
      "family": "PRI",
      "description": "Mechanisms exist to assign accountability to a Personal Data Process Manager, or equivalent role, to ensure Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed of according to data subject consent.",
      "scf_question": "Does the organization assign accountability to a Personal Data Process Manager, or equivalent role, to ensure Personal Data (PD)is collected, received, processed, stored, transmitted, shared, updated and/or disposed of according to data subject consent?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Accountability is assigned to a Personal Data Process Manager, or equivalent role, to ensure Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed of according to data subject consent.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Assign someone to oversee personal data processing activities",
        "small": "∙ Designated personal data process manager role",
        "medium": "∙ Formal personal data process manager role and responsibilities",
        "large": "∙ Enterprise PD process management function\n∙ Designated process manager with authority",
        "enterprise": "∙ Enterprise privacy operations team\n∙ Data process manager with enterprise authority\n∙ Privacy management platform (e.g., OneTrust)"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "apac-ind-dpdpa-2023": [
          "6(8)"
        ]
      }
    },
    {
      "control_id": "PRI-01.10",
      "title": "Financial Incentives For Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to strictly govern financial incentives offered to data subjects for Personal Data (PD) to ensure compliance with applicable legal and regulatory requirements.",
      "scf_question": "Does the organization strictly govern financial incentives offered to data subjects for Personal Data (PD) to ensure compliance with applicable legal and regulatory requirements?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to strictly govern financial incentives offered to data subjects for Personal Data (PD) to ensure compliance with applicable legal and regulatory requirements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document any financial incentives offered for personal data",
        "small": "∙ Policy disclosing financial incentives for personal data collection",
        "medium": "∙ Formal financial incentive disclosure policy\n∙ Privacy notice updates",
        "large": "∙ Enterprise financial incentive disclosure program\n∙ Legal review of incentive structures",
        "enterprise": "∙ Enterprise privacy compliance platform\n∙ Automated disclosure management\n∙ Legal and compliance review"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7016(a)",
          "7016(b)",
          "7016(c)",
          "7016(d)",
          "7016(d)(1)",
          "7016(d)(2)",
          "7016(d)(3)",
          "7016(d)(4)",
          "7016(d)(5)",
          "7016(d)(5)(A)",
          "7016(d)(5)(B)",
          "7027(k)",
          "7081(a)",
          "7081(a)(1)",
          "7081(a)(2)",
          "7081(a)(3)",
          "7081(a)(4)",
          "7081(a)(5)",
          "7081(a)(6)",
          "7081(a)(7)",
          "7081(a)(8)",
          "7081(b)"
        ]
      }
    },
    {
      "control_id": "PRI-01.11",
      "title": "Reasonable Data Privacy Practices",
      "family": "PRI",
      "description": "Mechanisms exist to limit the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of Personal Data (PD) according to reasonable consumer expectations for what is necessary and proportionate.",
      "scf_question": "Does the organization limit the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of Personal Data (PD) according to reasonable consumer expectations for what is necessary and proportionate?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Privacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.\n▪ Data/process owners are expected to take the initiative to work with Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A qualified individual is formally assigned as the Chief Privacy Officer (CPO), or similar role, to lead the organization's data privacy program. This individual may be assigned to multiple data privacy-related roles.\n▪ The CPO, or similar role, identifies appropriate data privacy controls that Technology Assets, Applications and/or Services (TAAS) and third-parties must adhere to, in addition to applicable statutory, regulatory and/or contractual obligations.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.\n▪ Communications with data subjects are designed to be readily accessible and written in a manner that is concise, unambiguous and understandable by a reasonable person.\n▪ Asset / process owners collect, store, process, transmit, share or use PD only for the purposes identified in the data privacy notice.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of Personal Data (PD) according to reasonable consumer expectations for what is necessary and proportionate.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Follow basic privacy best practices for data handling",
        "small": "∙ Documented reasonable data privacy practices policy",
        "medium": "∙ Formal reasonable data privacy practices program\n∙ Privacy principles implementation",
        "large": "∙ Enterprise privacy program aligned with GDPR/CCPA principles",
        "enterprise": "∙ Enterprise privacy management platform (e.g., OneTrust, TrustArc)\n∙ Comprehensive privacy practices program\n∙ Regulatory compliance management"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "N2.2-POF1"
        ],
        "general-apec-privacy-framework-2015": [
          "2-1",
          "2-2"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-08"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-29100-2024": [
          "6.5",
          "6.8",
          "6.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.14"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P5",
          "GV.MT-P3",
          "GV.MT-P5",
          "CT.PO-P1",
          "CM.AW-P2",
          "CM.AW-P3"
        ],
        "general-nist-800-37-r2": [
          "TASK P-16"
        ],
        "general-scf-dpmp-2025": [
          "1.0"
        ],
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(b)(1)(D)"
        ],
        "usa-federal-law-facta-fcra-2023": [
          "623(a)(1)(A)",
          "623(a)(1)(B)",
          "623(a)(1)(B)(i)",
          "623(a)(1)(B)(ii)"
        ],
        "usa-federal-law-ferpa-2010": [
          "1232h(a)",
          "1232h(c)(1)(C)(ii)",
          "1232h(c)(1)(D)",
          "1232h(c)(1)(E)",
          "1232h(c)(1)(F)(i)",
          "1232h(c)(1)(F)(ii)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2",
          "4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7002(b)",
          "7002(b)(1)",
          "7002(b)(2)",
          "7002(b)(3)",
          "7002(d)",
          "7002(d)(1)",
          "7002(d)(2)",
          "7027(m)",
          "7027(m)(1)",
          "7027(m)(2)",
          "7027(m)(3)",
          "7027(m)(4)",
          "7027(m)(5)",
          "7027(m)(6)",
          "7027(m)(7)",
          "7027(m)(8)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1305(2)(a)",
          "6-1-1305(4)",
          "6-1-1308(3)",
          "6-1-1308(4)",
          "6-1-1308(5)",
          "6-1-1308(7)"
        ],
        "usa-state-il-bipa-2008": [
          "15(e)(1)",
          "15(e)(2)"
        ],
        "usa-state-il-ipa-2009": [
          "10(a)(3)",
          "10(b)(2)",
          "10(b)(3)",
          "10(c)(3)",
          "10(c)(4)",
          "10(c)(6)",
          "10(d)"
        ],
        "usa-state-il-pipa-2006": [
          "45(a)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(a)",
          "899-bb.2(b)(ii)(A)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.578(1)(c)",
          "646A.578(2)(a)",
          "646A.578(2)(b)",
          "646A.578(2)(c)",
          "646A.578(2)(d)",
          "646A.581(1)",
          "646A.581(1)(a)",
          "646A.581(1)(b)",
          "646A.581(1)(c)",
          "646A.583(1)(b)"
        ],
        "usa-state-tx-bc521-2009": [
          "521.051(a)",
          "521.052(a)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.1.B",
          "59.1-577.1.C",
          "59.1-577.1.E",
          "59.1-578.A.4",
          "59.1-578.F.1.d",
          "59.1-578.F.2",
          "59.1-579.A.1",
          "59.1-579.A.2",
          "59.1-579.A.3"
        ],
        "usa-state-vt-act-171-2018": [
          "2433(a)(1)",
          "2433(a)(2)(A)",
          "2433(a)(2)(B)",
          "2433(a)(2)(C)",
          "2447(a)(2)"
        ],
        "apac-jpn-ismap": [
          "7.1.1.12",
          "18.1.4",
          "18.1.4.1",
          "18.1.4.2",
          "18.1.4.3",
          "18.1.4.4",
          "18.1.4.5",
          "18.1.4.6"
        ]
      }
    },
    {
      "control_id": "PRI-02",
      "title": "Data Privacy Notice",
      "family": "PRI",
      "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
      "scf_question": "Does the organization:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.\n▪ The CPO, or similar role, develops and ensures data privacy notices are published that include relevant purpose, notice and data privacy program information.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF1",
          "N2.1",
          "N2.1-POF2",
          "N2.1-POF3",
          "N2.1-POF4",
          "N2.2",
          "C3.1-POF3",
          "M9.1-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.3-POF7",
          "P1.1",
          "P1.1-POF1",
          "P1.1-POF2",
          "P1.1-POF3",
          "P1.1-POF4",
          "P1.1-POF5",
          "P1.1-POF7"
        ],
        "general-apec-privacy-framework-2015": [
          "2",
          "2(a)",
          "2(b)",
          "2(c)",
          "2(d)",
          "2(e)"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-14"
        ],
        "general-iso-27002-2022": [
          "5.34"
        ],
        "general-iso-27018-2025": [
          "5.34"
        ],
        "general-iso-29100-2024": [
          "6.3"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.PO-P1",
          "CM.AW-P1"
        ],
        "general-nist-800-53-r4": [
          "TR-1",
          "TR-2"
        ],
        "general-nist-800-53-r5-2": [
          "PM-20(01)",
          "PT-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-20(01)",
          "PT-05"
        ],
        "general-nist-800-82-r3": [
          "PM-20(01)",
          "PT-05"
        ],
        "general-nist-800-82-r3-low": [
          "PM-20(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-20(01)"
        ],
        "general-nist-800-82-r3-high": [
          "PM-20(01)"
        ],
        "general-scf-dpmp-2025": [
          "4.0"
        ],
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(b)(1)(A)(i)"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.1.a.i",
          "II.1.a.ii",
          "II.1.a.iii",
          "II.1.a.iv",
          "II.1.a.v",
          "II.1.a.vi",
          "II.1.a.vii",
          "II.1.a.viii",
          "II.1.a.ix",
          "II.1.a.x",
          "II.1.a.xi",
          "II.1.a.xii",
          "II.1.a.xiii",
          "II.1.b",
          "III.11.d.i",
          "III.11.d.ii",
          "III.14.b.ii"
        ],
        "usa-federal-omb-fipps-1973": [
          "7",
          "8"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(iii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.520(a)(1)",
          "164.520(a)(2)(i)",
          "164.520(a)(2)(i)(A)",
          "164.520(a)(2)(i)(B)",
          "164.520(a)(2)(ii)",
          "164.520(a)(2)(ii)(A)",
          "164.520(a)(2)(ii)(B)",
          "164.520(a)(2)(iii)",
          "164.520(b)(1)",
          "164.520(b)(1)(i)",
          "164.520(b)(1)(ii)",
          "164.520(b)(1)(ii)(A)",
          "164.520(b)(1)(ii)(B)",
          "164.520(b)(1)(ii)(C)",
          "164.520(b)(1)(ii)(D)",
          "164.520(b)(1)(ii)(E)",
          "164.520(b)(1)(iv)",
          "164.520(b)(1)(iv)(A)",
          "164.520(b)(1)(iv)(B)",
          "164.520(b)(1)(iv)(C)",
          "164.520(b)(1)(iv)(D)",
          "164.520(b)(1)(iv)(E)",
          "164.520(b)(1)(iv)(F)",
          "164.520(b)(1)(v)",
          "164.520(b)(1)(v)(A)",
          "164.520(b)(1)(v)(B)",
          "164.520(b)(1)(v)(C)",
          "164.520(b)(1)(vi)",
          "164.520(b)(1)(vii)",
          "164.520(b)(1)(viii)",
          "164.520(b)(2)(i)",
          "164.520(b)(2)(ii)",
          "164.520(b)(3)",
          "164.520(c)",
          "164.520(c)(1)(i)",
          "164.520(c)(1)(i)(A)",
          "164.520(c)(1)(i)(B)",
          "164.520(c)(1)(ii)",
          "164.520(c)(1)(iii)",
          "164.520(c)(1)(iv)",
          "164.520(c)(1)(v)",
          "164.520(c)(1)(v)(A)",
          "164.520(c)(1)(v)(B)",
          "164.530(i)(4)(i)(C)"
        ],
        "usa-federal-cms-marse-2-0": [
          "TR-1",
          "TR-1.a",
          "TR-1.a.1",
          "TR-1.a.2",
          "TR-1.a.3",
          "TR-1.a.4",
          "TR-1.b",
          "TR-1.b.1",
          "TR-1.b.2",
          "TR-1.b.3",
          "TR-1.b.4",
          "TR-1.b.5",
          "TR-1.b.6",
          "TR-1.c"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7002(b)(5)",
          "7003(a)",
          "7004(a)(1)",
          "7010(a)",
          "7011(a)",
          "7011(b)",
          "7011(c)",
          "7011(d)",
          "7011(e)",
          "7011(e)(1)",
          "7011(e)(1)(A)",
          "7011(e)(1)(B)",
          "7011(e)(1)(C)",
          "7011(e)(1)(D)",
          "7011(e)(1)(E)",
          "7011(e)(1)(F)",
          "7011(e)(1)(G)",
          "7011(e)(1)(H)",
          "7011(e)(1)(I)",
          "7011(e)(1)(J)",
          "7011(e)(2)",
          "7011(e)(2)(A)",
          "7011(e)(2)(B)",
          "7011(e)(2)(C)",
          "7011(e)(2)(D)",
          "7011(e)(2)(E)",
          "7011(e)(2)(F)",
          "7011(e)(2)(G)",
          "7011(e)(2)(H)",
          "7011(e)(3)",
          "7011(e)(3)(A)",
          "7011(e)(3)(B)",
          "7011(e)(3)(C)",
          "7011(e)(3)(D)",
          "7011(e)(3)(E)",
          "7011(e)(3)(F)",
          "7011(e)(3)(G)",
          "7011(e)(3)(H)",
          "7011(e)(3)(I)",
          "7011(e)(3)(J)",
          "7011(e)(4)",
          "7011(e)(5)",
          "7012(f)",
          "7012(g)(1)",
          "7013(c)",
          "7013(e)",
          "7013(e)(1)",
          "7013(e)(2)",
          "7013(e)(3)",
          "7013(g)(2)",
          "7014(b)",
          "7014(c)",
          "7014(d)",
          "7014(e)(1)",
          "7014(e)(2)",
          "7014(e)(3)",
          "7014(g)(1)",
          "7014(g)(2)",
          "7014(h)",
          "7025(g)(2)",
          "7025(g)(2)(A)",
          "7025(g)(2)(B)",
          "7025(g)(2)(C)",
          "7025(g)(2)(D)",
          "7072(a)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1308(1)(a)",
          "6-1-1308(1)(a)(III)",
          "6-1-1308(1)(a)(IV)",
          "6-1-1308(1)(a)(V)",
          "6-1-1308(1)(b)",
          "6-1-1308(2)"
        ],
        "usa-state-il-bipa-2008": [
          "15(a)",
          "15(b)(1)",
          "15(b)(2)"
        ],
        "usa-state-il-ipa-2009": [
          "35(a)(5)",
          "37(a)(5)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.578(1)(a)",
          "646A.578(4)",
          "646A.578(4)(a)",
          "646A.578(4)(b)",
          "646A.578(4)(c)",
          "646A.578(4)(d)",
          "646A.578(4)(e)",
          "646A.578(4)(f)",
          "646A.578(4)(g)",
          "646A.578(4)(h)",
          "646A.578(4)(i)",
          "646A.578(5)(b)",
          "646A.583(1)(a)(B)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(1)(a)",
          "Section 5(4)(a)",
          "Section 5(4)(b)",
          "Section 5(4)(c)",
          "Section 5(4)(d)",
          "Section 5(4)(e)",
          "Section 5(4)(f)",
          "Section 5(4)(g)",
          "Section 5(4)(h)",
          "Section 5(4)(i)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3204(a)(1)",
          "47-18-3204(c)",
          "47-18-3204(c)(1)",
          "47-18-3204(c)(2)",
          "47-18-3204(c)(3)",
          "47-18-3204(c)(4)",
          "47-18-3204(c)(5)",
          "47-18-3204(d)",
          "47-18-3204(e)(1)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.053(b)",
          "541.055(c)",
          "541.055(d)",
          "541.102(a)(1)",
          "541.102(a)(2)",
          "541.102(a)(3)",
          "541.102(a)(4)",
          "541.102(a)(5)",
          "541.102(a)(6)",
          "541.102(b)",
          "541.103",
          "541.106(a)(2)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.C",
          "59.1-578.C.1",
          "59.1-578.C.2",
          "59.1-578.C.3",
          "59.1-578.C.4",
          "59.1-578.C.5",
          "59.1-578.D",
          "59.1-578.E",
          "59.1-581.A.2"
        ],
        "emea-eu-gdpr-2016": [
          "Article 12.7",
          "Article 13.1(a)",
          "Article 13.1(b)",
          "Article 13.1(c)",
          "Article 13.1(d)",
          "Article 13.1(e)",
          "Article 13.2",
          "Article 13.2(a)",
          "Article 13.2(b)",
          "Article 13.2(c)",
          "Article 13.2(d)",
          "Article 13.2(e)",
          "Article 13.2(f)",
          "Article 13.3",
          "Article 14.1(a)",
          "Article 14.1(b)",
          "Article 14.1(c)",
          "Article 14.1(d)",
          "Article 14.1(e)",
          "Article 14.1(f)",
          "Article 14.2",
          "Article 14.2(a)",
          "Article 14.2(b)",
          "Article 14.2(c)",
          "Article 14.2(d)",
          "Article 14.2(e)",
          "Article 14.2(f)",
          "Article 14.2(g)",
          "Article 14.3(a)",
          "Article 14.3(b)",
          "Article 14.3(c)",
          "Article 14.4",
          "Article 14.5(a)"
        ],
        "emea-bel-act-8-1992": [
          "9"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4",
          "Sec 19"
        ],
        "emea-ita-pdpc-2003": [
          "11",
          "13",
          "37"
        ],
        "emea-ken-pda-2019": [
          "25(e)",
          "26(a)",
          "29(a)",
          "29(b)",
          "29(c)",
          "29(d)",
          "29(e)",
          "29(f)",
          "29(g)",
          "29(h)"
        ],
        "emea-nga-dpr-2019": [
          "2.5",
          "2.5(a)",
          "2.5(b)",
          "2.5(c)",
          "2.5(d)",
          "2.5(e)",
          "2.5(f)",
          "2.5(g)",
          "2.5(h)",
          "2.5(i)",
          "3.1(1)",
          "3.1(7)(a)",
          "3.1(7)(b)",
          "3.1(7)(c)",
          "3.1(7)(d)",
          "3.1(7)(e)",
          "3.1(7)(f)",
          "3.1(7)(g)",
          "3.1(7)(h)",
          "3.1(7)(i)",
          "3.1(7)(j)",
          "3.1(7)(k)",
          "3.1(7)(l)",
          "3.1(7)(m)",
          "3.1(7)(n)",
          "3.1(9)",
          "3.1(9)(a)",
          "3.1(9)(b)",
          "3.1(9)(c)",
          "3.1(9)(d)",
          "3.1(9)(e)"
        ],
        "emea-nor-pda-2018": [
          "31"
        ],
        "emea-pol-act-29-1997": [
          "23"
        ],
        "emea-qat-pdppl-2020": [
          "6.1",
          "8.1",
          "9.1",
          "9.3",
          "9.4",
          "10",
          "17.1",
          "17.2",
          "17.3",
          "17.4",
          "17.5"
        ],
        "emea-rus-federal-law-27-2006": [
          "22"
        ],
        "emea-sau-pdpl-2023": [
          "Article 4.1",
          "Article 12",
          "Article 13.2",
          "Article 13.4",
          "Article 13.5",
          "Article 13.6"
        ],
        "emea-srb-act-9-2018": [
          "5.1",
          "6.1",
          "12.2",
          "12.3",
          "12.4",
          "12.5",
          "12.6"
        ],
        "emea-zaf-popia-2013": [
          "18"
        ],
        "emea-esp-decree-1720-2007": [
          "8"
        ],
        "emea-tur-lppd-2016": [
          "10"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2406",
          "2407"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2407"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2406",
          "2407"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2406",
          "2407"
        ],
        "emea-gbr-dpa-1998": [
          "Chapter29-Schedule1-Part1-Principles 8"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 5"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 1",
          "APP 5"
        ],
        "apac-chn-pipl-2021": [
          "7",
          "17",
          "17(1)",
          "17(2)",
          "17(3)",
          "17(4)",
          "27",
          "39",
          "48"
        ],
        "apac-ind-dpdpa-2023": [
          "5(1)(i)",
          "5(1)(ii)",
          "5(1)(iii)",
          "5(2)(a)(i)",
          "5(2)(a)(ii)",
          "5(2)(a)(iii)",
          "6(3)",
          "6(10)"
        ],
        "apac-jpn-ppi-2020": [
          "15(1)",
          "15(2)"
        ],
        "apac-mys-pdpa-2010": [
          "7"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 3",
          "P3-(1)",
          "P3-(1)(a)",
          "P3-(1)(b)",
          "P3-(1)(c)",
          "P3-(1)(d)",
          "P3-(1)(d)(i)",
          "P3-(1)(d)(ii)",
          "P3-(1)(e)",
          "P3-(1)(e)(i)",
          "P3-(1)(e)(ii)",
          "P3-(1)(f)",
          "P3-(1)(g)",
          "P3-(2)",
          "P3-(3)",
          "P3-(4)",
          "P3-(4)(a)",
          "P3-(4)(b)",
          "P3-(4)(b)(i)",
          "P3-(4)(b)(ii)",
          "P3-(4)(b)(iii)",
          "P3-(4)(b)(iv)",
          "P3-(4)(c)",
          "P3-(4)(d)",
          "P3-(4)(e)",
          "P3-(4)(e)(i)",
          "P3-(4)(e)(ii)"
        ],
        "apac-sgp-pdpa-2012": [
          "14"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "4"
        ],
        "apac-twn-pdpa-2025": [
          "5"
        ],
        "americas-bra-lgpd-2018": [
          "6.2",
          "6.6",
          "8"
        ],
        "americas-can-pipeda-2000": [
          "Principle 2"
        ],
        "americas-chl-act-19628-1999": [
          "5"
        ],
        "americas-col-law-1581-2012": [
          "12"
        ],
        "americas-mex-fdpa-2010": [
          "7",
          "16",
          "17",
          "18"
        ]
      }
    },
    {
      "control_id": "PRI-02.1",
      "title": "Purpose Specification",
      "family": "PRI",
      "description": "Mechanisms exist to ensure data privacy notices identify the purpose(s) for which Personal Data (PD) is collected, received, processed, stored, transmitted and/or shared.",
      "scf_question": "Does the organization ensure data privacy notices identify the purpose(s) for which Personal Data (PD) is collected, received, processed, stored, transmitted and/or shared?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure data privacy notices identify the purpose(s) for which Personal Data (PD) is collected, received, processed, stored, transmitted and/or shared.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "C3.2-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "P1.1-POF1",
          "P1.1-POF2",
          "P1.1-POF3",
          "P1.1-POF4",
          "P6.7-POF1"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-12"
        ],
        "general-iso-27002-2022": [
          "5.34"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.34"
        ],
        "general-iso-29100-2024": [
          "6.3"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.PO-P1"
        ],
        "general-nist-800-53-r4": [
          "AP-2"
        ],
        "general-nist-800-53-r5-2": [
          "PT-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-03"
        ],
        "general-nist-800-82-r3": [
          "PT-03"
        ],
        "general-oecd-privacy-principles-2010": [
          "3"
        ],
        "general-scf-dpmp-2025": [
          "4.1"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.1.a.iv",
          "II.5.a"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PT-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PT-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PT-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PT-03"
        ],
        "usa-federal-omb-fipps-1973": [
          "3",
          "7"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.502(a)(3)",
          "164.508(c)(1)(i)",
          "164.508(c)(1)(ii)",
          "164.508(c)(1)(iii)",
          "164.508(c)(1)(iv)",
          "164.508(c)(2)(i)(A)",
          "164.508(c)(2)(i)(B)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AP-2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7002(a)(1)",
          "7002(a)(2)",
          "7002(b)(4)",
          "7027(m)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1308(1)(a)(II)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(1)(a)",
          "Section 5(4)(b)",
          "Section 5(4)(h)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3204(c)(2)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.101(b)(1)",
          "541.102(a)(2)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.C.2"
        ],
        "emea-eu-gdpr-2016": [
          "Article 13.1(c)",
          "Article 14.1(c)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 6"
        ],
        "emea-bel-act-8-1992": [
          "Sun Apr 06 2025 20:00:00 GMT-0400 (Eastern Daylight Time)"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-ppl-5741-1981": [
          "8"
        ],
        "emea-ita-pdpc-2003": [
          "13"
        ],
        "emea-ken-pda-2019": [
          "29(c)"
        ],
        "emea-nga-dpr-2019": [
          "2.3(1)"
        ],
        "emea-nor-pda-2018": [
          "32"
        ],
        "emea-pol-act-29-1997": [
          "23"
        ],
        "emea-qat-pdppl-2020": [
          "6.1",
          "8.1",
          "10"
        ],
        "emea-rus-federal-law-27-2006": [
          "5"
        ],
        "emea-sau-pdpl-2023": [
          "Article 11.1",
          "Article 13.2",
          "Article 13.3"
        ],
        "emea-srb-act-9-2018": [
          "5.1",
          "6.1",
          "12.2",
          "12.3",
          "12.4",
          "12.5",
          "12.6"
        ],
        "emea-zaf-popia-2013": [
          "13",
          "18"
        ],
        "emea-tur-lppd-2016": [
          "10"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 3"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 1"
        ],
        "apac-chn-pipl-2021": [
          "6",
          "48"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 1"
        ],
        "apac-ind-dpdpa-2023": [
          "4(2)",
          "5(1)(i)",
          "5(2)(a)(i)",
          "7(a)",
          "8(8)(a)"
        ],
        "apac-jpn-ppi-2020": [
          "15(1)",
          "15(2)"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 3",
          "P3-(1)",
          "P3-(1)(a)",
          "P3-(1)(b)",
          "P3-(1)(c)",
          "P3-(1)(d)",
          "P3-(1)(d)(i)",
          "P3-(1)(d)(ii)",
          "P3-(1)(e)",
          "P3-(1)(e)(i)",
          "P3-(1)(e)(ii)",
          "P3-(1)(f)",
          "P3-(1)(g)",
          "P3-(2)",
          "P3-(3)",
          "P3-(4)",
          "P3-(4)(a)",
          "P3-(4)(b)",
          "P3-(4)(b)(i)",
          "P3-(4)(b)(ii)",
          "P3-(4)(b)(iii)",
          "P3-(4)(b)(iv)",
          "P3-(4)(c)",
          "P3-(4)(d)",
          "P3-(4)(e)",
          "P3-(4)(e)(i)",
          "P3-(4)(e)(ii)"
        ],
        "apac-phl-dpa-2012": [
          "19"
        ],
        "apac-sgp-pdpa-2012": [
          "14",
          "19",
          "20"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "4"
        ],
        "apac-twn-pdpa-2025": [
          "5",
          "19"
        ],
        "americas-arg-ppd-2018": [
          "6",
          "27.1",
          "27.2",
          "28.1"
        ],
        "americas-bhs-dpa-2003": [
          "6"
        ],
        "americas-bra-lgpd-2018": [
          "6.1",
          "6.3"
        ],
        "americas-can-pipeda-2000": [
          "Sec 5",
          "Principle 2"
        ],
        "americas-chl-act-19628-1999": [
          "5"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "7",
          "16",
          "17",
          "18"
        ]
      }
    },
    {
      "control_id": "PRI-02.2",
      "title": "Automated Data Management Processes",
      "family": "PRI",
      "description": "Automated mechanisms exist to adjust data that is able to be collected, received, processed, stored, transmitted, shared, updated and/or disposed, based on updated data subject authorization(s).",
      "scf_question": "Does the organization use automated mechanisms to adjust data that is able to be collected, received, processed, stored, transmitted, shared, updated and/or disposed, based on updated data subject authorization(s)?",
      "relative_weight": 1,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically adjust data that is able to be collected, received, processed, stored, transmitted, shared, updated and/or disposed, based on updated data subject authorization(s).",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PM-24",
          "PT-02(02)",
          "PT-03(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-24",
          "PT-03(02)"
        ],
        "general-nist-800-82-r3": [
          "PM-24",
          "PT-02(02)",
          "PT-03(02)"
        ],
        "general-nist-800-82-r3-low": [
          "PM-24"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-24"
        ],
        "general-nist-800-82-r3-high": [
          "PM-24"
        ],
        "general-scf-dpmp-2025": [
          "5.0"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-24",
          "PT-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-24",
          "PT-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-24",
          "PT-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-24",
          "PT-03(02)"
        ],
        "emea-ken-pda-2019": [
          "35(1)",
          "35(2)",
          "35(2)(a)",
          "35(2)(b)",
          "35(2)(c)",
          "35(3)",
          "35(3)(a)",
          "35(3)(b)(i)",
          "35(3)(b)(ii)",
          "35(4)(a)",
          "35(4)(b)",
          "35(4)(c)(i)",
          "35(4)(c)(ii)"
        ],
        "emea-srb-act-9-2018": [
          "38",
          "38.1",
          "38.2",
          "38.3",
          "39"
        ],
        "emea-zaf-popia-2013": [
          "5",
          "71"
        ],
        "apac-chn-pipl-2021": [
          "24"
        ],
        "apac-twn-pdpa-2025": [
          "5"
        ],
        "americas-mex-fdpa-2010": [
          "7"
        ]
      }
    },
    {
      "control_id": "PRI-02.3",
      "title": "Computer Matching Agreements (CMA)",
      "family": "PRI",
      "description": "Mechanisms exist to publish Computer Matching Agreements (CMA) on the organization's public website(s).",
      "scf_question": "Does the organization publish Computer Matching Agreements (CMA) on its public website(s)?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to publish Computer Matching Agreements (CMA) on the organization's public website(s).",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "DI-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PM-24",
          "PT-08"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-24",
          "PT-08"
        ],
        "general-nist-800-82-r3": [
          "PM-24",
          "PT-08"
        ],
        "general-nist-800-82-r3-low": [
          "PM-24"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-24"
        ],
        "general-nist-800-82-r3-high": [
          "PM-24"
        ],
        "general-scf-dpmp-2025": [
          "11.6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-24"
        ],
        "usa-federal-cms-marse-2-0": [
          "DI-2(1)"
        ]
      }
    },
    {
      "control_id": "PRI-02.4",
      "title": "System of Records Notice (SORN)",
      "family": "PRI",
      "description": "Mechanisms exist to draft, publish and keep System of Records Notices (SORN) updated in accordance with regulatory guidance.",
      "scf_question": "Does the organization draft, publish and keep System of Records Notices (SORN) updated in accordance with regulatory guidance?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to draft, publish and keep System of Records Notices (SORN) updated in accordance with regulatory guidance.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "TR-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PT-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-06"
        ],
        "general-nist-800-82-r3": [
          "PT-06"
        ],
        "general-scf-dpmp-2025": [
          "11.6"
        ],
        "usa-federal-cms-marse-2-0": [
          "TR-2",
          "TR-2.a",
          "TR-2.b",
          "TR-2(1)"
        ]
      }
    },
    {
      "control_id": "PRI-02.5",
      "title": "System of Records Notice (SORN) Review Process",
      "family": "PRI",
      "description": "Mechanisms exist to review all routine uses of data published in the System of Records Notices (SORN) to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.",
      "scf_question": "Does the organization review all routine uses of data published in the System of Records Notices (SORN) to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to review all routine uses of data published in the System of Records Notices (SORN) to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PT-06(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-06(01)"
        ],
        "general-nist-800-82-r3": [
          "PT-06(01)"
        ],
        "general-scf-dpmp-2025": [
          "11.6"
        ]
      }
    },
    {
      "control_id": "PRI-02.6",
      "title": "Privacy Act Exemptions",
      "family": "PRI",
      "description": "Mechanisms exist to review all Privacy Act exemptions claimed for the System of Records Notices (SORN) to ensure they remain appropriate and accurate.",
      "scf_question": "Does the organization review all Privacy Act exemptions claimed for the System of Records Notices (SORN) to ensure they remain appropriate and accurate?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to review all Privacy Act exemptions claimed for the System of Records Notices (SORN) to ensure they remain appropriate and accurate.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PT-06(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-06(02)"
        ],
        "general-nist-800-82-r3": [
          "PT-06(02)"
        ],
        "general-scf-dpmp-2025": [
          "11.6"
        ]
      }
    },
    {
      "control_id": "PRI-02.7",
      "title": "Real-Time or Layered Notice",
      "family": "PRI",
      "description": "Mechanisms exist to provide real-time and/or layered notice when Personal Data (PD) is collected that provides data subjects with a summary of key points or more detailed information that is specific to the organization's data privacy notice.",
      "scf_question": "Does the organization provide real-time and/or layered notice when Personal Data (PD) is collected that provides data subjects with a summary of key points or more detailed information that is specific to its data privacy notice?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide real-time and/or layered notice when Personal Data (PD) is collected that provides data subjects with a summary of key points or more detailed information that is specific to the organization's data privacy notice.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "TR-1(1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "TR-1(1)"
        ]
      }
    },
    {
      "control_id": "PRI-02.8",
      "title": "Purpose Compatibility",
      "family": "PRI",
      "description": "Mechanisms exist to periodically assess disclosed purposes for which Personal Data (PD) is collected, received, processed, stored, transmitted and/or shared to ensure compatibility with reasonable consumer expectations.",
      "scf_question": "Does the organization periodically assess disclosed purposes for which Personal Data (PD) is collected, received, processed, stored, transmitted and/or shared to ensure compatibility with reasonable consumer expectations?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically assess disclosed purposes for which Personal Data (PD) is collected, received, processed, stored, transmitted and/or shared to ensure compatibility with reasonable consumer expectations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Only collect personal data for stated purposes",
        "small": "∙ Purpose limitation policy for personal data use",
        "medium": "∙ Formal purpose compatibility assessment process for new PD uses",
        "large": "∙ Enterprise purpose compatibility review program\n∙ Privacy impact assessment for new uses",
        "enterprise": "∙ Enterprise privacy management platform with purpose compatibility workflows\n∙ Automated PIA triggers"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-federal-omb-fipps-1973": [
          "7"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7002(c)",
          "7002(c)(1)",
          "7002(c)(2)",
          "7002(c)(3)"
        ]
      }
    },
    {
      "control_id": "PRI-02.9",
      "title": "Privacy Notice Formatting",
      "family": "PRI",
      "description": "Mechanisms exist to reasonably accommodate data privacy notice formatting for consumers requiring alternative formatting due to accessibility needs through:\n(1) Screen resolution / screen sizes;\n(2) Multilingual support; and/or\n(3) Disability-specific concessions.",
      "scf_question": "Does the organization reasonably accommodate data privacy notice formatting for consumers requiring alternative formatting due to accessibility needs through:\n(1) Screen resolution / screen sizes;\n(2) Multilingual support; and/or\n(3) Disability-specific concessions?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to reasonably accommodate data privacy notice formatting for consumers requiring alternative formatting due to accessibility needs through:\n(1) Screen resolution / screen sizes;\n(2) Multilingual support; and/or\n(3) Disability-specific concessions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Write privacy notices in plain, clear language",
        "small": "∙ Readable, user-friendly privacy notice formatting",
        "medium": "∙ Formal privacy notice formatting standards\n∙ Plain language requirement\n∙ Layered notices",
        "large": "∙ Enterprise privacy notice management\n∙ Layered privacy notice design\n∙ Readability standards",
        "enterprise": "∙ Enterprise privacy notice platform (e.g., OneTrust)\n∙ Automated notice generation\n∙ Layered notices with readability scoring"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7003(b)(1)",
          "7003(b)(2)",
          "7003(b)(3)"
        ]
      }
    },
    {
      "control_id": "PRI-02.10",
      "title": "Symmetry In Choice",
      "family": "PRI",
      "description": "Mechanisms exist to ensure symmetry in choice, where options presented to consumers for more protective options are not longer, more difficult, nor more time-consuming than less protective options.",
      "scf_question": "Does the organization ensure symmetry in choice, where options presented to consumers for more protective options are not longer, more difficult, nor more time-consuming than less protective options?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure symmetry in choice, where options presented to consumers for more protective options are not longer, more difficult, nor more time-consuming than less protective options.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Present privacy choices clearly and neutrally to users",
        "small": "∙ Symmetrical choice design in privacy consent flows",
        "medium": "∙ Formal symmetry-in-choice policy for privacy consent interfaces",
        "large": "∙ Enterprise privacy UX design standards\n∙ Symmetrical choice architecture review",
        "enterprise": "∙ Enterprise privacy consent platform (e.g., OneTrust, Cookiebot)\n∙ UX testing for consent symmetry\n∙ Regulatory compliance (GDPR, CCPA)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7004(a)(2)"
        ]
      }
    },
    {
      "control_id": "PRI-02.11",
      "title": "Choice Architecture",
      "family": "PRI",
      "description": "Mechanisms exist to avoid choice architecture that impairs, interferes with or subverts a consumer’s ability to make well-informed choices.",
      "scf_question": "Does the organization avoid choice architecture that impairs, interferes with or subverts a consumer’s ability to make well-informed choices?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to avoid choice architecture that impairs, interferes with or subverts a consumer’s ability to make well-informed choices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Design privacy choices to be easy to understand and exercise",
        "small": "∙ Choice architecture principles for privacy consent flows",
        "medium": "∙ Formal privacy choice architecture policy\n∙ User-friendly consent design",
        "large": "∙ Enterprise privacy UX program\n∙ Formal choice architecture design standards",
        "enterprise": "∙ Enterprise privacy consent management platform\n∙ Choice architecture testing program\n∙ Behavioral design compliance review"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7004(a)(4)",
          "7004(b)",
          "7004(c)"
        ]
      }
    },
    {
      "control_id": "PRI-02.12",
      "title": "Choice Architecture Testing",
      "family": "PRI",
      "description": "Mechanisms exist to perform testing of choice architecture to ensure it does not undermine a consumer’s ability to submit choice selections.",
      "scf_question": "Does the organization perform testing of choice architecture to ensure it does not undermine a consumer’s ability to submit choice selections?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform testing of choice architecture to ensure it does not undermine a consumer’s ability to submit choice selections.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Test privacy choice interfaces for clarity and usability",
        "small": "∙ User testing of privacy consent and choice interfaces",
        "medium": "∙ Formal choice architecture testing program\n∙ A/B testing of consent interfaces",
        "large": "∙ Enterprise privacy UX testing program\n∙ Regular testing of consent flows",
        "enterprise": "∙ Enterprise consent experience testing program\n∙ Automated UX testing\n∙ Regulatory review of choice architecture"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7004(a)(5)"
        ]
      }
    },
    {
      "control_id": "PRI-02.13",
      "title": "Notice of Right To Limit",
      "family": "PRI",
      "description": "Mechanisms exist to include within the data privacy notice a notification to data subjects of:\n(1) Their right to limit the use and disclosure of their sensitive Personal Data (sPD); and\n(2) The methods available to exercise that right.",
      "scf_question": "Does the organization include within the data privacy notice a notification to data subjects of:\n(1) Their right to limit the use and disclosure of their sensitive Personal Data (sPD); and\n(2) The methods available to exercise that right?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include within the data privacy notice a notification to data subjects of:\n(1) Their right to limit the use and disclosure of their sensitive Personal Data (sPD); and\n(2) The methods available to exercise that right.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Inform users of their right to limit personal data processing",
        "small": "∙ Privacy notice including right to limit processing",
        "medium": "∙ Formal notice of right-to-limit policy\n∙ Data subject communication procedures",
        "large": "∙ Enterprise privacy notice management\n∙ Automated right-to-limit notifications",
        "enterprise": "∙ Enterprise privacy management platform\n∙ Automated data subject rights communications\n∙ DSAR management workflow"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7014(a)",
          "7014(e)",
          "7014(f)",
          "7014(f)(1)",
          "7014(f)(2)"
        ]
      }
    },
    {
      "control_id": "PRI-02.14",
      "title": "Alternative Means To Deliver Privacy Notice",
      "family": "PRI",
      "description": "Mechanisms exist to provide data subjects with a data privacy notice through alternative means for interactions that do not utilize an interface on a website or application.",
      "scf_question": "Does the organization provide data subjects with a data privacy notice through alternative means for interactions that do not utilize an interface on a website or application?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide data subjects with a data privacy notice through alternative means for interactions that do not utilize an interface on a website or application.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Offer alternative ways to receive privacy notices (e.g., paper on request)",
        "small": "∙ Alternative privacy notice delivery options policy",
        "medium": "∙ Formal alternative notice delivery program\n∙ Accessible formats for privacy notices",
        "large": "∙ Enterprise alternative notice delivery program\n∙ Accessibility compliance for notices",
        "enterprise": "∙ Enterprise privacy communication platform\n∙ Multi-format notice delivery (digital, print, accessible formats)\n∙ Accessibility compliance"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7014(e)(3)(A)",
          "7014(e)(3)(B)",
          "7014(e)(3)(C)",
          "7014(e)(3)(D)"
        ]
      }
    },
    {
      "control_id": "PRI-03",
      "title": "Choice & Consent",
      "family": "PRI",
      "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization;\n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "N2.1-POF1",
          "C3.1",
          "C3.1-POF1",
          "C3.1-POF3",
          "C3.2",
          "C3.2-POF2",
          "C3.2-POF3",
          "C3.2-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "P2.0",
          "P2.1",
          "P2.1-POF1",
          "P2.1-POF2",
          "P2.1-POF3",
          "P2.1-POF5",
          "P2.1-POF6",
          "P3.2",
          "P3.2-POF2"
        ],
        "general-apec-privacy-framework-2015": [
          "2(e)",
          "4(a)",
          "5"
        ],
        "general-iso-27002-2022": [
          "5.33"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.33"
        ],
        "general-iso-29100-2024": [
          "6.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P1",
          "CT.PO-P3"
        ],
        "general-nist-800-53-r4": [
          "IP-1"
        ],
        "general-nist-800-53-r5-2": [
          "PT-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-04"
        ],
        "general-nist-800-82-r3": [
          "PT-04"
        ],
        "general-oecd-privacy-principles-2010": [
          "1",
          "4(a)"
        ],
        "general-scf-dpmp-2025": [
          "2.0",
          "2.1",
          "2.2"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.2.a",
          "II.2.c"
        ],
        "usa-federal-law-ferpa-2010": [
          "1232h(b)",
          "1232h(b)(1)",
          "1232h(b)(2)",
          "1232h(b)(3)",
          "1232h(b)(4)",
          "1232h(b)(5)",
          "1232h(b)(6)",
          "1232h(b)(7)",
          "1232h(b)(8)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(iv)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.506(b)(1)",
          "164.508(a)(2)",
          "164.508(c)(1)(v)",
          "164.508(c)(3)",
          "164.510(b)(2)(i)",
          "164.510(b)(2)(ii)",
          "164.510(b)(2)(iii)",
          "164.510(b)(3)",
          "164.514(f)(2)(ii)",
          "164.514(f)(2)(iv)",
          "164.514(f)(2)(v)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IP-1",
          "IP-1.a",
          "IP-1.b",
          "IP-1.c",
          "IP-1.d",
          "IP-1(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7002(e)",
          "7010(b)",
          "7012(a)",
          "7012(b)",
          "7012(c)",
          "7012(d)",
          "7012(e)",
          "7012(e)(1)",
          "7012(e)(2)",
          "7012(e)(3)",
          "7012(e)(4)",
          "7012(e)(5)",
          "7012(e)(6)",
          "7027(c)",
          "7027(d)"
        ],
        "usa-state-il-bipa-2008": [
          "15(b)(3)",
          "15(d)",
          "15(d)(1)",
          "15(d)(2)",
          "15(d)(3)",
          "15(d)(4)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.578(6)",
          "646A.583(1)(a)(C)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(2)(b)",
          "Section 5(2)(c)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(E)",
          "47-18-3203(b)",
          "47-18-3204(a)(6)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.101(b)(4)",
          "541.107(a)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.A.5",
          "59.1-578.D"
        ],
        "emea-eu-gdpr-2016": [
          "Article 7.1",
          "Article 7.2",
          "Article 9.2(a)",
          "Article 21.1",
          "Article 21.2",
          "Article 21.3",
          "Article 21.4",
          "Article 21.5",
          "Article 21.6"
        ],
        "emea-aut-fappd-2000": [
          "Sec 8"
        ],
        "emea-bel-act-8-1992": [
          "Sun Apr 06 2025 20:00:00 GMT-0400 (Eastern Daylight Time)"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4a",
          "Sec 11"
        ],
        "emea-grc-pirppd-1997": [
          "5"
        ],
        "emea-hun-isdfi-2011": [
          "6"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-ita-pdpc-2003": [
          "23",
          "24"
        ],
        "emea-ken-pda-2019": [
          "32(1)",
          "32(4)"
        ],
        "emea-nga-dpr-2019": [
          "2.2(a)",
          "2.3(2)",
          "2.3(2)(a)",
          "2.3(2)(b)",
          "2.3(2)(c)",
          "2.3(2)(d)",
          "2.3(2)(e)"
        ],
        "emea-pol-act-29-1997": [
          "23"
        ],
        "emea-qat-pdppl-2020": [
          "4",
          "5.2",
          "10"
        ],
        "emea-rus-federal-law-27-2006": [
          "6",
          "9"
        ],
        "emea-sau-pdpl-2023": [
          "Article 5.1",
          "Article 10.1",
          "Article 15.1",
          "Article 24.1",
          "Article 25.1",
          "Article 25.2",
          "Article 25.3",
          "Article 26"
        ],
        "emea-srb-act-9-2018": [
          "12.1",
          "15",
          "31",
          "31.1",
          "31.2",
          "31.3",
          "31.4"
        ],
        "emea-zaf-popia-2013": [
          "11"
        ],
        "emea-esp-decree-1720-2007": [
          "8",
          "12"
        ],
        "emea-tur-lppd-2016": [
          "10"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 3"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 3"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 22"
        ],
        "apac-chn-pipl-2021": [
          "13(1)",
          "14",
          "23",
          "27",
          "29",
          "30",
          "44"
        ],
        "apac-ind-dpdpa-2023": [
          "4(1)(a)",
          "6(1)",
          "6(3)",
          "6(7)",
          "6(10)",
          "7(a)",
          "7(b)(i)",
          "8(8)(b)"
        ],
        "apac-ind-privacy-rules-2011": [
          "5"
        ],
        "apac-jpn-ppi-2020": [
          "16(1)",
          "16(3)(i)",
          "16(3)(ii)",
          "16(3)(iii)",
          "16(3)(iv)",
          "24(1)",
          "24(2)"
        ],
        "apac-mys-pdpa-2010": [
          "7"
        ],
        "apac-phl-dpa-2012": [
          "19"
        ],
        "apac-sgp-pdpa-2012": [
          "13"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "4",
          "22"
        ],
        "apac-twn-pdpa-2025": [
          "5"
        ],
        "americas-arg-ppd-2018": [
          "5.1",
          "5.2"
        ],
        "americas-bra-lgpd-2018": [
          "7.1",
          "15"
        ],
        "americas-can-pipeda-2000": [
          "Sec 6",
          "Sec 7",
          "Principle 3"
        ],
        "americas-chl-act-19628-1999": [
          "4"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "8",
          "10"
        ]
      }
    },
    {
      "control_id": "PRI-03.1",
      "title": "Tailored Consent",
      "family": "PRI",
      "description": "Mechanisms exist to allow data subjects to modify permission to collect, receive, process, store, transmit, share, update and/or dispose selected attributes of their Personal Data (PD).",
      "scf_question": "Does the organization allow data subjects to modify permission to collect, receive, process, store, transmit, share, update and/or dispose selected attributes of their Personal Data (PD)?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to allow data subjects to modify permission to collect, receive, process, store, transmit, share, update and/or dispose selected attributes of their Personal Data (PD).",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P3.2-POF1"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P3"
        ],
        "general-nist-800-53-r4": [
          "IP-(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PT-04(01)"
        ],
        "general-nist-800-82-r3": [
          "PT-04(01)"
        ],
        "general-scf-dpmp-2025": [
          "2.5"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(E)(i)",
          "47-18-3203(a)(2)(E)(ii)",
          "47-18-3203(a)(2)(E)(iii)",
          "47-18-3203(b)"
        ],
        "emea-srb-act-9-2018": [
          "31",
          "31.1",
          "31.2",
          "31.3",
          "31.4"
        ],
        "emea-zaf-popia-2013": [
          "11"
        ],
        "apac-twn-pdpa-2025": [
          "5"
        ]
      }
    },
    {
      "control_id": "PRI-03.2",
      "title": "Just-In-Time Notice & Updated Consent",
      "family": "PRI",
      "description": "Mechanisms exist to present data subjects with a new or updated consent request to collect, receive, process, store, transmit, share, update and/or dispose Personal Data (PD) in conjunction with the data action, when:\n(1) The original circumstances under which an individual gave consent have changed; or\n(2) A significant amount of time has passed since an individual gave consent.",
      "scf_question": "Does the organization present data subjects with a new or updated consent request to collect, receive, process, store, transmit, share, update and/or dispose Personal Data (PD) in conjunction with the data action, when:\n(1) The original circumstances under which an individual gave consent have changed; or\n(2) A significant amount of time has passed since an individual gave consent?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to present data subjects with a new or updated consent request to collect, receive, process, store, transmit, share, update and/or dispose Personal Data (PD) in conjunction with the data action, when:\n(1) The original circumstances under which an individual gave consent have changed; or\n(2) A significant amount of time has passed since an individual gave consent.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "N2.1-POF1",
          "N2.1-POF2",
          "N2.2",
          "C3.2-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "P2.1",
          "P2.1-POF4",
          "P3.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P1",
          "CT.PO-P3"
        ],
        "general-nist-800-53-r5-2": [
          "PT-04(02)",
          "PT-05(01)"
        ],
        "general-nist-800-82-r3": [
          "PT-04(02)",
          "PT-05(01)"
        ],
        "general-scf-dpmp-2025": [
          "2.3",
          "5.14"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "III.14.b.i",
          "III.14.b.ii"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7002(f)",
          "7010(f)",
          "7022(g)",
          "7022(h)",
          "7025(c)(5)",
          "7026(k)",
          "7027(l)",
          "7221(i)",
          "7221(k)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 8"
        ],
        "emea-ken-pda-2019": [
          "32(2)",
          "32(3)"
        ],
        "emea-zaf-popia-2013": [
          "15"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 5"
        ],
        "apac-chn-pipl-2021": [
          "14",
          "22",
          "23",
          "27"
        ],
        "apac-jpn-ppi-2020": [
          "16(2)",
          "16(3)(i)",
          "16(3)(ii)",
          "16(3)(iii)",
          "16(3)(iv)"
        ],
        "apac-kor-pipa-2011": [
          "22"
        ],
        "apac-twn-pdpa-2025": [
          "5"
        ],
        "americas-arg-ppd-2018": [
          "27.3"
        ],
        "americas-can-pipeda-2000": [
          "Sec 6",
          "Sec 7",
          "Principle 3"
        ],
        "americas-mex-fdpa-2010": [
          "7"
        ]
      }
    },
    {
      "control_id": "PRI-03.3",
      "title": "Prohibition of Selling, Processing and/or Sharing Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to prevent the sale, processing and/or sharing of Personal Data (PD) when:\n(1) Instructed by the data subject; or\n(2) The data subject is a minor, where selling and/or sharing PD is legally prohibited.",
      "scf_question": "Does the organization prevent the sale, processing and/or sharing of Personal Data (PD) when:\n (1) Instructed by the data subject; or\n (2) The data subject is a minor, where selling and/or sharing PD is legally prohibited?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.\n▪ Asset / process owners collect, store, process, transmit, share or use PD only for the purposes identified in the data privacy notice.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent the sale, processing and/or sharing of Personal Data (PD) when:\n(1) Instructed by the data subject; or\n(2) The data subject is a minor, where selling and/or sharing PD is legally prohibited.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "2.5"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.502(a)(5)(ii)(A)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1308(1)(b)"
        ],
        "usa-state-il-bipa-2008": [
          "15(c)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(E)(i)",
          "47-18-3203(a)(2)(E)(ii)",
          "47-18-3203(a)(2)(E)(iii)",
          "47-18-3204(d)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.101(b)(4)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.1.C",
          "59.1-578.F.1",
          "59.1-578.F.1.a"
        ],
        "emea-srb-act-9-2018": [
          "37"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 7"
        ],
        "apac-chn-pipl-2021": [
          "10"
        ]
      }
    },
    {
      "control_id": "PRI-03.4",
      "title": "Revoke Consent",
      "family": "PRI",
      "description": "Mechanisms exist to allow data subjects to revoke consent to collect, receive, process, store, transmit, share and/or update their Personal Data (PD).",
      "scf_question": "Does the organization allow data subjects to revoke consent to collect, receive, process, store, transmit, share and/or update their Personal Data (PD)?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to allow data subjects to revoke consent to collect, receive, process, store, transmit, share and/or update their Personal Data (PD).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "N2.1-POF5"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.2-003"
        ],
        "general-nist-800-53-r5-2": [
          "PT-04(03)"
        ],
        "general-nist-800-82-r3": [
          "PT-04(03)"
        ],
        "general-scf-dpmp-2025": [
          "2.3"
        ],
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(b)(1)(B)(ii)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.576(7)",
          "646A.578(1)(d)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(1)(d)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 7.3"
        ],
        "emea-ken-pda-2019": [
          "26(c)",
          "32(2)",
          "32(3)"
        ],
        "emea-nga-dpr-2019": [
          "2.8",
          "2.8(a)",
          "2.8(b)"
        ],
        "emea-qat-pdppl-2020": [
          "5.1"
        ],
        "emea-sau-pdpl-2023": [
          "Article 5.2"
        ],
        "emea-srb-act-9-2018": [
          "15",
          "37"
        ],
        "apac-chn-pipl-2021": [
          "15"
        ],
        "apac-ind-dpdpa-2023": [
          "5(2)(b)",
          "6(4)",
          "6(7)",
          "8(7)(a)",
          "8(8)(b)"
        ]
      }
    },
    {
      "control_id": "PRI-03.5",
      "title": "Product or Service Delivery Restrictions",
      "family": "PRI",
      "description": "Mechanisms exist to prevent discrimination against a data subject for exercising their legal rights pertaining to modifying or revoking consent, including prohibiting:\n(1) Refusing products and/or services;\n(2) Charging different rates for goods and/or services; and\n(3) Providing different levels of quality.",
      "scf_question": "Does the organization prevent discrimination against a data subject for exercising their legal rights pertaining to modifying or revoking consent, including prohibiting:\n (1) Refusing products and/or services;\n (2) Charging different rates for goods and/or services; and\n (3) Providing different levels of quality?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent discrimination against a data subject for exercising their legal rights pertaining to modifying or revoking consent, including prohibiting:\n(1) Refusing products and/or services;\n(2) Charging different rates for goods and/or services; and\n(3) Providing different levels of quality.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "C3.1-POF2",
          "C3.1-POF3"
        ],
        "general-scf-dpmp-2025": [
          "2.4"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.508(c)(2)(ii)(A)",
          "164.508(c)(2)(ii)(B)",
          "164.514(f)(2)(iii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7080(a)",
          "7080(b)",
          "7221(l)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1308(1)(c)(I)",
          "6-1-1308(1)(c)(II)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(2)(d)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.101(b)(3)",
          "541.101(c)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.1.E",
          "59.1-578.A.4"
        ],
        "emea-ken-pda-2019": [
          "32(4)"
        ],
        "emea-sau-pdpl-2023": [
          "Article 7"
        ],
        "apac-chn-pipl-2021": [
          "16"
        ]
      }
    },
    {
      "control_id": "PRI-03.6",
      "title": "Authorized Agent",
      "family": "PRI",
      "description": "Mechanisms exist to allow data subjects to authorize another person or entity (e.g., authorized agent, proxy, etc.), acting on the data subject's behalf, to make Personal Data (PD) processing decisions.",
      "scf_question": "Does the organization allow data subjects to authorize another person or entity (e.g., authorized agent, proxy, etc.), acting on the data subject's behalf, to make Personal Data (PD) processing decisions?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to allow data subjects to authorize another person or entity (e.g., authorized agent, proxy, etc.), acting on the data subject's behalf, to make Personal Data (PD) processing decisions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-GV-1",
        "R-GV-5"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "2.6"
        ],
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(b)(1)(B)",
          "Sec. 6502.(b)(1)(B)(ii)"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.2.b"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.502(g)(1)",
          "164.502(g)(2)",
          "164.502(g)(3)(i)",
          "164.502(g)(3)(i)(A)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7026(j)",
          "7027(j)",
          "7063(a)",
          "7063(a)(1)",
          "7063(a)(2)",
          "7063(b)",
          "7063(c)",
          "7063(d)",
          "7221(j)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)(a)(II)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.576(3)",
          "646A.576(4)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 4(4)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(1)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.055(e)",
          "541.055(e)(1)",
          "541.055(e)(2)",
          "541.055(e)(3)",
          "541.055(e)(4)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A",
          "59.1-577.1.D",
          "59.1-578.A.5",
          "59.1-578.F.3"
        ],
        "emea-eu-gdpr-2016": [
          "Article 8.1",
          "Article 8.2"
        ],
        "emea-ken-pda-2019": [
          "27(a)",
          "27(b)",
          "27(c)"
        ],
        "emea-qat-pdppl-2020": [
          "17.1",
          "17.2",
          "17.3",
          "17.4",
          "17.5"
        ],
        "apac-ind-dpdpa-2023": [
          "6(7)",
          "9(1)",
          "14(1)"
        ],
        "apac-jpn-ppi-2020": [
          "16(3)(i)",
          "16(3)(ii)",
          "16(3)(iii)",
          "16(3)(iv)"
        ]
      }
    },
    {
      "control_id": "PRI-03.7",
      "title": "Active Participation By Data Subjects",
      "family": "PRI",
      "description": "Mechanisms exist to compel data subjects to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.).",
      "scf_question": "Does the organization compel data subjects to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.)?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to compel data subjects to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-iso-29100-2024": [
          "6.5"
        ],
        "general-oecd-privacy-principles-2010": [
          "1"
        ],
        "general-scf-dpmp-2025": [
          "6.0"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.2.c",
          "III.12.a",
          "III.12.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7010(e)",
          "7010(f)",
          "7025(c)(4)",
          "7027(b)",
          "7027(i)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 3(1)(d)(A)",
          "Section 3(1)(d)(B)",
          "Section 3(1)(d)(C)",
          "Section 5(6)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(b)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.051(b)(5)(A)",
          "541.051(b)(5)(B)",
          "541.051(b)(5)(C)",
          "541.052(f)(2)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A",
          "59.1-577.A.5"
        ],
        "emea-ken-pda-2019": [
          "26(a)",
          "26(c)"
        ]
      }
    },
    {
      "control_id": "PRI-03.8",
      "title": "Global Privacy Control (GPC)",
      "family": "PRI",
      "description": "Automated mechanisms exist to provide data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal).",
      "scf_question": "Does the organization use automated mechanisms to provide data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal)?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically provide data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "2.7"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7025(a)",
          "7025(b)",
          "7025(b)(1)",
          "7025(b)(2)",
          "7025(c)",
          "7025(c)(1)",
          "7025(c)(2)",
          "7025(c)(3)",
          "7025(c)(5)",
          "7025(c)(6)",
          "7025(d)",
          "7025(e)",
          "7025(f)",
          "7025(f)(1)",
          "7025(f)(2)",
          "7025(f)(3)",
          "7025(g)",
          "7025(g)(1)",
          "7025(g)(3)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.578(5)(c)",
          "646A.578(5)(c)(A)",
          "646A.578(5)(c)(B)",
          "646A.578(5)(c)(C)",
          "646A.578(5)(c)(D)",
          "646A.578(5)(c)(E)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(5)(c)",
          "Section 5(5)(c)(A)",
          "Section 5(5)(c)(B)",
          "Section 5(5)(c)(C)",
          "Section 5(5)(c)(D)",
          "Section 5(5)(c)(E)"
        ]
      }
    },
    {
      "control_id": "PRI-03.9",
      "title": "Continued Use of Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to govern the continued use of Personal Data (PD) as it is collected, received, processed, stored, transmitted, shared and/or updated until:\n(1) Disposal of PD occurs when there is no longer a legitimate business purpose;\n(2) Disposal of PD occurs when the data retention timeline for the use case is met; and/or\n(3) Continued use of PD is prohibited upon withdrawal of data subject consent.",
      "scf_question": "Does the organization govern the continued use of Personal Data (PD) as it is collected, received, processed, stored, transmitted, shared and/or updated until:\n (1) Disposal of PD occurs when there is no longer a legitimate business purpose;\n (2) Disposal of PD occurs when the data retention timeline for the use case is met; and/or\n (3) Continued use of PD is prohibited upon withdrawal of data subject consent?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern the continued use of Personal Data (PD) as it is collected, received, processed, stored, transmitted, shared and/or updated until:\n(1) Disposal of PD occurs when there is no longer a legitimate business purpose;\n(2) Disposal of PD occurs when the data retention timeline for the use case is met; and/or\n(3) Continued use of PD is prohibited upon withdrawal of data subject consent.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document the basis for continued use of personal data",
        "small": "∙ Policy defining conditions for continued PD use after initial purpose",
        "medium": "∙ Formal continued use assessment process\n∙ Documentation of continued use justification",
        "large": "∙ Enterprise privacy review process for continued PD use\n∙ Legal basis documentation",
        "enterprise": "∙ Enterprise privacy management platform with continued use workflows\n∙ Legal basis tracking (e.g., OneTrust)"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-apec-privacy-framework-2015": [
          "4",
          "4(b)"
        ],
        "general-iso-29100-2024": [
          "6.6"
        ],
        "general-oecd-privacy-principles-2010": [
          "4"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "III.14.c.i"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7022(f)(3)",
          "7027(b)",
          "7027(g)(1)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.052(a)",
          "541.052(f)(2)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.F.1.d"
        ],
        "emea-eu-gdpr-2016": [
          "Article 18.2"
        ],
        "apac-ind-dpdpa-2023": [
          "5(2)(b)",
          "9(2)",
          "9(3)"
        ]
      }
    },
    {
      "control_id": "PRI-03.10",
      "title": "Cease Processing, Storing and/or Sharing Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to ensure the organization ceases collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) upon receiving a data subject's consent revocation.",
      "scf_question": "Does the organization ensure it ceases collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) upon receiving a data subject's consent revocation?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.\n▪ Asset / process owners collect, store, process, transmit, share or use PD only for the purposes identified in the data privacy notice.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the organization ceases collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) upon receiving a data subject's consent revocation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Delete personal data when no longer needed",
        "small": "∙ Personal data deletion policy\n∙ Process to cease processing on request or retention expiry",
        "medium": "∙ Formal data retention and deletion program\n∙ Data subject request processing for deletion",
        "large": "∙ Enterprise data retention management\n∙ Automated deletion workflows",
        "enterprise": "∙ Enterprise data governance platform (e.g., Collibra, OneTrust)\n∙ Automated data lifecycle management\n∙ DSAR deletion workflow automation"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7027(g)(1)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.576(7)(a)",
          "646A.576(7)(b)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-579.B.2"
        ],
        "apac-ind-dpdpa-2023": [
          "6(6)"
        ]
      }
    },
    {
      "control_id": "PRI-03.11",
      "title": "Communicating Processing Changes",
      "family": "PRI",
      "description": "Mechanisms exist to notify data subjects of processing changes affecting their Personal Data (PD), including:\n(1) Erasure of PD;\n(2) Remediation of incorrect PD; and/or\n(3) Processing restrictions affecting their PD.",
      "scf_question": "Does the organization notify data subjects of processing changes affecting their Personal Data (PD), including:\n (1) Erasure of PD;\n (2) Remediation of incorrect PD; and/or\n (3) Processing restrictions affecting their PD?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to notify data subjects of processing changes affecting their Personal Data (PD), including:\n(1) Erasure of PD;\n(2) Remediation of incorrect PD; and/or\n(3) Processing restrictions affecting their PD.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Notify affected parties when changing how personal data is processed",
        "small": "∙ Policy to communicate processing changes to data subjects",
        "medium": "∙ Formal processing change notification policy\n∙ Data subject communication procedures",
        "large": "∙ Enterprise privacy change management program\n∙ Automated data subject notifications for processing changes",
        "enterprise": "∙ Enterprise privacy management platform\n∙ Automated processing change notifications\n∙ Consent refresh workflows"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "emea-eu-gdpr-2016": [
          "Article 18.3",
          "Article 19"
        ]
      }
    },
    {
      "control_id": "PRI-03.12",
      "title": "Data Subject Opt-In Consent",
      "family": "PRI",
      "description": "Mechanisms exist to obtain consent from data subjects to opt-in for the following Personal Data (PD) actions:\n(1) Collecting;\n(2) Receiving;\n(3) Processing;\n(4) Storing;\n(5) Transmitting;\n(6) Sharing; and/or\n(7) Updating.",
      "scf_question": "Does the organization obtain consent from data subjects to opt-in for the following Personal Data (PD) actions:\n(1) Collecting;\n(2) Receiving;\n(3) Processing;\n(4) Storing;\n(5) Transmitting;\n(6) Sharing; and/or\n(7) Updating?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain consent from data subjects to opt-in for the following Personal Data (PD) actions:\n(1) Collecting;\n(2) Receiving;\n(3) Processing;\n(4) Storing;\n(5) Transmitting;\n(6) Sharing; and/or\n(7) Updating.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Obtain opt-in consent before processing personal data",
        "small": "∙ Opt-in consent policy and procedures",
        "medium": "∙ Formal opt-in consent program\n∙ Consent records management",
        "large": "∙ Enterprise consent management platform (e.g., OneTrust, Cookiebot)\n∙ Consent audit trail",
        "enterprise": "∙ Enterprise consent management platform (e.g., OneTrust, TrustArc)\n∙ Granular consent management\n∙ Automated consent renewal\n∙ Consent audit logs"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "C3.2-POF2",
          "C3.2-POF3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7028(a)",
          "7028(b)",
          "7028(c)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.F.1",
          "59.1-578.F.1.b"
        ]
      }
    },
    {
      "control_id": "PRI-03.13",
      "title": "Parent or Guardian Opt-In Consent For Minors",
      "family": "PRI",
      "description": "Mechanisms exist to obtain parental or guardian consent for Personal Data (PD) processing actions through reasonable consumer expectations, when the data subject is a minor.",
      "scf_question": "Does the organization obtain parental or guardian consent for Personal Data (PD) processing actions through reasonable consumer expectations, when the data subject is a minor?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain parental or guardian consent for Personal Data (PD) processing actions through reasonable consumer expectations, when the data subject is a minor.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Obtain parental consent before collecting data from minors",
        "small": "∙ Parental consent policy for minors' data",
        "medium": "∙ Formal parental/guardian consent process for minors' data collection",
        "large": "∙ Enterprise parental consent management program\n∙ Age verification controls",
        "enterprise": "∙ Enterprise age verification and parental consent platform\n∙ COPPA/GDPR-K compliance\n∙ Automated consent management"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(b)(1)(A)(ii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7070(a)",
          "7070(a)(1)",
          "7070(a)(2)",
          "7070(a)(2)(A)",
          "7070(a)(2)(B)",
          "7070(a)(2)(C)",
          "7070(a)(2)(D)",
          "7070(a)(2)(E)",
          "7070(a)(2)(F)",
          "7070(b)",
          "7070(c)",
          "7071(a)",
          "7071(b)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.F.1",
          "59.1-578.F.1.b"
        ]
      }
    },
    {
      "control_id": "PRI-04",
      "title": "Restrict Collection To Identified Purpose",
      "family": "PRI",
      "description": "Mechanisms exist to minimize the collection of Personal Data (PD) to only what is adequate, relevant and limited to the purposes identified in the data privacy notice, including protections against collecting PD from minors without appropriate parental or legal guardian consent.",
      "scf_question": "Does the organization minimize the collection of Personal Data (PD) to only what is adequate, relevant and limited to the purposes identified in the data privacy notice, including protections against collecting PD from minors without appropriate parental or legal guardian consent?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-02"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to minimize the collection of Personal Data (PD) to only what is adequate, relevant and limited to the purposes identified in the data privacy notice, including protections against collecting PD from minors without appropriate parental or legal guardian consent.",
        "4": "In addition to Privacy (PRI) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF2",
          "C3.1-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "CC8.1-POF18",
          "P3.0",
          "P3.1",
          "P3.1-POF1",
          "P3.1-POF2",
          "P3.1-POF3",
          "P3.1-POF4"
        ],
        "general-apec-privacy-framework-2015": [
          "3"
        ],
        "general-iso-27002-2022": [
          "5.33"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.33"
        ],
        "general-iso-29100-2024": [
          "6.4",
          "6.5"
        ],
        "general-nist-800-53-r4": [
          "AP-1"
        ],
        "general-nist-800-53-r5-2": [
          "PT-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-02"
        ],
        "general-nist-800-82-r3": [
          "PT-02"
        ],
        "general-scf-dpmp-2025": [
          "3.0"
        ],
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(a)(1)"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.5.a"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PT-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PT-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PT-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PT-02"
        ],
        "usa-federal-omb-fipps-1973": [
          "4"
        ],
        "usa-federal-irs-1075-2021": [
          "PT-2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7002(f)"
        ],
        "usa-state-il-ipa-2009": [
          "10(b)(1)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.578(1)(b)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(1)(b)",
          "Section 5(2)(b)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3204(a)(1)",
          "47-18-3204(a)(2)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.101(a)(1)",
          "541.101(b)(1)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.A.1",
          "59.1-578.F.1",
          "59.1-578.F.1.c",
          "59.1-578.F.2"
        ],
        "usa-state-vt-act-171-2018": [
          "2433(a)(1)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 5.1(b)",
          "Article 5.1(c)",
          "Article 8.1"
        ],
        "emea-aut-fappd-2000": [
          "Sec 6"
        ],
        "emea-bel-act-8-1992": [
          "Sun Apr 06 2025 20:00:00 GMT-0400 (Eastern Daylight Time)"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4"
        ],
        "emea-grc-pirppd-1997": [
          "4"
        ],
        "emea-hun-isdfi-2011": [
          "4",
          "5"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-ita-pdpc-2003": [
          "11"
        ],
        "emea-ken-pda-2019": [
          "25(c)",
          "25(d)",
          "27(a)",
          "28(2)(a)",
          "28(2)(b)",
          "28(2)(c)",
          "28(2)(d)",
          "28(2)(e)",
          "28(2)(f)",
          "28(2)(f)(i)",
          "28(2)(f)(ii)",
          "28(2)(f)(iii)",
          "28(3)"
        ],
        "emea-pol-act-29-1997": [
          "23"
        ],
        "emea-qat-pdppl-2020": [
          "9.1",
          "10",
          "17.1",
          "17.2",
          "17.3",
          "17.4",
          "17.5"
        ],
        "emea-rus-federal-law-27-2006": [
          "5"
        ],
        "emea-srb-act-9-2018": [
          "5.1",
          "5.2",
          "6.1",
          "6.2",
          "6.3",
          "6.4",
          "6.5",
          "16"
        ],
        "emea-zaf-popia-2013": [
          "5",
          "11",
          "69"
        ],
        "emea-esp-decree-1720-2007": [
          "8"
        ],
        "emea-che-fadp-2025": [
          "4"
        ],
        "emea-tur-lppd-2016": [
          "10"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 3"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 3"
        ],
        "apac-chn-pipl-2021": [
          "26",
          "31"
        ],
        "apac-ind-privacy-rules-2011": [
          "5"
        ],
        "apac-jpn-ppi-2020": [
          "17(1)"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 1",
          "P1-(1)(a)",
          "P1-(1)(b)",
          "Principle 3",
          "P3-(1)",
          "P3-(1)(a)",
          "P3-(1)(b)",
          "P3-(1)(c)",
          "P3-(1)(d)",
          "P3-(1)(d)(i)",
          "P3-(1)(d)(ii)",
          "P3-(1)(e)",
          "P3-(1)(e)(i)",
          "P3-(1)(e)(ii)",
          "P3-(1)(f)",
          "P3-(1)(g)",
          "P3-(2)",
          "P3-(3)",
          "P3-(4)",
          "P3-(4)(a)",
          "P3-(4)(b)",
          "P3-(4)(b)(i)",
          "P3-(4)(b)(ii)",
          "P3-(4)(b)(iii)",
          "P3-(4)(b)(iv)",
          "P3-(4)(c)",
          "P3-(4)(d)",
          "P3-(4)(e)",
          "P3-(4)(e)(i)",
          "P3-(4)(e)(ii)",
          "Principle 4",
          "P4-(a)",
          "P4-(b)",
          "P4-(b)(i)",
          "P4-(b)(ii)"
        ],
        "apac-phl-dpa-2012": [
          "19"
        ],
        "apac-sgp-pdpa-2012": [
          "17"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "15",
          "22"
        ],
        "apac-twn-pdpa-2025": [
          "5",
          "19"
        ],
        "americas-arg-ppd-2018": [
          "4.1",
          "4.2",
          "6"
        ],
        "americas-bhs-dpa-2003": [
          "6"
        ],
        "americas-bra-lgpd-2018": [
          "6.2"
        ],
        "americas-can-pipeda-2000": [
          "Sec 5",
          "Principle 4"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "7"
        ]
      }
    },
    {
      "control_id": "PRI-04.1",
      "title": "Authority To Collect, Process, Store & Share Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to determine and document the legal authority that permits the organization to collect, receive, process, store, transmit, share, update and/or dispose Personal Data (PD), either generally or in support of a specific business process.",
      "scf_question": "Does the organization determine and document the legal authority that permits the organization to collect, receive, process, store, transmit, share, update and/or dispose Personal Data (PD), either generally or in support of a specific business process?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to determine and document the legal authority that permits the organization to collect, receive, process, store, transmit, share, update and/or dispose Personal Data (PD), either generally or in support of a specific business process.",
        "4": "In addition to Privacy (PRI) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC8.1-POF18",
          "P3.1",
          "P6.7-POF1"
        ],
        "general-apec-privacy-framework-2015": [
          "4(c)"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-12"
        ],
        "general-iso-29100-2024": [
          "6.3"
        ],
        "general-nist-800-53-r4": [
          "AP-1"
        ],
        "general-nist-800-53-r5-2": [
          "PT-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-02"
        ],
        "general-nist-800-82-r3": [
          "PT-02"
        ],
        "general-oecd-privacy-principles-2010": [
          "1",
          "4(b)"
        ],
        "general-scf-dpmp-2025": [
          "3.1"
        ],
        "general-shared-assessments-sig-2025": [
          "P.6"
        ],
        "general-tisax-6-0-3": [
          "9.5.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PT-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PT-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PT-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PT-02"
        ],
        "usa-federal-omb-fipps-1973": [
          "3"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.502(a)(1)(i)",
          "164.502(a)(1)(ii)",
          "164.502(a)(1)(iii)",
          "164.502(a)(5)(i)",
          "164.502(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "PT-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "AP-1"
        ],
        "usa-state-ak-pipa-2009": [
          "45.48.400 - .480",
          "45.48.410",
          "45.48.410.1",
          "45.48.410.2",
          "45.48.410.3",
          "45.48.410.4",
          "45.48.410.5",
          "45.48.410.6",
          "45.48.410.7",
          "45.48.410.8",
          "45.48.420",
          "45.48.420.1",
          "45.48.420.2",
          "45.48.420.3",
          "45.48.420.4"
        ],
        "usa-state-il-ipa-2009": [
          "10(b)(1)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(2)(b)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3204(a)(5)",
          "47-18-3204(b)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.F.1.b",
          "59.1-578.F.1.c"
        ],
        "emea-eu-gdpr-2016": [
          "Article 9.2(b)",
          "Article 9.2(c)",
          "Article 9.2(d)",
          "Article 9.2(e)",
          "Article 9.2(f)",
          "Article 9.2(g)",
          "Article 9.2(h)",
          "Article 9.2(i)",
          "Article 9.2(j)",
          "Article 9.3",
          "Article 10"
        ],
        "emea-aut-fappd-2000": [
          "Sec 6"
        ],
        "emea-bel-act-8-1992": [
          "Sun Apr 06 2025 20:00:00 GMT-0400 (Eastern Daylight Time)"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4"
        ],
        "emea-grc-pirppd-1997": [
          "4"
        ],
        "emea-hun-isdfi-2011": [
          "4",
          "5"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-ita-pdpc-2003": [
          "11"
        ],
        "emea-ken-pda-2019": [
          "25(c)",
          "28(2)(a)",
          "28(2)(b)",
          "28(2)(c)",
          "28(2)(d)",
          "28(2)(e)",
          "28(2)(f)",
          "28(2)(f)(i)",
          "28(2)(f)(ii)",
          "28(2)(f)(iii)",
          "28(3)",
          "30(1)(a)",
          "30(1)(b)(i)",
          "30(1)(b)(ii)",
          "30(1)(b)(iii)",
          "30(1)(b)(iv)",
          "30(1)(b)(v)",
          "30(1)(b)(vi)",
          "30(1)(b)(vii)",
          "30(1)(b)(viii)",
          "30(2)",
          "30(3)",
          "33(1)(a)",
          "33(1)(b)",
          "33(2)",
          "33(3)(a)",
          "33(3)(b)",
          "33(3)(c)",
          "33(3)(d)",
          "33(3)(e)",
          "33(4)",
          "36",
          "37(1)(a)",
          "37(1)(b)",
          "37(2)"
        ],
        "emea-nga-dpr-2019": [
          "2.1(1)(a)",
          "2.1(1)(a)(i)",
          "2.1(1)(a)(ii)",
          "2.2(a)",
          "2.2(b)",
          "2.2(c)",
          "2.2(d)",
          "2.2(e)",
          "2.4(a)"
        ],
        "emea-pol-act-29-1997": [
          "23"
        ],
        "emea-qat-pdppl-2020": [
          "9.2",
          "18.1",
          "18.2",
          "18.3",
          "18.4"
        ],
        "emea-rus-federal-law-27-2006": [
          "5"
        ],
        "emea-sau-pdpl-2023": [
          "Article 13.1"
        ],
        "emea-srb-act-9-2018": [
          "5.1",
          "5.2",
          "6.1",
          "6.2",
          "6.3",
          "6.4",
          "6.5",
          "7",
          "7.1",
          "7.2",
          "14",
          "20"
        ],
        "emea-zaf-popia-2013": [
          "2",
          "3",
          "4"
        ],
        "emea-esp-decree-1720-2007": [
          "8"
        ],
        "emea-che-fadp-2025": [
          "4"
        ],
        "emea-tur-lppd-2016": [
          "10"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 3"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 3",
          "APP 7"
        ],
        "apac-chn-pipl-2021": [
          "5",
          "10",
          "13",
          "13(1)",
          "13(2)",
          "13(3)",
          "13(4)",
          "13(5)",
          "13(6)",
          "13(7)",
          "18",
          "26",
          "29",
          "30",
          "47"
        ],
        "apac-ind-dpdpa-2023": [
          "4(1)(b)"
        ],
        "apac-ind-privacy-rules-2011": [
          "5"
        ],
        "apac-jpn-ppi-2020": [
          "17(1)",
          "17(2)",
          "17(2)(i)",
          "17(2)(ii)",
          "17(2)(iii)",
          "17(2)(iv)",
          "17(2)(v)",
          "17(2)(vi)"
        ],
        "apac-phl-dpa-2012": [
          "19"
        ],
        "apac-sgp-pdpa-2012": [
          "17"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "15"
        ],
        "apac-twn-pdpa-2025": [
          "5",
          "19"
        ],
        "americas-arg-ppd-2018": [
          "5.2",
          "7.1",
          "7.2",
          "7.4",
          "8"
        ],
        "americas-bhs-dpa-2003": [
          "6"
        ],
        "americas-bra-lgpd-2018": [
          "6.1",
          "10",
          "11"
        ],
        "americas-can-pipeda-2000": [
          "Sec 5",
          "Principle 4"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "7"
        ]
      }
    },
    {
      "control_id": "PRI-04.2",
      "title": "Primary Sources",
      "family": "PRI",
      "description": "Mechanisms exist to ensure information is directly collected from the data subject, whenever possible.",
      "scf_question": "Does the organization ensure information is directly collected from the data subject, whenever possible?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure information is directly collected from the data subject, whenever possible.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P3.1-POF3"
        ],
        "general-shared-assessments-sig-2025": [
          "P.5.3"
        ],
        "emea-ken-pda-2019": [
          "28(1)",
          "28(2)(a)",
          "28(2)(b)",
          "28(2)(c)",
          "28(2)(d)",
          "28(2)(e)",
          "28(2)(f)",
          "28(2)(f)(i)",
          "28(2)(f)(ii)",
          "28(2)(f)(iii)"
        ],
        "emea-sau-pdpl-2023": [
          "Article 10"
        ],
        "apac-chn-pipl-2021": [
          "10"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 2",
          "P2-(1)",
          "P2-(2)",
          "P2-(2)(a)",
          "P2-(2)(b)",
          "P2-(2)(c)",
          "P2-(2)(d)",
          "P2-(2)(e)(i)",
          "P2-(2)(e)(ii)",
          "P2-(2)(e)(iii)",
          "P2-(2)(e)(iv)",
          "P2-(2)(e)(v)",
          "P2-(2)(f)",
          "P2-(2)(g)(i)",
          "P2-(2)(g)(ii)"
        ]
      }
    },
    {
      "control_id": "PRI-04.3",
      "title": "Identifiable Image Collection",
      "family": "PRI",
      "description": "Mechanisms exist to restrict collecting, receiving, processing, storing, transmitting and/or sharing of photographic and/or video surveillance image collection that can identify individuals to legitimate business needs.",
      "scf_question": "Does the organization restrict collecting, receiving, processing, storing, transmitting and/or sharing of photographic and/or video surveillance image collection that can identify individuals to legitimate business needs?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict collecting, receiving, processing, storing, transmitting and/or sharing of photographic and/or video surveillance image collection that can identify individuals to legitimate business needs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "apac-chn-pipl-2021": [
          "26"
        ]
      }
    },
    {
      "control_id": "PRI-04.4",
      "title": "Acquired Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to promptly inform data subjects of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject.",
      "scf_question": "Does the organization promptly inform data subjects of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to promptly inform data subjects of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-GV-1",
        "R-GV-5"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "emea-sau-pdpl-2023": [
          "Article 10",
          "Article 14",
          "Article 15.2"
        ],
        "emea-srb-act-9-2018": [
          "20"
        ],
        "apac-jpn-ppi-2020": [
          "18(1)",
          "18(2)",
          "18(4)(i)",
          "18(4)(ii)",
          "18(4)(iii)",
          "18(4)(iv)"
        ]
      }
    },
    {
      "control_id": "PRI-04.5",
      "title": "Validate Collected Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to ensure that the data subject, or authorized representative, validate Personal Data (PD) during the collection process.",
      "scf_question": "Does the organization ensure that the data subject, or authorized representative, validate Personal Data (PD) during the collection process?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that the data subject, or authorized representative, validate Personal Data (PD) during the collection process.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "DI-1(1)"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.5.a"
        ],
        "usa-federal-cms-marse-2-0": [
          "DI-1(1)"
        ],
        "emea-sau-pdpl-2023": [
          "Article 14"
        ]
      }
    },
    {
      "control_id": "PRI-04.6",
      "title": "Re-Validate Collected Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to ensure that the data subject, or authorized representative, re-validate that Personal Data (PD) acquired during the collection process is still accurate.",
      "scf_question": "Does the organization ensure that the data subject, or authorized representative, re-validate that Personal Data (PD) acquired during the collection process is still accurate?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that the data subject, or authorized representative, re-validate that Personal Data (PD) acquired during the collection process is still accurate.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "DI-1(2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "DI-1(2)"
        ]
      }
    },
    {
      "control_id": "PRI-04.7",
      "title": "Personal Data (PD) Collection Methods",
      "family": "PRI",
      "description": "Mechanisms exist to ensure that Personal Data (PD) collection methods are:\n(1) In accordance with applicable statutory and/or regulatory requirements;\n(2) Appropriate for the circumstances of the data subject;\n(3) Unambiguous; and\n(4) Secure.",
      "scf_question": "Does the organization ensure that Personal Data (PD) collection methods are:\n (1) In accordance with applicable statutory and/or regulatory requirements;\n (2) Appropriate for the circumstances of the data subject;\n (3) Unambiguous; and\n (4) Secure?",
      "relative_weight": 3,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Privacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.\n▪ Data/process owners are expected to take the initiative to work with Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that Personal Data (PD) collection methods are:\n(1) In accordance with applicable statutory and/or regulatory requirements;\n(2) Appropriate for the circumstances of the data subject;\n(3) Unambiguous; and\n(4) Secure.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document the methods used to collect personal data",
        "small": "∙ Personal data collection methods inventory and policy",
        "medium": "∙ Formal PD collection methods documentation\n∙ Privacy notice alignment",
        "large": "∙ Enterprise data collection inventory management\n∙ Privacy assessment for collection methods",
        "enterprise": "∙ Enterprise privacy management platform with data collection inventory\n∙ Automated collection method discovery"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF2"
        ],
        "general-iso-29100-2024": [
          "6.7"
        ],
        "emea-sau-pdpl-2023": [
          "Article 11.2"
        ]
      }
    },
    {
      "control_id": "PRI-05",
      "title": "Personal Data (PD) Retention & Disposal",
      "family": "PRI",
      "description": "Mechanisms exist to:\n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroy, erase and/or anonymize the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
      "scf_question": "Does the organization:\n (1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n (2) Dispose of, destroy, erase and/or anonymize the PD, regardless of the method of storage; and\n (3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-11",
        "E-PRI-02"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to:\n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroy, erase and/or anonymize the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "U4.2",
          "U4.2-POF1",
          "U4.3",
          "U4.3-POF1",
          "U4.3-POF2",
          "U4.3-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "C1.1-POF3",
          "C1.2",
          "C1.2-POF1",
          "C1.2-POF2",
          "CC6.5",
          "CC6.5-POF2",
          "P4.0",
          "P4.2",
          "P4.2-POF1",
          "P4.3",
          "P4.3-POF2",
          "P4.3-POF3"
        ],
        "general-cis-csc-8-1": [
          "3.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "3.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.5"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-16"
        ],
        "general-govramp": [
          "SI-12"
        ],
        "general-govramp-low": [
          "SI-12"
        ],
        "general-govramp-low-plus": [
          "SI-12"
        ],
        "general-govramp-mod": [
          "SI-12"
        ],
        "general-govramp-high": [
          "SI-12"
        ],
        "general-iso-27002-2022": [
          "5.33",
          "8.1"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.33",
          "8.10"
        ],
        "general-iso-29100-2024": [
          "6.5",
          "6.6"
        ],
        "general-nist-800-53-r4": [
          "DM-2"
        ],
        "general-nist-800-53-r5-2": [
          "AC-04(25)",
          "SI-12",
          "SI-12(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-12",
          "SI-12(03)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SI-12"
        ],
        "general-nist-800-82-r3": [
          "AC-04(25)",
          "SI-12",
          "SI-12(03)"
        ],
        "general-nist-800-82-r3-low": [
          "SI-12"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-12"
        ],
        "general-nist-800-82-r3-high": [
          "SI-12"
        ],
        "general-nist-800-161-r1": [
          "SI-12"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SI-12"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-12"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-07"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.6",
          "9.4.7",
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.6",
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.6",
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.6",
          "9.4.7",
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.6",
          "9.4.7",
          "10.5.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.4.6"
        ],
        "general-scf-dpmp-2025": [
          "5.0"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "4.2.2",
          "4.2.3.1",
          "4.2.3.2",
          "4.3",
          "SI-12",
          "SI-12(3)"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.5.b"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-12",
          "SI-12(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-12",
          "SI-12(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-12",
          "SI-12(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-12",
          "SI-12(03)"
        ],
        "usa-federal-omb-fipps-1973": [
          "4"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(6)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-12"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-12",
          "DM-2",
          "DM-2.a"
        ],
        "usa-state-il-bipa-2008": [
          "15(a)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(C)(4)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 4(7)(a)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(C)(i)(a)",
          "47-18-3204(a)(4)"
        ],
        "usa-state-tx-bc521-2009": [
          "521.052(b)",
          "521.052(b)(1)",
          "521.052(b)(2)",
          "521.052(b)(3)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SI-12"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SI-12"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-12"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.5(e)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 5.1(e)"
        ],
        "emea-us-psd2-2015": [
          "24"
        ],
        "emea-aut-fappd-2000": [
          "Sec 7"
        ],
        "emea-bel-act-8-1992": [
          "4-7",
          "21"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 3a",
          "Sec 5",
          "Sec 13",
          "Sec 14",
          "Sec 20"
        ],
        "emea-deu-c5-2020": [
          "OPS-11",
          "OPS-12",
          "PI-03"
        ],
        "emea-grc-pirppd-1997": [
          "4",
          "7"
        ],
        "emea-hun-isdfi-2011": [
          "5"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "15.4"
        ],
        "emea-isr-ppl-5741-1981": [
          "8"
        ],
        "emea-ita-pdpc-2003": [
          "11"
        ],
        "emea-ken-pda-2019": [
          "25(g)",
          "34(3)",
          "39(1)",
          "39(1)(a)",
          "39(1)(b)",
          "39(1)(c)",
          "39(1)(d)",
          "39(2)"
        ],
        "emea-nga-dpr-2019": [
          "2.1(1)(c)"
        ],
        "emea-nor-pda-2018": [
          "8",
          "11",
          "15",
          "27",
          "28"
        ],
        "emea-pol-act-29-1997": [
          "23",
          "26"
        ],
        "emea-rus-federal-law-27-2006": [
          "5"
        ],
        "emea-sau-pdpl-2023": [
          "Article 11.4",
          "Article 18.1",
          "Article 18.2.a",
          "Article 18.2.b"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.11"
        ],
        "emea-srb-act-9-2018": [
          "5.5",
          "8"
        ],
        "emea-zaf-popia-2013": [
          "4",
          "14",
          "16"
        ],
        "emea-esp-decree-1720-2007": [
          "8",
          "22"
        ],
        "emea-che-fadp-2025": [
          "4"
        ],
        "emea-tur-lppd-2016": [
          "5",
          "7"
        ],
        "emea-gbr-dpa-1998": [
          "Chapter29-Schedule1-Part1-Principle 5"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 3",
          "APP Part 6"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 4",
          "APP 6"
        ],
        "apac-chn-pipl-2021": [
          "10",
          "19",
          "47",
          "47(1)",
          "47(2)",
          "47(3)",
          "47(4)",
          "47(5)"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 2",
          "Sec 26",
          "Principle 3",
          "Sec 4"
        ],
        "apac-ind-privacy-rules-2011": [
          "5"
        ],
        "apac-jpn-ppi-2020": [
          "19"
        ],
        "apac-mys-pdpa-2010": [
          "5",
          "6",
          "10"
        ],
        "apac-phl-dpa-2012": [
          "19",
          "21"
        ],
        "apac-sgp-pdpa-2012": [
          "23",
          "25"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.1.7"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "4",
          "15",
          "19",
          "21",
          "37"
        ],
        "apac-twn-pdpa-2025": [
          "5",
          "19"
        ],
        "americas-arg-ppd-2018": [
          "5.1",
          "4.3",
          "9.2"
        ],
        "americas-bhs-dpa-2003": [
          "6",
          "12"
        ],
        "americas-bra-lgpd-2018": [
          "6.2",
          "6.9",
          "13",
          "14",
          "15",
          "21"
        ],
        "americas-can-pipeda-2000": [
          "Sec 7",
          "Sec 8",
          "Principle 5",
          "Principle 6"
        ],
        "americas-chl-act-19628-1999": [
          "9"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "7",
          "8",
          "9",
          "11",
          "12",
          "13",
          "14"
        ]
      }
    },
    {
      "control_id": "PRI-05.1",
      "title": "Internal Use of Personal Data (PD) For Testing, Training and Research",
      "family": "PRI",
      "description": "Mechanisms exist to address the use of Personal Data (PD) for internal testing, training and research that:\n(1) Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and\n(2) Authorizes the use of PD when such information is required for internal testing, training and research.",
      "scf_question": "Does the organization address the use of Personal Data (PD) for internal testing, training and research that:\n (1) Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and\n (2) Authorizes the use of PD when such information is required for internal testing, training and research?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-02"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address the use of Personal Data (PD) for internal testing, training and research that:\n(1) Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and\n(2) Authorizes the use of PD when such information is required for internal testing, training and research.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC6.1-POF13",
          "P4.1"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-12",
          "DSP-15"
        ],
        "general-iso-27002-2022": [
          "5.33"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.33"
        ],
        "general-nist-800-53-r4": [
          "DM-1",
          "DM-3",
          "DM-3(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PM-25",
          "PT-02",
          "PT-03",
          "SI-12(01)",
          "SI-12(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-25",
          "PT-02",
          "PT-03",
          "SI-12(01)",
          "SI-12(02)"
        ],
        "general-nist-800-82-r3": [
          "PM-25",
          "PT-02",
          "PT-03",
          "SI-12(01)",
          "SI-12(02)"
        ],
        "general-nist-800-82-r3-low": [
          "PM-25"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-25"
        ],
        "general-nist-800-82-r3-high": [
          "PM-25"
        ],
        "general-nist-800-161-r1": [
          "PM-25"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-25"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.5"
        ],
        "general-scf-dpmp-2025": [
          "3.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "4.2.2",
          "4.2.3.1",
          "4.2.3.2",
          "4.3",
          "SI-12(1)",
          "SI-12(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-25",
          "PT-02",
          "PT-03",
          "SI-12(01)",
          "SI-12(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-25",
          "PT-02",
          "PT-03",
          "SI-12(01)",
          "SI-12(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-25",
          "PT-02",
          "PT-03",
          "SI-12(01)",
          "SI-12(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-25",
          "PT-02",
          "PT-03",
          "SI-12(01)",
          "SI-12(02)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.508(a)(2)(i)(B)"
        ],
        "usa-federal-irs-1075-2021": [
          "PT-2",
          "SI-12(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "DM-1",
          "DM-1.a",
          "DM-1.b",
          "DM-1.c",
          "DM-3",
          "DM-3.a",
          "DM-3.b",
          "DM-3(1)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 7(1)(c)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3204(a)(2)",
          "47-18-3207(a)(1)",
          "47-18-3207(a)(2)",
          "47-18-3207(a)(3)",
          "47-18-3207(b)(1)",
          "47-18-3207(b)(2)",
          "47-18-3207(b)(3)",
          "47-18-3207(b)(3)(A)",
          "47-18-3207(b)(3)(B)",
          "47-18-3207(b)(3)(C)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 12"
        ],
        "emea-bel-act-8-1992": [
          "4-7",
          "21"
        ],
        "emea-hun-isdfi-2011": [
          "9"
        ],
        "emea-isr-ppl-5741-1981": [
          "8"
        ],
        "emea-ita-pdpc-2003": [
          "13",
          "20"
        ],
        "emea-ken-pda-2019": [
          "25(a)",
          "25(b)",
          "25(c)",
          "28(2)(a)",
          "28(2)(b)",
          "28(2)(c)",
          "28(2)(d)",
          "28(2)(e)",
          "28(2)(f)",
          "28(2)(f)(i)",
          "28(2)(f)(ii)",
          "28(2)(f)(iii)",
          "28(3)",
          "30(1)(a)",
          "30(1)(b)(i)",
          "30(1)(b)(ii)",
          "30(1)(b)(iii)",
          "30(1)(b)(iv)",
          "30(1)(b)(v)",
          "30(1)(b)(vi)",
          "30(1)(b)(vii)",
          "30(1)(b)(viii)",
          "30(2)",
          "30(3)",
          "33(1)(a)",
          "33(1)(b)",
          "33(2)",
          "33(3)(a)",
          "33(3)(b)",
          "33(3)(c)",
          "33(3)(d)",
          "33(3)(e)",
          "33(4)",
          "34(1)(a)",
          "34(1)(b)",
          "34(1)(c)",
          "34(1)(d)",
          "34(2)(a)",
          "34(2)(b)",
          "34(3)",
          "36",
          "37(1)(a)",
          "37(1)(b)",
          "37(2)",
          "53(1)",
          "53(2)",
          "53(3)(a)",
          "53(3)(b)",
          "53(4)"
        ],
        "emea-nga-dpr-2019": [
          "2.1(1)(b)",
          "3.1(12)"
        ],
        "emea-nor-pda-2018": [
          "11",
          "27"
        ],
        "emea-pol-act-29-1997": [
          "26"
        ],
        "emea-qat-pdppl-2020": [
          "8.2",
          "9.4"
        ],
        "emea-srb-act-9-2018": [
          "5.1",
          "5.3",
          "7",
          "7.1",
          "7.2",
          "20"
        ],
        "emea-zaf-popia-2013": [
          "10"
        ],
        "emea-esp-decree-1720-2007": [
          "8"
        ],
        "emea-gbr-dpa-1998": [
          "Chapter29-Schedule1-Part1-Principle 3"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 3"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 6"
        ],
        "apac-chn-pipl-2021": [
          "13",
          "13(1)",
          "13(2)",
          "13(3)",
          "13(4)",
          "13(5)",
          "13(6)",
          "13(7)",
          "28",
          "47"
        ],
        "apac-jpn-ppi-2020": [
          "16-2"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 10",
          "P10-(1)",
          "P10-(1)(a)",
          "P10-(1)(b)(i)",
          "P10-(1)(b)(ii)",
          "P10-(1)(c)",
          "P10-(1)(d)",
          "P10-(1)(e)(i)",
          "P10-(1)(e)(ii)",
          "P10-(1)(e)(iii)",
          "P10-(1)(e)(iv)",
          "P10-(1)(f)(i)",
          "P10-(1)(f)(ii)",
          "P10-(2)"
        ],
        "apac-phl-dpa-2012": [
          "19"
        ],
        "apac-kor-pipa-2011": [
          "3"
        ],
        "americas-arg-ppd-2018": [
          "7.3",
          "9.2"
        ],
        "americas-bhs-dpa-2003": [
          "6"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ]
      }
    },
    {
      "control_id": "PRI-05.2",
      "title": "Personal Data (PD) Accuracy & Integrity",
      "family": "PRI",
      "description": "Mechanisms exist to ensure the accuracy and relevance of Personal Data (PD) throughout the information lifecycle by:\n(1) Keeping PD up-to-date; and \n(2) Remediating identified inaccuracies, as necessary.",
      "scf_question": "Does the organization ensure the accuracy and relevance of Personal Data (PD) throughout the information lifecycle by:\n (1) Keeping PD up-to-date; and \n (2) Remediating identified inaccuracies, as necessary?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the accuracy and relevance of Personal Data (PD) throughout the information lifecycle by:\n(1) Keeping PD up-to-date; and \n(2) Remediating identified inaccuracies, as necessary.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF7",
          "Q8.1",
          "Q8.1-POF2"
        ],
        "general-apec-privacy-framework-2015": [
          "6"
        ],
        "general-iso-29100-2024": [
          "6.7"
        ],
        "general-nist-800-53-r4": [
          "DI-2"
        ],
        "general-nist-800-53-r5-2": [
          "PM-24"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-24"
        ],
        "general-nist-800-82-r3": [
          "PM-24"
        ],
        "general-nist-800-82-r3-low": [
          "PM-24"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-24"
        ],
        "general-nist-800-82-r3-high": [
          "PM-24"
        ],
        "general-scf-dpmp-2025": [
          "5.9"
        ],
        "general-shared-assessments-sig-2025": [
          "P.5.1"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.5.a"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-24"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(vi)"
        ],
        "usa-federal-cms-marse-2-0": [
          "DI-2",
          "DI-2.a",
          "DI-2.b"
        ],
        "emea-eu-gdpr-2016": [
          "Article 5.1(d)"
        ],
        "emea-ken-pda-2019": [
          "25(f)"
        ],
        "emea-nor-pda-2018": [
          "11"
        ],
        "emea-sau-pdpl-2023": [
          "Article 14"
        ],
        "emea-srb-act-9-2018": [
          "5.4"
        ],
        "emea-zaf-popia-2013": [
          "14",
          "16"
        ],
        "emea-esp-decree-1720-2007": [
          "8"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 10"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 10"
        ],
        "apac-chn-pipl-2021": [
          "8"
        ],
        "apac-ind-dpdpa-2023": [
          "8(3)",
          "8(3)(a)",
          "8(3)(b)"
        ],
        "apac-jpn-ppi-2020": [
          "19"
        ],
        "apac-mys-pdpa-2010": [
          "11"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 9"
        ],
        "apac-sgp-pdpa-2012": [
          "23"
        ],
        "apac-kor-pipa-2011": [
          "3"
        ],
        "americas-arg-ppd-2018": [
          "4.5"
        ],
        "americas-bhs-dpa-2003": [
          "6"
        ],
        "americas-can-pipeda-2000": [
          "Principle 6"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "9"
        ]
      }
    },
    {
      "control_id": "PRI-05.3",
      "title": "Data Masking",
      "family": "PRI",
      "description": "Mechanisms exist to mask sensitive/regulated data through data anonymization, pseudonymization, redaction or de-identification.",
      "scf_question": "Does the organization mask sensitive/regulated data through data anonymization, pseudonymization, redaction or de-identification?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to mask sensitive/regulated data through data anonymization, pseudonymization, redaction or de-identification.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-iso-27002-2022": [
          "8.11"
        ],
        "general-iso-27018-2025": [
          "8.11"
        ],
        "general-nist-800-53-r5-2": [
          "SI-19(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-19(04)"
        ],
        "general-nist-800-82-r3": [
          "SI-19(04)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-19(04)"
        ],
        "general-pci-dss-4-0-1": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.4.1"
        ],
        "general-scf-dpmp-2025": [
          "5.1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-19(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-19(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-19(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-19(04)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(C)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-581.A.1"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 2"
        ],
        "apac-kor-pipa-2011": [
          "3"
        ],
        "americas-arg-ppd-2018": [
          "4.4"
        ]
      }
    },
    {
      "control_id": "PRI-05.4",
      "title": "Usage Restrictions of Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to:\n(1) The purpose(s) originally collected, consistent with the data privacy notice(s);\n(2) What is authorized by the data subject, or authorized agent; and\n(3) What is consistent with applicable laws, regulations and contractual obligations.",
      "scf_question": "Does the organization restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to:\n (1) The purpose(s) originally collected, consistent with the data privacy notice(s);\n (2) What is authorized by the data subject, or authorized agent; and\n (3) What is consistent with applicable laws, regulations and contractual obligations?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to:\n(1) The purpose(s) originally collected, consistent with the data privacy notice(s);\n(2) What is authorized by the data subject, or authorized agent; and\n(3) What is consistent with applicable laws, regulations and contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0-POF3",
          "U4.1",
          "U4.1-POF1",
          "Q8.1-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "P4.0",
          "P4.1",
          "P4.1-POF1"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-12",
          "DSP-17"
        ],
        "general-iso-27002-2022": [
          "5.33"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.33"
        ],
        "general-iso-29100-2024": [
          "6.6"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.6"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P1",
          "CT.PO-P2"
        ],
        "general-nist-800-53-r4": [
          "DM-3(1)",
          "UL-1"
        ],
        "general-nist-800-53-r5-2": [
          "AC-23",
          "PM-25",
          "PT-02",
          "PT-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-23",
          "PM-25",
          "PT-02",
          "PT-07"
        ],
        "general-nist-800-82-r3": [
          "AC-23",
          "PM-25",
          "PT-02",
          "PT-07"
        ],
        "general-nist-800-82-r3-low": [
          "PM-25"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-25"
        ],
        "general-nist-800-82-r3-high": [
          "PM-25"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AC-23"
        ],
        "general-nist-800-161-r1": [
          "AC-23",
          "PM-25"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-23"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-23",
          "PM-25"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-23"
        ],
        "general-oecd-privacy-principles-2010": [
          "4"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.5"
        ],
        "general-scf-dpmp-2025": [
          "3.3"
        ],
        "general-shared-assessments-sig-2025": [
          "P.2.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "4.2.2",
          "4.2.3.1",
          "4.2.3.2",
          "4.3"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.2.c"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-23",
          "PM-25",
          "PT-02",
          "PT-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-23",
          "PM-25",
          "PT-02",
          "PT-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-23",
          "PM-25",
          "PT-02",
          "PT-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-23",
          "PM-25",
          "PT-02",
          "PT-07"
        ],
        "usa-federal-omb-fipps-1973": [
          "4"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(v)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.502(c)",
          "164.502(d)(1)",
          "164.504(g)(2)",
          "164.506(a)",
          "164.506(c)(1)",
          "164.506(c)(5)",
          "164.508(a)(1)",
          "164.508(a)(2)(i)(C)",
          "164.510(a)(1)(i)(A)",
          "164.510(a)(1)(i)(B)",
          "164.510(a)(1)(i)(C)",
          "164.510(a)(1)(i)(D)",
          "164.510(a)(1)(ii)(A)",
          "164.510(a)(1)(ii)(B)",
          "164.510(b)(4)",
          "164.512",
          "164.512(i)(1)",
          "164.512(j)(1)",
          "164.512(j)(1)(i)(A)",
          "164.512(j)(1)(i)(B)",
          "164.512(j)(1)(ii)",
          "164.512(j)(1)(ii)(A)",
          "164.512(j)(1)(ii)(B)",
          "164.512(j)(2)(i)",
          "164.512(j)(2)(ii)",
          "164.512(j)(3)",
          "164.512(j)(4)",
          "164.512(k)(1)(i)",
          "164.512(k)(1)(i)(A)",
          "164.512(k)(1)(i)(B)",
          "164.512(k)(1)(ii)",
          "164.512(k)(1)(iii)",
          "164.512(k)(1)(iv)",
          "164.512(k)(2)",
          "164.512(k)(3)",
          "164.512(k)(4)",
          "164.512(k)(4)(i)",
          "164.512(k)(4)(ii)",
          "164.512(k)(4)(iii)",
          "164.512(k)(5)(i)",
          "164.512(k)(5)(i)(A)",
          "164.512(k)(5)(i)(B)",
          "164.512(k)(5)(i)(C)",
          "164.512(k)(5)(i)(D)",
          "164.512(k)(5)(i)(E)",
          "164.512(k)(5)(i)(F)",
          "164.512(k)(5)(ii)",
          "164.512(k)(5)(iii)",
          "164.512(k)(6)(i)",
          "164.512(k)(6)(ii)",
          "164.512(k)(6)(ii)(1)",
          "164.514(f)(2)(i)",
          "164.514(g)",
          "164.530(i)(4)(ii)",
          "164.530(i)(4)(ii)(B)",
          "164.532(a)",
          "164.532(b)",
          "164.532(c)"
        ],
        "usa-federal-irs-1075-2021": [
          "PT-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "UL-1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(d)(3)",
          "7026(f)",
          "7026(f)(1)",
          "7027(a)"
        ],
        "usa-state-nv-sb220-2019": [
          "2.3"
        ],
        "usa-state-or-cpa-2023": [
          "Section 4(7)(b)",
          "Section 5(2)(a)",
          "Section 5(2)(c)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(C)(i)(b)",
          "47-18-3203(a)(2)(C)(ii)",
          "47-18-3204(a)(6)",
          "47-18-3207(b)",
          "47-18-3207(c)",
          "47-18-3207(d)"
        ],
        "usa-state-tx-bc521-2009": [
          "521.051(a)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.052(f)(2)",
          "541.204(a)",
          "541.204(a)(1)",
          "541.204(a)(2)",
          "541.204(b)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.1.C",
          "59.1-578.A.2",
          "59.1-578.F.1.c"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.5(c)",
          "Article 10.5(d)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.1(3)(e)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 12"
        ],
        "emea-bel-act-8-1992": [
          "4-7",
          "21"
        ],
        "emea-hun-isdfi-2011": [
          "9"
        ],
        "emea-isr-ppl-5741-1981": [
          "8"
        ],
        "emea-ita-pdpc-2003": [
          "13",
          "20"
        ],
        "emea-ken-pda-2019": [
          "44",
          "45(a)",
          "45(a)(i)",
          "45(a)(ii)",
          "45(b)",
          "45(c)(i)",
          "45(c)(ii)",
          "45(c)(iii)",
          "46(1)(a)",
          "46(1)(b)",
          "46(2)(a)",
          "46(2)(b)",
          "47(1)",
          "47(2)(a)",
          "47(2)(b)",
          "47(2)(c)",
          "47(2)(d)",
          "47(3)"
        ],
        "emea-nga-dpr-2019": [
          "3.1(12)"
        ],
        "emea-nor-pda-2018": [
          "9"
        ],
        "emea-pol-act-29-1997": [
          "27"
        ],
        "emea-qat-pdppl-2020": [
          "8.2",
          "9.4",
          "10",
          "16",
          "22"
        ],
        "emea-rus-federal-law-27-2006": [
          "6",
          "10"
        ],
        "emea-sau-pdpl-2023": [
          "Article 11.3"
        ],
        "emea-srb-act-9-2018": [
          "5.1",
          "5.3",
          "17",
          "17.1",
          "17.2",
          "17.3",
          "17.4",
          "17.5",
          "17.6",
          "17.7",
          "17.8",
          "17.9",
          "17.10",
          "18.1",
          "18.2",
          "18.3",
          "19"
        ],
        "emea-zaf-popia-2013": [
          "15",
          "26"
        ],
        "emea-tur-lppd-2016": [
          "6"
        ],
        "emea-gbr-dpa-1998": [
          "Chapter29-Schedule1-Part1-Principle 3"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 3"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 6",
          "APP 7",
          "APP 9"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 41",
          "Article 44"
        ],
        "apac-chn-pipl-2021": [
          "13",
          "13(1)",
          "13(2)",
          "13(3)",
          "13(4)",
          "13(5)",
          "13(6)",
          "13(7)",
          "18",
          "28",
          "29",
          "30",
          "31",
          "32"
        ],
        "apac-ind-dpdpa-2023": [
          "7(f)",
          "7(g)",
          "7(h)",
          "7(i)",
          "8(1)"
        ],
        "apac-jpn-ppi-2020": [
          "16-2"
        ],
        "apac-mys-pdpa-2010": [
          "34"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 10",
          "P10-(1)",
          "P10-(1)(a)",
          "P10-(1)(b)(i)",
          "P10-(1)(b)(ii)",
          "P10-(1)(c)",
          "P10-(1)(d)",
          "P10-(1)(e)(i)",
          "P10-(1)(e)(ii)",
          "P10-(1)(e)(iii)",
          "P10-(1)(e)(iv)",
          "P10-(1)(f)(i)",
          "P10-(1)(f)(ii)",
          "P10-(2)"
        ],
        "apac-phl-dpa-2012": [
          "19",
          "22",
          "34"
        ],
        "apac-sgp-pdpa-2012": [
          "14"
        ],
        "apac-kor-pipa-2011": [
          "16",
          "18",
          "23"
        ],
        "apac-twn-pdpa-2025": [
          "5"
        ],
        "americas-arg-ppd-2018": [
          "4.3"
        ],
        "americas-bhs-dpa-2003": [
          "12"
        ],
        "americas-chl-act-19628-1999": [
          "10"
        ],
        "americas-col-law-1581-2012": [
          "4",
          "5",
          "6",
          "7"
        ],
        "americas-mex-fdpa-2010": [
          "7",
          "9"
        ]
      }
    },
    {
      "control_id": "PRI-05.5",
      "title": "Inventory of Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to establish and maintain a current inventory of all Technology Assets, Applications and/or Services (TAAS) that collect, receive, process, store, transmit, share, update and/or dispose Personal Data (PD).",
      "scf_question": "Does the organization establish and maintain a current inventory of all Technology Assets, Applications and/or Services (TAAS) that collect, receive, process, store, transmit, share, update and/or dispose Personal Data (PD)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-08"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish and maintain a current inventory of all Technology Assets, Applications and/or Services (TAAS) that collect, receive, process, store, transmit, share, update and/or dispose Personal Data (PD).",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.4"
        ],
        "general-iso-27002-2022": [
          "5.9"
        ],
        "general-iso-27017-2015": [
          "8.1.1"
        ],
        "general-iso-27018-2025": [
          "5.9"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P3",
          "ID.IM-P6"
        ],
        "general-nist-800-53-r4": [
          "SE-1"
        ],
        "general-nist-800-53-r5-2": [
          "PM-05(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-05(01)"
        ],
        "general-nist-800-82-r3": [
          "PM-05(01)"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-07"
        ],
        "general-pci-dss-4-0-1": [
          "12.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.5.1"
        ],
        "general-scf-dpmp-2025": [
          "1.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG2.SP1"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-05(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-5(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SE-1",
          "SE-1.a",
          "SE-1.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(4)(A)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-05(1)"
        ],
        "apac-kor-pipa-2011": [
          "33"
        ]
      }
    },
    {
      "control_id": "PRI-05.6",
      "title": "Personal Data (PD) Inventory Automation Support",
      "family": "PRI",
      "description": "Automated mechanisms exist to determine if Personal Data (PD) is maintained in electronic form.",
      "scf_question": "Does the organization use automated mechanisms to determine if Personal Data (PD) is maintained in electronic form?",
      "relative_weight": 1,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically determine if Personal Data (PD) is maintained in electronic form.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P3",
          "ID.IM-P6"
        ],
        "general-nist-800-53-r5-2": [
          "PM-05(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-05(01)"
        ],
        "general-nist-800-82-r3": [
          "PM-05(01)"
        ],
        "general-scf-dpmp-2025": [
          "1.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-05(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-5(CE-1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-05(1)"
        ],
        "emea-rus-federal-law-27-2006": [
          "16"
        ]
      }
    },
    {
      "control_id": "PRI-05.7",
      "title": "Personal Data (PD) Categories",
      "family": "PRI",
      "description": "Mechanisms exist to define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD).",
      "scf_question": "Does the organization define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-07"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.3",
          "M1.3-POF1",
          "D6.7"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P3"
        ],
        "general-nist-800-53-r5-2": [
          "PT-07",
          "PT-07(01)",
          "PT-07(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-07",
          "PT-07(01)",
          "PT-07(02)"
        ],
        "general-nist-800-82-r3": [
          "PT-07",
          "PT-07(01)",
          "PT-07(02)"
        ],
        "general-scf-dpmp-2025": [
          "1.2",
          "1.7"
        ],
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(b)(1)(B)(i)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PT-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PT-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PT-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PT-07"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7024(j)",
          "7024(l)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1308(1)(a)(I)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 5(4)(a)",
          "Section 5(4)(e)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.102(a)(1)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.C.4"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.5"
        ],
        "emea-eu-gdpr-2016": [
          "Article 13.1(e)",
          "Article 14.1(d)"
        ],
        "emea-ken-pda-2019": [
          "47(1)",
          "47(2)(a)",
          "47(2)(b)",
          "47(2)(c)",
          "47(2)(d)",
          "47(3)"
        ],
        "emea-srb-act-9-2018": [
          "9",
          "9.1",
          "9.2",
          "9.3",
          "9.4",
          "9.5",
          "10",
          "13"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 9"
        ],
        "apac-chn-pipl-2021": [
          "51(2)"
        ]
      }
    },
    {
      "control_id": "PRI-05.8",
      "title": "Personal Data (PD) Formats",
      "family": "PRI",
      "description": "Mechanisms exist to retain Personal Data (PD) in a format permitting data subject identification for no longer than is necessary for legitimate business purposes.",
      "scf_question": "Does the organization retain Personal Data (PD) in a format permitting data subject identification for no longer than is necessary for legitimate business purposes?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to retain Personal Data (PD) in a format permitting data subject identification for no longer than is necessary for legitimate business purposes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document the formats in which personal data is stored and transferred",
        "small": "∙ Personal data format inventory and documentation",
        "medium": "∙ Formal PD format documentation\n∙ Format-specific handling requirements",
        "large": "∙ Enterprise data format governance\n∙ DLP controls for format-specific handling",
        "enterprise": "∙ Enterprise data governance platform\n∙ Automated PD format discovery and classification\n∙ Format-specific DLP controls"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "emea-eu-gdpr-2016": [
          "Article 5.1(e)"
        ]
      }
    },
    {
      "control_id": "PRI-06",
      "title": "Data Subject Empowerment",
      "family": "PRI",
      "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updating and/or sharing of their PD.",
      "scf_question": "Does the organization provide authenticated data subjects the ability to:\n (1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n (2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n (3) Obtain the source(s) of their PD; \n (4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n (5) Request correction to their PD due to inaccuracies;\n (6) Request erasure of their PD; and\n (7) Restrict the further collecting, receiving, processing, storing, transmitting, updating and/or sharing of their PD?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-06"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updating and/or sharing of their PD.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "A5.1",
          "A5.1-POF2",
          "D6.7",
          "D6.7-POF1",
          "D6.7-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "P5.0",
          "P5.1",
          "P5.1-POF1",
          "P5.1-POF2",
          "P5.1-POF3"
        ],
        "general-apec-privacy-framework-2015": [
          "8(c)"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-11"
        ],
        "general-iso-29100-2024": [
          "6.9",
          "6.1"
        ],
        "general-nist-800-53-r4": [
          "IP-2"
        ],
        "general-nist-800-53-r5-2": [
          "AC-03(14)",
          "SI-18(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-03(14)",
          "SI-18(04)"
        ],
        "general-nist-800-82-r3": [
          "AC-03(14)",
          "SI-18(04)"
        ],
        "general-oecd-privacy-principles-2010": [
          "7(a)"
        ],
        "general-scf-dpmp-2025": [
          "6.0"
        ],
        "usa-federal-law-coppa-2024": [
          "Sec. 6502.(b)(1)(B)",
          "Sec. 6502.(b)(1)(B)(iii)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-3(14)"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.6.a",
          "III.8.a.i",
          "III.8.a.i.1",
          "III.8.a.i.2",
          "III.8.a.i.3",
          "III.8.a.iii",
          "III.8.b.i",
          "III.8.b.ii",
          "III.8.d.ii",
          "III.8.e.i",
          "III.8.f.i",
          "III.14.e.ii"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-18(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-18(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-18(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-18(04)"
        ],
        "usa-federal-law-ferpa-2010": [
          "1232h(c)(1)(A)(ii)"
        ],
        "usa-federal-omb-fipps-1973": [
          "1",
          "6"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(i)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.502(a)(2)(i)",
          "164.502(a)(2)(ii)",
          "164.514(h)(1)(i)",
          "164.514(h)(1)(ii)",
          "164.524(a)(1)",
          "164.524(a)(1)(i)",
          "164.524(a)(1)(ii)",
          "164.524(a)(1)(iii)",
          "164.524(a)(1)(iii)(A)",
          "164.524(a)(1)(iii)(B)",
          "164.524(a)(2)",
          "164.524(a)(2)(i)",
          "164.524(a)(2)(ii)",
          "164.524(a)(2)(iii)",
          "164.524(a)(2)(iv)",
          "164.524(a)(2)(v)",
          "164.524(a)(3)",
          "164.524(a)(3)(i)",
          "164.524(a)(3)(ii)",
          "164.524(a)(3)(iii)",
          "164.524(a)(4)",
          "164.524(b)(1)",
          "164.524(b)(2)(i)",
          "164.524(b)(2)(i)(A)",
          "164.524(b)(2)(i)(B)",
          "164.524(b)(2)(ii)",
          "164.524(b)(2)(ii)(A)",
          "164.524(b)(2)(ii)(B)",
          "164.524(c)",
          "164.524(c)(1)",
          "164.524(c)(3)(i)",
          "164.524(c)(3)(ii)",
          "164.524(c)(4)",
          "164.524(c)(4)(i)",
          "164.524(c)(4)(ii)",
          "164.524(c)(4)(iii)",
          "164.524(c)(4)(iv)",
          "164.524(d)",
          "164.524(d)(1)",
          "164.524(d)(2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IP-2",
          "IP-2.a",
          "IP-2.b",
          "IP-2.c",
          "IP-2.d",
          "IP-3.a"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7020(a)",
          "7020(b)",
          "7020(c)",
          "7020(d)",
          "7020(e)",
          "7020(f)",
          "7020(f)(1)",
          "7020(f)(2)",
          "7022(b)",
          "7023(c)",
          "7023(d)(1)",
          "7024(g)",
          "7024(h)",
          "7024(j)",
          "7027(d)",
          "7027(e)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)",
          "6-1-1306(1)(b)",
          "6-1-1306(2)(c)"
        ],
        "usa-state-nv-sb220-2019": [
          "2.1",
          "2.2"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.574(1)(a)",
          "646A.574(1)(a)(A)",
          "646A.574(1)(a)(B)",
          "646A.574(1)(a)(B)(i)",
          "646A.574(1)(a)(B)(ii)",
          "646A.576(1)",
          "646A.578(5)",
          "646A.578(5)(a)",
          "646A.578(5)(a)(A)",
          "646A.578(5)(a)(B)",
          "646A.578(5)(a)(C)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 3(1)(a)(A)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(1)",
          "47-18-3203(a)(2)(A)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.051(a)",
          "541.055(a)(1)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A",
          "59.1-577.A.1",
          "59.1-577.A.2",
          "59.1-577.A.3",
          "59.1-577.A.4"
        ],
        "emea-eu-gdpr-2016": [
          "Article 12.3",
          "Article 12.5(b)",
          "Article 12.6",
          "Article 15.1",
          "Article 15.1(a)",
          "Article 15.1(b)",
          "Article 15.1(c)",
          "Article 15.1(d)",
          "Article 15.1(e)",
          "Article 15.1(g)",
          "Article 15.1(h)",
          "Article 15.2",
          "Article 15.3",
          "Article 15.4",
          "Article 16",
          "Article 17.1",
          "Article 18.1",
          "Article 18.1(a)",
          "Article 18.1(b)",
          "Article 18.1(c)",
          "Article 18.1(d)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 26"
        ],
        "emea-bel-act-8-1992": [
          "10",
          "12"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 19"
        ],
        "emea-grc-pirppd-1997": [
          "11",
          "12"
        ],
        "emea-hun-isdfi-2011": [
          "14",
          "15"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-ppl-5741-1981": [
          "13"
        ],
        "emea-ita-pdpc-2003": [
          "7"
        ],
        "emea-ken-pda-2019": [
          "26(a)",
          "26(b)",
          "26(c)",
          "26(d)",
          "26(e)"
        ],
        "emea-nga-dpr-2019": [
          "3.1(1)",
          "3.1(3)",
          "3.1(3)(a)",
          "3.1(3)(b)"
        ],
        "emea-nor-pda-2018": [
          "18"
        ],
        "emea-pol-act-29-1997": [
          "32"
        ],
        "emea-qat-pdppl-2020": [
          "6",
          "21.1",
          "21.2"
        ],
        "emea-rus-federal-law-27-2006": [
          "14"
        ],
        "emea-sau-pdpl-2023": [
          "Article 4.2",
          "Article 4.3",
          "Article 4.4",
          "Article 4.5",
          "Article 21"
        ],
        "emea-srb-act-9-2018": [
          "21",
          "23",
          "24",
          "25",
          "26",
          "28.1",
          "28.2",
          "28.3",
          "28.4",
          "28.5"
        ],
        "emea-zaf-popia-2013": [
          "23"
        ],
        "emea-esp-decree-1720-2007": [
          "23",
          "24",
          "27",
          "28",
          "29"
        ],
        "emea-che-fadp-2025": [
          "8"
        ],
        "emea-tur-lppd-2016": [
          "11"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 12"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 12"
        ],
        "apac-chn-pipl-2021": [
          "45",
          "46",
          "49"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 6",
          "Sec 17A",
          "Sec 18"
        ],
        "apac-ind-dpdpa-2023": [
          "11(1)(c)",
          "11(2)"
        ],
        "apac-jpn-ppi-2020": [
          "27(1)",
          "27(1)(i)",
          "27(1)(ii)",
          "27(1)(iii)",
          "27(1)(iv)",
          "27(2)(i)",
          "27(2)(ii)",
          "27(3)",
          "28(1)",
          "28(2)",
          "28(2)(i)",
          "28(2)(ii)",
          "28(2)(iii)",
          "28(3)",
          "28(4)",
          "28(5)"
        ],
        "apac-mys-pdpa-2010": [
          "12",
          "30"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 6",
          "P6-(1)",
          "P6-(1)(a)",
          "P6-(1)(b)",
          "P6-(2)",
          "P6-(3)"
        ],
        "apac-phl-dpa-2012": [
          "34"
        ],
        "apac-sgp-pdpa-2012": [
          "21"
        ],
        "apac-kor-pipa-2011": [
          "4",
          "35"
        ],
        "apac-twn-pdpa-2025": [
          "3"
        ],
        "americas-arg-ppd-2018": [
          "4.6",
          "13",
          "14.1",
          "14.2",
          "14.3",
          "14.4"
        ],
        "americas-bhs-dpa-2003": [
          "8"
        ],
        "americas-bra-lgpd-2018": [
          "6.4",
          "9",
          "17",
          "18.1",
          "18.2",
          "20"
        ],
        "americas-can-pipeda-2000": [
          "Principle 8",
          "Principle 9"
        ],
        "americas-chl-act-19628-1999": [
          "12"
        ],
        "americas-col-law-1581-2012": [
          "8",
          "11"
        ],
        "americas-mex-fdpa-2010": [
          "15",
          "22",
          "23",
          "25"
        ]
      }
    },
    {
      "control_id": "PRI-06.1",
      "title": "Correcting Inaccurate Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to maintain a process for:\n(1) Data subjects to have inaccurate Personal Data (PD) maintained by the organization corrected or amended; and\n(2) Disseminating corrections or amendments of PD to other authorized users of the PD.",
      "scf_question": "Does the organization maintain a process for:\n (1) Data subjects to have inaccurate Personal Data (PD) maintained by the organization corrected or amended; and\n (2) Disseminating corrections or amendments of PD to other authorized users of the PD?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a process for:\n(1) Data subjects to have inaccurate Personal Data (PD) maintained by the organization corrected or amended; and\n(2) Disseminating corrections or amendments of PD to other authorized users of the PD.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "A5.2",
          "A5.2-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "P5.2",
          "P5.2-POF2"
        ],
        "general-apec-privacy-framework-2015": [
          "8(c)"
        ],
        "general-iso-29100-2024": [
          "6.9"
        ],
        "general-nist-800-53-r4": [
          "IP-3"
        ],
        "general-nist-800-53-r5-2": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "general-nist-800-82-r3": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "general-scf-dpmp-2025": [
          "6.3"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.6.a"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-18(04)",
          "SI-18(05)"
        ],
        "usa-federal-omb-fipps-1973": [
          "1"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.526(a)(1)",
          "164.526(a)(2)",
          "164.526(a)(2)(i)",
          "164.526(a)(2)(ii)",
          "164.526(a)(2)(iii)",
          "164.526(a)(2)(iv)",
          "164.526(b)(1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IP-3",
          "IP-3.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(a)",
          "7023(b)",
          "7023(d)(1)",
          "7023(d)(2)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)(c)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.574(1)(b)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 3(1)(b)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(B)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.051(b)(2)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A.2"
        ],
        "emea-aut-fappd-2000": [
          "Sec 27"
        ],
        "emea-bel-act-8-1992": [
          "10",
          "12"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 20"
        ],
        "emea-grc-pirppd-1997": [
          "13"
        ],
        "emea-hun-isdfi-2011": [
          "14",
          "15",
          "17"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-ppl-5741-1981": [
          "14"
        ],
        "emea-ita-pdpc-2003": [
          "7"
        ],
        "emea-ken-pda-2019": [
          "25(f)",
          "26(d)",
          "40(1)(a)",
          "40(2)(a)"
        ],
        "emea-nor-pda-2018": [
          "27"
        ],
        "emea-pol-act-29-1997": [
          "32"
        ],
        "emea-qat-pdppl-2020": [
          "5.4",
          "6.2"
        ],
        "emea-rus-federal-law-27-2006": [
          "17"
        ],
        "emea-srb-act-9-2018": [
          "5.4",
          "11",
          "29"
        ],
        "emea-zaf-popia-2013": [
          "24"
        ],
        "emea-esp-decree-1720-2007": [
          "23",
          "24",
          "31",
          "32"
        ],
        "emea-che-fadp-2025": [
          "5"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 13"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 13"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 43"
        ],
        "apac-chn-csnip-2012": [
          "8"
        ],
        "apac-chn-pipl-2021": [
          "46",
          "49"
        ],
        "apac-hkg-pdo-2022": [
          "Sec 22"
        ],
        "apac-ind-dpdpa-2023": [
          "12(1)",
          "12(2)(a)",
          "12(2)(b)"
        ],
        "apac-jpn-ppi-2020": [
          "26(1)",
          "26(1)(i)",
          "26(1)(ii)",
          "29(1)",
          "29(2)",
          "29(3)"
        ],
        "apac-mys-pdpa-2010": [
          "34"
        ],
        "apac-nzl-privacy-act-2020": [
          "P6-(2)",
          "Principle 7",
          "P7-(1)",
          "P7-(2)",
          "P7-(3)(a)",
          "P7-(3)(b)",
          "P7-(4)",
          "P7-(5)",
          "P7-(6)"
        ],
        "apac-phl-dpa-2012": [
          "34"
        ],
        "apac-sgp-pdpa-2012": [
          "22"
        ],
        "apac-kor-pipa-2011": [
          "4",
          "36"
        ],
        "apac-twn-pdpa-2025": [
          "3"
        ],
        "americas-arg-ppd-2018": [
          "16.1",
          "16.3"
        ],
        "americas-bhs-dpa-2003": [
          "10"
        ],
        "americas-bra-lgpd-2018": [
          "18.3"
        ],
        "americas-can-pipeda-2000": [
          "Principle 10"
        ],
        "americas-chl-act-19628-1999": [
          "13"
        ],
        "americas-col-law-1581-2012": [
          "8",
          "11"
        ],
        "americas-mex-fdpa-2010": [
          "24",
          "28",
          "29"
        ]
      }
    },
    {
      "control_id": "PRI-06.2",
      "title": "Notice of Correction or Processing Change",
      "family": "PRI",
      "description": "Mechanisms exist to notify affected data subjects if their Personal Data (PD) has been corrected, amended or deleted.",
      "scf_question": "Does the organization notify affected data subjects if their Personal Data (PD) has been corrected, amended or deleted?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to notify affected data subjects if their Personal Data (PD) has been corrected, amended or deleted.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P3.1-POF4",
          "P5.2",
          "P5.2-POF2",
          "P5.2-POF3"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P4",
          "CM.PO-P1"
        ],
        "general-nist-800-53-r5-2": [
          "SI-18(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-18(05)"
        ],
        "general-nist-800-82-r3": [
          "SI-18(05)"
        ],
        "general-scf-dpmp-2025": [
          "6.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-18(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-18(05)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.526(c)",
          "164.526(c)(1)",
          "164.526(c)(2)",
          "164.526(c)(3)",
          "164.526(c)(3)(i)",
          "164.526(c)(3)(ii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7022(e)",
          "7023(f)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(b)(1)"
        ],
        "emea-hun-isdfi-2011": [
          "14",
          "15",
          "17",
          "18"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-ita-pdpc-2003": [
          "10"
        ],
        "emea-nga-dpr-2019": [
          "3.1(13)"
        ],
        "emea-pol-act-29-1997": [
          "32"
        ],
        "emea-qat-pdppl-2020": [
          "6.2"
        ],
        "emea-rus-federal-law-27-2006": [
          "18"
        ],
        "emea-srb-act-9-2018": [
          "34",
          "34.1",
          "34.2",
          "34.3",
          "34.4",
          "34.5"
        ],
        "emea-zaf-popia-2013": [
          "24"
        ],
        "emea-esp-decree-1720-2007": [
          "23",
          "24",
          "31",
          "32"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 13"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 13"
        ],
        "apac-chn-pipl-2021": [
          "22",
          "46",
          "49"
        ],
        "apac-jpn-ppi-2020": [
          "18(3)",
          "18(4)(i)",
          "18(4)(ii)",
          "18(4)(iii)",
          "18(4)(iv)",
          "29(1)",
          "29(2)",
          "29(3)"
        ],
        "apac-nzl-privacy-act-2020": [
          "P6-(2)"
        ],
        "apac-phl-dpa-2012": [
          "34"
        ],
        "apac-sgp-pdpa-2012": [
          "23"
        ],
        "apac-kor-pipa-2011": [
          "4",
          "36"
        ],
        "americas-arg-ppd-2018": [
          "16.2"
        ],
        "americas-bhs-dpa-2003": [
          "11"
        ],
        "americas-bra-lgpd-2018": [
          "18.9"
        ],
        "americas-col-law-1581-2012": [
          "8",
          "11"
        ]
      }
    },
    {
      "control_id": "PRI-06.3",
      "title": "Appeal Adverse Decision",
      "family": "PRI",
      "description": "Mechanisms exist to maintain a process for data subjects to appeal an adverse decision.",
      "scf_question": "Does the organization maintain a process for data subjects to appeal an adverse decision?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a process for data subjects to appeal an adverse decision.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P5.2"
        ],
        "general-nist-800-53-r5-2": [
          "PM-26"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-26"
        ],
        "general-nist-800-82-r3": [
          "PM-26"
        ],
        "general-nist-800-82-r3-low": [
          "PM-26"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-26"
        ],
        "general-nist-800-82-r3-high": [
          "PM-26"
        ],
        "general-nist-800-161-r1": [
          "PM-26"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-26"
        ],
        "general-nist-800-161-r1-level-3": [
          "PM-26"
        ],
        "general-scf-dpmp-2025": [
          "6.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-26"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-26"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-26"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-26"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(ii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.524(d)(4)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(d)(1)",
          "7023(f)(3)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(3)(a)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.576(6)",
          "646A.576(6)(a)",
          "646A.576(6)(b)",
          "646A.576(6)(c)",
          "646A.576(6)(d)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 4(6)(a)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(c)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.053(a)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.C"
        ],
        "emea-aut-fappd-2000": [
          "Sec 28"
        ],
        "emea-grc-pirppd-1997": [
          "13"
        ],
        "emea-hun-isdfi-2011": [
          "14",
          "15",
          "17",
          "18"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-rus-federal-law-27-2006": [
          "17"
        ],
        "emea-zaf-popia-2013": [
          "63",
          "74"
        ],
        "emea-esp-decree-1720-2007": [
          "23",
          "24"
        ],
        "apac-jpn-ppi-2020": [
          "31"
        ],
        "apac-phl-dpa-2012": [
          "34"
        ],
        "apac-kor-pipa-2011": [
          "38"
        ],
        "americas-bra-lgpd-2018": [
          "18.9"
        ],
        "americas-can-pipeda-2000": [
          "Sec 11"
        ],
        "americas-col-law-1581-2012": [
          "15"
        ]
      }
    },
    {
      "control_id": "PRI-06.4",
      "title": "User Feedback Management",
      "family": "PRI",
      "description": "Mechanisms exist to maintain a process to efficiently and effectively respond to requests, complaints, concerns or questions from authenticated data subjects about Personal Data (PD) the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes.",
      "scf_question": "Does the organization maintain a process to efficiently and effectively respond to requests, complaints, concerns or questions from authenticated data subjects about Personal Data (PD) the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a process to efficiently and effectively respond to requests, complaints, concerns or questions from authenticated data subjects about Personal Data (PD) the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "A5.1-POF4",
          "A5.2-POF1",
          "A5.2-POF3",
          "M9.1",
          "M9.1-POF2",
          "M9.1-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "P4.3-POF1",
          "P5.1",
          "P5.1-POF4",
          "P5.1-POF5",
          "P5.2",
          "P5.2-POF1",
          "P5.2-POF3",
          "P5.2-POF4",
          "P6.7-POF2",
          "P8.1",
          "P8.1-POF1",
          "P8.1-POF2",
          "P8.1-POF3"
        ],
        "general-iso-29100-2024": [
          "6.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.MT-P7",
          "CT.PO-P4",
          "CM.AW-P2"
        ],
        "general-nist-800-53-r4": [
          "IP-4",
          "IP-4(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PM-26"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-26"
        ],
        "general-nist-800-82-r3": [
          "PM-26"
        ],
        "general-nist-800-82-r3-low": [
          "PM-26"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-26"
        ],
        "general-nist-800-82-r3-high": [
          "PM-26"
        ],
        "general-nist-800-161-r1": [
          "PM-26"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-26"
        ],
        "general-nist-800-161-r1-level-3": [
          "PM-26"
        ],
        "general-oecd-privacy-principles-2010": [
          "7(b)(i)",
          "7(b)(ii)",
          "7(b)(iii)",
          "7(c)",
          "7(d)"
        ],
        "general-scf-dpmp-2025": [
          "6.1"
        ],
        "general-tisax-6-0-3": [
          "9.6.1"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.7.a.i",
          "III.8.i.i",
          "III.11.d.i"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-26"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-26"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-26"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-26"
        ],
        "usa-federal-omb-fipps-1973": [
          "6"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.526(b)(2)(i)",
          "164.526(b)(2)(i)(A)",
          "164.526(b)(2)(i)(B)",
          "164.526(b)(2)(ii)",
          "164.526(b)(2)(ii)(A)",
          "164.526(b)(2)(ii)(B)",
          "164.526(d)",
          "164.526(d)(1)",
          "164.526(d)(1)(i)",
          "164.526(d)(1)(ii)",
          "164.526(d)(1)(iii)",
          "164.526(d)(1)(iv)",
          "164.526(d)(2)",
          "164.526(d)(3)",
          "164.526(d)(4)",
          "164.526(d)(5)(i)",
          "164.526(d)(5)(ii)",
          "164.526(d)(5)(iii)",
          "164.526(e)",
          "164.526(f)",
          "164.530(d)(1)",
          "164.530(d)(2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IP-4",
          "IP-4(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7021(a)",
          "7021(b)",
          "7022(e)",
          "7022(f)",
          "7022(f)(1)",
          "7023(a)",
          "7023(d)(2)(A)",
          "7023(d)(2)(B)",
          "7023(d)(2)(C)",
          "7023(d)(2)(D)",
          "7023(f)(1)",
          "7023(f)(2)",
          "7023(f)(3)",
          "7023(f)(4)",
          "7023(i)",
          "7023(j)",
          "7023(k)",
          "7024(c)",
          "7024(c)(1)",
          "7024(c)(2)",
          "7024(c)(3)",
          "7024(c)(4)",
          "7024(d)",
          "7024(d)(1)",
          "7024(d)(2)",
          "7024(e)",
          "7024(e)(1)",
          "7024(e)(2)",
          "7024(k)",
          "7024(k)(1)",
          "7024(k)(2)",
          "7024(k)(3)",
          "7024(k)(4)",
          "7024(k)(5)",
          "7024(k)(6)",
          "7027(h)",
          "7027(k)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)",
          "6-1-1306(2)(a)",
          "6-1-1306(2)(b)",
          "6-1-1306(3)(b)",
          "6-1-1306(3)(c)"
        ],
        "usa-state-nv-sb220-2019": [
          "2.4"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.576(5)",
          "646A.576(5)(a)",
          "646A.576(5)(b)",
          "646A.576(5)(c)",
          "646A.576(5)(d)",
          "646A.576(5)(e)",
          "646A.576(5)(e)(A)",
          "646A.576(5)(e)(B)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 4(5)(a)",
          "Section 4(5)(b)",
          "Section 4(5)(c)",
          "Section 4(5)(d)",
          "Section 4(5)(e)",
          "Section 4(5)(e)(A)",
          "Section 4(5)(e)(B)",
          "Section 4(6)(b)",
          "Section 4(6)(c)",
          "Section 4(6)(d)",
          "Section 5(5)(a)(A)",
          "Section 5(5)(a)(B)",
          "Section 5(5)(a)(C)",
          "Section 5(5)(b)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(b)(1)",
          "47-18-3203(b)(2)",
          "47-18-3203(b)(3)",
          "47-18-3203(b)(4)",
          "47-18-3204(e)(1)(A)",
          "47-18-3204(e)(1)(B)",
          "47-18-3204(e)(1)(C)",
          "47-18-3204(e)(2)",
          "47-18-3207(b)(3)",
          "47-18-3207(b)(3)(A)",
          "47-18-3207(b)(3)(B)",
          "47-18-3207(b)(3)(C)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.051(b)(1)",
          "541.052(b)",
          "541.052(c)",
          "541.052(d)",
          "541.053(c)",
          "541.053(d)",
          "541.055(a)(2)",
          "541.055(a)(3)",
          "541.055(b)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.B.1",
          "59.1-577.B.2",
          "59.1-577.B.3",
          "59.1-577.B.4",
          "59.1-577.C"
        ],
        "emea-eu-gdpr-2016": [
          "Article 12.4"
        ],
        "emea-hun-isdfi-2011": [
          "14",
          "15",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "9"
        ],
        "emea-ken-pda-2019": [
          "40(1)(b)"
        ],
        "emea-nga-dpr-2019": [
          "2.8",
          "2.8(a)",
          "2.8(b)",
          "3.1(2)",
          "3.1(4)",
          "3.1(5)",
          "3.1(11)(a)",
          "3.1(11)(b)",
          "3.1(11)(c)",
          "3.1(11)(d)",
          "3.1(13)"
        ],
        "emea-qat-pdppl-2020": [
          "5.3",
          "5.4",
          "6.3"
        ],
        "emea-srb-act-9-2018": [
          "21",
          "21.1",
          "21.2",
          "22",
          "22.1",
          "22.2",
          "23",
          "23.x",
          "24",
          "24.x",
          "25",
          "25.x",
          "26",
          "26.1",
          "26.2",
          "26.3",
          "26.4",
          "26.5",
          "26.6",
          "26.7",
          "26.8",
          "27.1",
          "27.2",
          "27.3",
          "27.4",
          "27.5",
          "27.6",
          "27.7"
        ],
        "emea-esp-decree-1720-2007": [
          "26"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 13"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 12",
          "APP 13"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 43"
        ],
        "apac-chn-pipl-2021": [
          "45",
          "46",
          "50"
        ],
        "apac-jpn-ppi-2020": [
          "27(3)",
          "28(2)",
          "28(2)(i)",
          "28(2)(ii)",
          "28(2)(iii)",
          "28(3)",
          "28(4)",
          "28(5)",
          "31",
          "32(1)",
          "32(2)",
          "32(3)",
          "32(4)"
        ],
        "apac-kor-pipa-2011": [
          "37"
        ],
        "americas-arg-ppd-2018": [
          "16.2",
          "16.6"
        ],
        "americas-bhs-dpa-2003": [
          "11"
        ],
        "americas-bra-lgpd-2018": [
          "18",
          "19",
          "21"
        ],
        "americas-col-law-1581-2012": [
          "12",
          "15"
        ],
        "americas-mex-fdpa-2010": [
          "30"
        ]
      }
    },
    {
      "control_id": "PRI-06.5",
      "title": "Right to Erasure",
      "family": "PRI",
      "description": "Mechanisms exist to maintain a process to erase a data subject's Personal Data (PD), in accordance with applicable laws, regulations and contractual obligations pertaining to the retention of their PD.",
      "scf_question": "Does the organization maintain a process to erase a data subject's Personal Data (PD), in accordance with applicable laws, regulations and contractual obligations pertaining to the retention of their PD?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a process to erase a data subject's Personal Data (PD), in accordance with applicable laws, regulations and contractual obligations pertaining to the retention of their PD.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P4.3-POF1"
        ],
        "general-scf-dpmp-2025": [
          "6.6"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7022(b)(1)",
          "7022(f)(2)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)(d)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.574(1)(c)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 3(1)(c)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(C)",
          "47-18-3203(a)(2)(C)(i)(a)",
          "47-18-3203(a)(2)(C)(i)(b)",
          "47-18-3203(a)(2)(C)(ii)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.051(b)(3)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A.3"
        ],
        "emea-eu-gdpr-2016": [
          "Article 17.1(a)",
          "Article 17.1(b)",
          "Article 17.1(c)",
          "Article 17.1(d)",
          "Article 17.1(e)",
          "Article 17.1(f)",
          "Article 17.2",
          "Article 17.3",
          "Article 17.3(a)",
          "Article 17.3(b)",
          "Article 17.3(c)",
          "Article 17.3(d)",
          "Article 17.3(e)"
        ],
        "emea-ken-pda-2019": [
          "26(e)",
          "40(1)(b)",
          "40(2)(b)",
          "40(3)"
        ],
        "emea-nga-dpr-2019": [
          "3.1(13)"
        ],
        "emea-qat-pdppl-2020": [
          "5.3"
        ],
        "emea-srb-act-9-2018": [
          "30",
          "30.x",
          "32",
          "32.1",
          "32.2"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 43"
        ],
        "apac-chn-pipl-2021": [
          "47",
          "47(1)",
          "47(2)",
          "47(3)",
          "47(4)",
          "47(5)",
          "49"
        ],
        "apac-ind-dpdpa-2023": [
          "8(7)(a)",
          "12(1)",
          "12(3)"
        ],
        "apac-jpn-ppi-2020": [
          "30(1)",
          "30(2)",
          "30(3)",
          "30(4)",
          "30(5)",
          "30(6)",
          "30(7)",
          "33(1)",
          "33(2)",
          "34",
          "34(1)",
          "34(2)",
          "34(3)",
          "35(1)",
          "35(2)"
        ],
        "americas-arg-ppd-2018": [
          "16.5",
          "16.7"
        ],
        "americas-bra-lgpd-2018": [
          "18.4",
          "18.6"
        ]
      }
    },
    {
      "control_id": "PRI-06.6",
      "title": "Data Portability",
      "family": "PRI",
      "description": "Mechanisms exist to format exports of Personal Data (PD) in a structured, machine-readable format that allows data subjects to transfer their PD to another controller without hindrance.",
      "scf_question": "Does the organization format exports of Personal Data (PD) in a structured, machine-readable format that allows data subjects to transfer their PD to another controller without hindrance?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to format exports of Personal Data (PD) in a structured, machine-readable format that allows data subjects to transfer their PD to another controller without hindrance.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P6.7-POF2"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P4",
          "CT.DM-P6"
        ],
        "general-scf-dpmp-2025": [
          "5.7"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.524(c)(2)(i)",
          "164.524(c)(2)(ii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7024(g)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)(e)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.574(2)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 3(2)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(D)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A.4"
        ],
        "emea-eu-gdpr-2016": [
          "Article 20.1"
        ],
        "emea-ken-pda-2019": [
          "38(1)",
          "38(2)",
          "38(3)",
          "38(4)",
          "38(5)(a)",
          "38(5)(b)",
          "38(6)",
          "38(7)"
        ],
        "emea-nga-dpr-2019": [
          "3.1(6)",
          "3.1(14)",
          "3.1(14)(a)",
          "3.1(14)(b)",
          "3.1(14)(c)",
          "3.1(15)"
        ],
        "emea-qat-pdppl-2020": [
          "6.3"
        ],
        "emea-sau-ecc-1-2018": [
          "4-2-3-1"
        ],
        "emea-srb-act-9-2018": [
          "21",
          "22",
          "36",
          "36.1",
          "36.2"
        ],
        "americas-arg-ppd-2018": [
          "15.1",
          "15.2",
          "15.3"
        ],
        "americas-bra-lgpd-2018": [
          "18.5",
          "40"
        ]
      }
    },
    {
      "control_id": "PRI-06.7",
      "title": "Personal Data (PD) Exports",
      "family": "PRI",
      "description": "Mechanisms exist to export a data subject's available Personal Data (PD) in a readily usable format, upon an authenticated request.",
      "scf_question": "Does the organization process an export of a data subject's available Personal Data (PD) in a readily usable format, upon an authenticated request?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to export a data subject's available Personal Data (PD) in a readily usable format, upon an authenticated request.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "A5.1-POF3",
          "D6.7"
        ],
        "general-aicpa-tsc-2017": [
          "P6.7-POF2"
        ],
        "general-apec-privacy-framework-2015": [
          "8(a)",
          "8(b)",
          "8(b)(i)",
          "8(b)(ii)",
          "8(b)(iii)",
          "8(b)(iv)"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DM-P6"
        ],
        "general-oecd-privacy-principles-2010": [
          "7(b)",
          "7(b)(iv)"
        ],
        "general-scf-dpmp-2025": [
          "5.7"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7024(g)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)(e)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.574(1)(a)(C)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 3(1)(a)(C)",
          "Section 3(2)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(a)(2)(D)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.051(b)(4)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A.4"
        ],
        "emea-eu-gdpr-2016": [
          "Article 20.1",
          "Article 20.1(b)"
        ],
        "emea-ken-pda-2019": [
          "38(1)",
          "38(2)",
          "38(3)",
          "38(4)",
          "38(5)(a)",
          "38(5)(b)",
          "38(6)",
          "38(7)"
        ],
        "emea-nga-dpr-2019": [
          "3.1(6)",
          "3.1(14)",
          "3.1(14)(a)",
          "3.1(14)(b)",
          "3.1(14)(c)"
        ],
        "emea-qat-pdppl-2020": [
          "6.3"
        ],
        "emea-srb-act-9-2018": [
          "21",
          "22"
        ],
        "apac-chn-pipl-2021": [
          "45"
        ],
        "apac-ind-dpdpa-2023": [
          "11(1)(a)"
        ]
      }
    },
    {
      "control_id": "PRI-06.8",
      "title": "Data Subject Authentication",
      "family": "PRI",
      "description": "Mechanisms exist to utilize reasonable consumer expectations to verify a data subject's identity, prior to taking action to disclose, share, correct, amend and/or delete Personal Data (PD).",
      "scf_question": "Does the organization utilize reasonable consumer expectations to verify a data subject's identity, prior to taking action to disclose, share, correct, amend and/or delete Personal Data (PD)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize reasonable consumer expectations to verify a data subject's identity, prior to taking action to disclose, share, correct, amend and/or delete Personal Data (PD).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Verify identity before providing personal data to data subject",
        "small": "∙ Identity verification procedure for data subject requests",
        "medium": "∙ Formal data subject authentication policy\n∙ Identity proofing for DSAR fulfillment",
        "large": "∙ Enterprise DSAR platform with data subject identity verification",
        "enterprise": "∙ Enterprise privacy management platform (e.g., OneTrust)\n∙ Automated identity verification for DSARs\n∙ Multi-factor data subject authentication"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "A5.1-POF1"
        ],
        "general-scf-dpmp-2025": [
          "6.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7060(a)",
          "7060(b)",
          "7060(c)",
          "7060(c)(1)",
          "7060(c)(2)",
          "7060(c)(3)",
          "7060(c)(3)(A)",
          "7060(c)(3)(B)",
          "7060(c)(3)(C)",
          "7060(c)(3)(D)",
          "7060(c)(3)(E)",
          "7060(c)(3)(F)",
          "7060(d)",
          "7060(e)",
          "7060(f)",
          "7060(g)",
          "7060(h)",
          "7061(a)",
          "7061(b)",
          "7062(a)",
          "7062(b)",
          "7062(c)",
          "7062(d)",
          "7062(f)",
          "7062(g)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)",
          "6-1-1306(2)(d)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.576(2)"
        ]
      }
    },
    {
      "control_id": "PRI-07",
      "title": "Information Sharing With Third Parties",
      "family": "PRI",
      "description": "Mechanisms exist to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.",
      "scf_question": "Does the organization disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-05",
        "E-TPM-01"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.1-POF3",
          "D6.1-POF4",
          "D6.4-POF1",
          "S7.3"
        ],
        "general-aicpa-tsc-2017": [
          "P6.1",
          "P6.1-POF1"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-13"
        ],
        "general-govramp": [
          "AC-21"
        ],
        "general-govramp-mod": [
          "AC-21"
        ],
        "general-govramp-high": [
          "AC-21"
        ],
        "general-iso-27002-2022": [
          "5.33"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.33"
        ],
        "general-iso-29100-2024": [
          "6.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P2"
        ],
        "general-nist-800-53-r4": [
          "UL-2"
        ],
        "general-nist-800-53-r5-2": [
          "AC-21"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-21"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-21"
        ],
        "general-nist-800-82-r3": [
          "AC-21"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-21"
        ],
        "general-nist-800-82-r3-high": [
          "AC-21"
        ],
        "general-nist-800-161-r1": [
          "AC-21"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-21"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-21"
        ],
        "general-scf-dpmp-2025": [
          "10.2"
        ],
        "general-tisax-6-0-3": [
          "9.5.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-21"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-21"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-21"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-21"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-21"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(e)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.506(c)(1)",
          "164.506(c)(2)",
          "164.506(c)(3)",
          "164.506(c)(4)",
          "164.508(a)(1)",
          "164.508(a)(4)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-21"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-21",
          "UL-2",
          "UL-2.a",
          "UL-2.b",
          "UL-2.c",
          "UL-2.d"
        ],
        "usa-state-or-cpa-2023": [
          "Section 6(1)(a)",
          "Section 6(1)(c)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 10"
        ],
        "emea-isr-cmo-1-0": [
          "10.5"
        ],
        "emea-ken-pda-2019": [
          "25(h)",
          "42(2)(a)",
          "42(2)(b)",
          "42(3)"
        ],
        "emea-nga-dpr-2019": [
          "2.4(b)"
        ],
        "emea-sau-pdpl-2023": [
          "Article 8"
        ],
        "emea-srb-act-9-2018": [
          "5"
        ],
        "emea-zaf-popia-2013": [
          "18",
          "28",
          "30",
          "31"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 7",
          "APP 8"
        ],
        "apac-chn-pipl-2021": [
          "20",
          "21",
          "22",
          "27",
          "38(3)",
          "41",
          "42",
          "49"
        ],
        "apac-ind-dpdpa-2023": [
          "8(2)"
        ],
        "apac-jpn-ppi-2020": [
          "23(1)(i)",
          "23(1)(ii)",
          "23(1)(iii)",
          "23(1)(iv)",
          "23(2)",
          "23(2)(i)",
          "23(2)(ii)",
          "23(2)(iii)",
          "23(2)(iv)",
          "23(2)(v)",
          "23(2)(vi)",
          "23(2)(vii)",
          "23(2)(viii)",
          "23(3)",
          "23(4)",
          "23(5)(i)",
          "23(5)(ii)",
          "23(5)(iii)",
          "23(6)",
          "23(1)",
          "26(1)",
          "26(1)(i)",
          "26(1)(ii)",
          "26(2)",
          "26(3)",
          "26(4)",
          "26-2(1)",
          "26-2(1)(i)",
          "26-2(1)(ii)",
          "26-2(2)",
          "26-2(3)"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-ism-3-9": [
          "20.1.6.C.01",
          "20.1.6.C.02",
          "20.1.7.C.01",
          "20.1.7.C.02",
          "20.1.8.C.01",
          "20.1.9.C.01",
          "20.1.10.C.01",
          "20.1.10.C.02",
          "20.1.11.C.01",
          "20.1.12.C.01",
          "20.1.13.C.01",
          "20.2.3.C.01",
          "20.2.4.C.01",
          "20.2.5.C.01",
          "20.2.6.C.01",
          "20.2.6.C.02",
          "20.2.6.C.03",
          "20.2.7.C.01",
          "20.2.8.C.01",
          "20.2.9.C.01",
          "20.2.9.C.02",
          "20.2.9.C.03",
          "20.2.9.C.04",
          "20.2.10.C.01",
          "20.2.10.C.02",
          "20.2.11.C.01",
          "20.2.11.C.02",
          "20.2.11.C.03"
        ],
        "apac-sgp-pdpa-2012": [
          "26"
        ],
        "apac-kor-pipa-2011": [
          "17",
          "26",
          "27"
        ],
        "americas-arg-ppd-2018": [
          "11.1",
          "11.2",
          "11.3",
          "11.4",
          "12.1",
          "16.4"
        ],
        "americas-can-pipeda-2000": [
          "Sec 20",
          "Sec 23"
        ],
        "americas-col-law-1581-2012": [
          "26"
        ]
      }
    },
    {
      "control_id": "PRI-07.1",
      "title": "Data Privacy Requirements for Contractors & Service Providers",
      "family": "PRI",
      "description": "Mechanisms exist to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.",
      "scf_question": "Does the organization include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-05",
        "E-TPM-01"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.4"
        ],
        "general-aicpa-tsc-2017": [
          "P6.1-POF1",
          "P6.4",
          "P6.4-POF3"
        ],
        "general-cis-csc-8-1": [
          "15.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "15.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.4"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-13",
          "IPY-04"
        ],
        "general-csa-iot-2": [
          "CLS-04"
        ],
        "general-iso-27002-2022": [
          "5.31",
          "5.33"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.1(a)",
          "5.31",
          "5.33"
        ],
        "general-iso-29100-2024": [
          "6.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P3"
        ],
        "general-nist-800-53-r4": [
          "AR-3"
        ],
        "general-nist-800-218": [
          "PO.1"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-05"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A05:2025",
          "A07:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-scf-dpmp-2025": [
          "10.3"
        ],
        "general-tisax-6-0-3": [
          "9.5.2"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.504(e)(2)(i)",
          "164.504(e)(2)(ii)(A)",
          "164.504(e)(2)(ii)(B)",
          "164.504(e)(2)(ii)(C)",
          "164.504(e)(4)(i)",
          "164.504(e)(4)(i)(A)",
          "164.504(e)(4)(i)(B)",
          "164.504(e)(4)(i)(B)(ii)",
          "164.504(e)(4)(i)(B)(ii)(A)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AR-3",
          "AR-3.a",
          "AR-3.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7012(g)(2)",
          "7022(c)",
          "7022(c)(1)",
          "7022(c)(2)",
          "7022(c)(3)",
          "7022(c)(4)",
          "7022(d)",
          "7023(c)",
          "7024(i)",
          "7050(a)",
          "7050(a)(1)",
          "7050(a)(2)",
          "7050(a)(3)",
          "7050(a)(4)",
          "7050(b)",
          "7050(c)",
          "7050(d)",
          "7050(e)",
          "7050(f)",
          "7050(g)",
          "7050(h)",
          "7050(h)(1)",
          "7050(h)(2)",
          "7051(a)",
          "7051(a)(1)",
          "7051(a)(2)",
          "7051(a)(3)",
          "7051(a)(4)",
          "7051(a)(5)",
          "7051(a)(6)",
          "7051(a)(7)",
          "7051(a)(8)",
          "7051(a)(9)",
          "7053(a)(1)",
          "7053(a)(2)",
          "7053(a)(3)",
          "7053(a)(4)"
        ],
        "usa-state-il-pipa-2006": [
          "45(b)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.581(2)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 6(1)",
          "Section 6(1)(a)",
          "Section 6(2)",
          "Section 7(1)(a)(C)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3205(a)",
          "47-18-3205(a)(1)",
          "47-18-3205(a)(2)",
          "47-18-3205(b)",
          "47-18-3205(b)(1)",
          "47-18-3205(b)(2)",
          "47-18-3205(b)(3)",
          "47-18-3205(b)(4)",
          "47-18-3205(b)(5)",
          "47-18-3205(c)",
          "47-18-3205(d)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.104(a)(1)",
          "541.104(a)(2)",
          "541.104(a)(3)",
          "541.104(b)(1)",
          "541.104(b)(2)",
          "541.104(b)(3)",
          "541.104(b)(4)",
          "541.104(b)(5)",
          "541.104(b)(6)(A)",
          "541.104(b)(6)(B)",
          "541.104(b)(6)(C)",
          "541.104(b)(6)(D)",
          "541.104(b)(6)(E)",
          "541.104(c)",
          "541.106(a)(3)",
          "541.106(d)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.B",
          "59.1-579.A",
          "59.1-579.A.1",
          "59.1-579.A.2",
          "59.1-579.A.3",
          "59.1-579.B",
          "59.1-579.B.3",
          "59.1-579.B.4",
          "59.1-579.B.5",
          "59.1-581.A.3",
          "59.1-581.E"
        ],
        "emea-eu-gdpr-2016": [
          "Article 28.1",
          "Article 28.2",
          "Article 28.3",
          "Article 28.3(a)",
          "Article 28.3(b)",
          "Article 28.3(c)",
          "Article 28.3(d)",
          "Article 28.3(e)",
          "Article 28.3(f)",
          "Article 28.3(g)",
          "Article 28.3(h)",
          "Article 28.4",
          "Article 28.5",
          "Article 28.6",
          "Article 28.7",
          "Article 28.8",
          "Article 28.9",
          "Article 28.10",
          "Article 29",
          "Article 46.3(a)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 10"
        ],
        "emea-deu-c5-2020": [
          "HR-06",
          "PI-02"
        ],
        "emea-isr-cmo-1-0": [
          "11.1"
        ],
        "emea-ken-pda-2019": [
          "25(h)",
          "40(2)",
          "40(2)(a)",
          "40(2)(b)",
          "40(3)",
          "42(2)(a)",
          "42(2)(b)",
          "42(3)"
        ],
        "emea-nga-dpr-2019": [
          "2.4(b)",
          "2.7"
        ],
        "emea-qat-pdppl-2020": [
          "12"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-25"
        ],
        "emea-srb-act-9-2018": [
          "5",
          "11",
          "30",
          "30.x",
          "32",
          "32.1",
          "32.2",
          "33",
          "45",
          "45.x",
          "46"
        ],
        "emea-zaf-popia-2013": [
          "11",
          "20",
          "21"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 7"
        ],
        "apac-chn-pipl-2021": [
          "20",
          "21",
          "27",
          "38(3)",
          "42"
        ],
        "apac-ind-dpdpa-2023": [
          "8(2)",
          "8(7)(b)"
        ],
        "apac-jpn-ppi-2020": [
          "22",
          "23(1)(i)",
          "23(1)(ii)",
          "23(1)(iii)",
          "23(1)(iv)",
          "23(2)",
          "23(2)(i)",
          "23(2)(ii)",
          "23(2)(iii)",
          "23(2)(iv)",
          "23(2)(v)",
          "23(2)(vi)",
          "23(2)(vii)",
          "23(2)(viii)",
          "23(3)",
          "23(4)",
          "23(5)(i)",
          "23(5)(ii)",
          "23(5)(iii)",
          "23(6)",
          "23(1)",
          "26(1)",
          "26(1)(i)",
          "26(1)(ii)",
          "26(2)",
          "26(3)",
          "26(4)",
          "26-2(1)",
          "26-2(1)(i)",
          "26-2(1)(ii)",
          "26-2(2)",
          "26-2(3)"
        ],
        "apac-nzl-privacy-act-2020": [
          "Principle 5",
          "P5-(a)",
          "P5-(a)(i)",
          "P5-(a)(ii)",
          "P5-(a)(iii)",
          "P5-(b)"
        ],
        "apac-kor-pipa-2011": [
          "26",
          "27"
        ],
        "americas-arg-ppd-2018": [
          "11.4"
        ],
        "americas-bra-lgpd-2018": [
          "35",
          "39"
        ],
        "americas-can-pipeda-2000": [
          "Sec 20",
          "Sec 23"
        ]
      }
    },
    {
      "control_id": "PRI-07.2",
      "title": "Joint Processing of Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to clearly define and communicate the organization's role in processing Personal Data (PD) in the data processing ecosystem.",
      "scf_question": "Does the organization clearly define and communicate its role in processing Personal Data (PD) in the data processing ecosystem?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-05",
        "E-TPM-01"
      ],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to clearly define and communicate the organization's role in processing Personal Data (PD) in the data processing ecosystem.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-13"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.BE-P1"
        ],
        "general-scf-dpmp-2025": [
          "11.1"
        ],
        "usa-state-or-cpa-2023": [
          "Section 6(1)(a)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3205(d)"
        ],
        "emea-ken-pda-2019": [
          "42(2)(a)",
          "42(2)(b)",
          "42(3)"
        ],
        "emea-srb-act-9-2018": [
          "5",
          "11",
          "30",
          "30.x",
          "32",
          "32.1",
          "32.2",
          "33",
          "43"
        ],
        "apac-chn-pipl-2021": [
          "20",
          "21",
          "27",
          "38(3)"
        ],
        "apac-jpn-ppi-2020": [
          "22",
          "23(1)(i)",
          "23(1)(ii)",
          "23(1)(iii)",
          "23(1)(iv)",
          "23(2)",
          "23(2)(i)",
          "23(2)(ii)",
          "23(2)(iii)",
          "23(2)(iv)",
          "23(2)(v)",
          "23(2)(vi)",
          "23(2)(vii)",
          "23(2)(viii)",
          "23(3)",
          "23(4)",
          "23(5)(i)",
          "23(5)(ii)",
          "23(5)(iii)",
          "23(6)",
          "23(1)",
          "26(1)",
          "26(1)(i)",
          "26(1)(ii)",
          "26(2)",
          "26(3)",
          "26(4)",
          "26-2(1)",
          "26-2(1)(i)",
          "26-2(1)(ii)",
          "26-2(2)",
          "26-2(3)"
        ]
      }
    },
    {
      "control_id": "PRI-07.3",
      "title": "Obligation To Inform Third-Parties",
      "family": "PRI",
      "description": "Mechanisms exist to inform applicable third-parties of any modification, deletion or other change that affects shared Personal Data (PD).",
      "scf_question": "Does the organization inform applicable third-parties of any modification, deletion or other change that affects shared Personal Data (PD)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to inform applicable third-parties of any modification, deletion or other change that affects shared Personal Data (PD).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-13"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.AW-P5"
        ],
        "general-scf-dpmp-2025": [
          "6.4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7022(b)(2)",
          "7022(b)(3)",
          "7022(f)(4)",
          "7023(c)",
          "7026(f)(2)",
          "7027(g)(2)",
          "7027(g)(3)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-579.B.2"
        ],
        "emea-ken-pda-2019": [
          "40(2)",
          "40(2)(a)",
          "40(2)(b)",
          "40(3)"
        ],
        "emea-nga-dpr-2019": [
          "3.1(10)"
        ],
        "emea-srb-act-9-2018": [
          "30",
          "30.x",
          "32",
          "32.1",
          "32.2",
          "33"
        ],
        "apac-chn-pipl-2021": [
          "46"
        ],
        "apac-jpn-ppi-2020": [
          "22",
          "23(1)(i)",
          "23(1)(ii)",
          "23(1)(iii)",
          "23(1)(iv)",
          "23(2)",
          "23(2)(i)",
          "23(2)(ii)",
          "23(2)(iii)",
          "23(2)(iv)",
          "23(2)(v)",
          "23(2)(vi)",
          "23(2)(vii)",
          "23(2)(viii)",
          "23(3)",
          "23(4)",
          "23(5)(i)",
          "23(5)(ii)",
          "23(5)(iii)",
          "23(6)",
          "23(1)"
        ]
      }
    },
    {
      "control_id": "PRI-07.4",
      "title": "Reject Unauthenticated or Untrustworthy Disclosure Requests",
      "family": "PRI",
      "description": "Mechanisms exist to reject unauthenticated, or untrustworthy, disclosure requests.",
      "scf_question": "Does the organization reject unauthenticated, or untrustworthy, disclosure requests?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to reject unauthenticated, or untrustworthy, disclosure requests.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P5.1-POF4",
          "P5.2-POF1",
          "P5.2-POF3"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-18"
        ],
        "general-scf-dpmp-2025": [
          "6.0",
          "6.1"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.524(d)(2)(i)",
          "164.524(d)(2)(ii)",
          "164.524(d)(2)(iii)",
          "164.524(d)(3)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7022(a)",
          "7023(b)",
          "7024(a)",
          "7024(b)",
          "7026(e)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 4(5)(e)(B)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3203(b)(4)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.052(e)"
        ],
        "emea-srb-act-9-2018": [
          "21.2",
          "22.2"
        ],
        "apac-chn-pipl-2021": [
          "45",
          "46",
          "49"
        ]
      }
    },
    {
      "control_id": "PRI-07.5",
      "title": "Justification To Reject Disclosure Requests",
      "family": "PRI",
        "description": "Mechanisms exist to reject data subject access requests that are categorized as:\n(1) Harassing;\n(2) Repetitive; or\n(3) Fraudulent.",
        "scf_question": "Does the organization reject data subject access requests that are categorized as:\n(1) Harassing;\n(2) Repetitive; or\n(3) Fraudulent?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to reject data subject access requests that are categorized as:\n(1) Harassing;\n(2) Repetitive; or\n(3) Fraudulent.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-18"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "III.8.g.i",
          "III.8.h.i"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(g)",
          "7023(h)",
          "7027(f)",
          "7027(j)"
        ],
        "emea-srb-act-9-2018": [
          "21.2",
          "22.2"
        ],
        "apac-chn-pipl-2021": [
          "45",
          "46",
          "49"
        ]
      }
    },
    {
      "control_id": "PRI-08",
      "title": "Personal Data (PD) Control Testing, Training & Monitoring",
      "family": "PRI",
      "description": "Mechanisms exist to conduct testing, training and monitoring activities for Personal Data (PD) controls.",
      "scf_question": "Does the organization conduct testing, training and monitoring activities for Personal Data (PD) controls?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct testing, training and monitoring activities for Personal Data (PD) controls.",
        "4": "In addition to Privacy (PRI) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P8.0",
          "P8.1-POF6"
        ],
        "general-iso-27002-2022": [
          "5.36",
          "8.8"
        ],
        "general-iso-27017-2015": [
          "18.2.2"
        ],
        "general-iso-27018-2025": [
          "5.36",
          "8.8"
        ],
        "general-nist-800-53-r4": [
          "AR-4"
        ],
        "general-nist-800-53-r5-2": [
          "PM-14"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-14"
        ],
        "general-nist-800-82-r3": [
          "PM-14"
        ],
        "general-nist-800-82-r3-low": [
          "PM-14"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-14"
        ],
        "general-nist-800-82-r3-high": [
          "PM-14"
        ],
        "general-nist-800-161-r1": [
          "PM-14"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-14"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-14"
        ],
        "general-pci-dss-4-0-1": [
          "A3.1.4"
        ],
        "general-scf-dpmp-2025": [
          "10.4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-14"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-14"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-14"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-14"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-14"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-14",
          "PM-14.a",
          "PM-14.a.1",
          "PM-14.a.2",
          "PM-14.b",
          "AR-4",
          "AR-4.a",
          "AR-4.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-14"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ]
      }
    },
    {
      "control_id": "PRI-09",
      "title": "Personal Data (PD) Lineage",
      "family": "PRI",
        "description": "Mechanisms exist to maintain a process to document the lineage of Personal Data (PD) by recording how the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes of PD.",
        "scf_question": "Does the organization document the lineage of Personal Data (PD) by recording how the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes of PD?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a process to document the lineage of Personal Data (PD) by recording how the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes of PD.",
        "4": "In addition to Privacy (PRI) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-privacy-framework-1-0": [
          "CM.AW-P4",
          "CM.AW-P6"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04(12)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3-low": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-04(12)"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04(12)"
        ],
        "general-scf-dpmp-2025": [
          "5.1",
          "5.13"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04(12)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-04(12)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-4(CE-12)"
        ],
        "emea-zaf-popia-2013": [
          "17"
        ]
      }
    },
    {
      "control_id": "PRI-10",
      "title": "Data Quality Management",
      "family": "PRI",
      "description": "Mechanisms exist to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.",
      "scf_question": "Does the organization manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P7.0",
          "P7.1",
          "P7.1-POF1",
          "P7.1-POF2"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P4"
        ],
        "general-nist-800-53-r5-2": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-low": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-high": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-161-r1": [
          "PM-22",
          "PM-23"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-22",
          "PM-23"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-22"
        ],
        "general-oecd-privacy-principles-2010": [
          "2"
        ],
        "general-scf-dpmp-2025": [
          "5.11"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-22",
          "PM-23",
          "PM-24"
        ],
        "usa-federal-omb-fipps-1973": [
          "5"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.512(i)(1)(i)(B)",
          "164.512(i)(1)(i)(B)(1)",
          "164.512(i)(1)(i)(B)(2)",
          "164.512(i)(1)(i)(B)(3)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(c)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-22"
        ],
        "emea-srb-act-9-2018": [
          "5.4",
          "11"
        ],
        "emea-zaf-popia-2013": [
          "4"
        ],
        "apac-chn-pipl-2021": [
          "8"
        ],
        "americas-bra-lgpd-2018": [
          "6.5"
        ]
      }
    },
    {
      "control_id": "PRI-10.1",
      "title": "Data Quality Automation",
      "family": "PRI",
      "description": "Automated mechanisms exist to support the evaluation of data quality across the information lifecycle.",
      "scf_question": "Does the organization use automated mechanisms to support the evaluation of data quality across the information lifecycle?",
      "relative_weight": 1,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically support the evaluation of data quality across the information lifecycle.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PT-03(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-03(02)"
        ],
        "general-nist-800-82-r3": [
          "PT-03(02)"
        ],
        "general-scf-dpmp-2025": [
          "5.11"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PT-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PT-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PT-03(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PT-03(02)"
        ]
      }
    },
    {
      "control_id": "PRI-10.2",
      "title": "Data Analytics Bias",
      "family": "PRI",
      "description": "Mechanisms exist to evaluate its analytical processes for potential bias.",
      "scf_question": "Does the organization evaluate its analytical processes for potential bias?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to evaluate its analytical processes for potential bias.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "5.16"
        ]
      }
    },
    {
      "control_id": "PRI-11",
      "title": "Data Tagging",
      "family": "PRI",
      "description": "Mechanisms exist to issue data modeling guidelines to support tagging of sensitive/regulated data.",
      "scf_question": "Does the organization issue data modeling guidelines to support tagging of sensitive/regulated data?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to issue data modeling guidelines to support tagging of sensitive/regulated data.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PT-03(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-03(01)"
        ],
        "general-nist-800-82-r3": [
          "PT-03(01)"
        ],
        "general-scf-dpmp-2025": [
          "5.0",
          "5.2"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.2",
          "4.3",
          "4.3.2",
          "4.3.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PT-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PT-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PT-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PT-03(01)"
        ]
      }
    },
    {
      "control_id": "PRI-12",
      "title": "Updating Personal Data (PD) Process",
      "family": "PRI",
      "description": "Mechanisms exist to identify and record:\n(1) The process(es) used to update Personal Data (PD); and\n(2) The frequency that such updates occur.",
      "scf_question": "Does the organization identify and record:\n(1) The process(es) used to update Personal Data (PD); and\n(2) The frequency that such updates occur?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Privacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and record:\n(1) The process(es) used to update Personal Data (PD); and\n(2) The frequency that such updates occur.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P5.2",
          "P5.2-POF2"
        ],
        "general-scf-dpmp-2025": [
          "6.2"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.526(a)(1)",
          "164.526(b)(1)",
          "164.526(e)",
          "164.526(f)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(b)",
          "7023(b)(1)",
          "7023(b)(1)(A)",
          "7023(b)(1)(B)",
          "7023(b)(1)(C)",
          "7023(b)(2)"
        ],
        "emea-sau-pdpl-2023": [
          "Article 17.1"
        ],
        "emea-zaf-popia-2013": [
          "16"
        ]
      }
    },
    {
      "control_id": "PRI-12.1",
      "title": "Enabling Data Subjects To Update Personal Data (PD)",
      "family": "PRI",
      "description": "Mechanisms exist to enable data subjects to update their Personal Data (PD).",
      "scf_question": "Does the organization enable data subjects to update their Personal Data (PD)?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enable data subjects to update their Personal Data (PD).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Provide users with the ability to correct their personal data",
        "small": "∙ Data subject update process for personal data correction",
        "medium": "∙ Formal data subject update right implementation\n∙ Self-service correction capability",
        "large": "∙ Enterprise self-service privacy portal for data updates\n∙ DSAR management for corrections",
        "enterprise": "∙ Enterprise privacy self-service portal (e.g., OneTrust)\n∙ Automated correction workflows\n∙ Backend system integration for data updates"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7023(a)",
          "7023(b)"
        ],
        "apac-ind-dpdpa-2023": [
          "12(2)(c)"
        ]
      }
    },
    {
      "control_id": "PRI-13",
      "title": "Data Management Board",
      "family": "PRI",
      "description": "Mechanisms exist to establish a written charter for a Data Management Board (DMB) and assign organization-defined roles to the DMB.",
      "scf_question": "Does the organization establish a written charter for a Data Management Board (DMB) and assign organization-defined roles to the DMB?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish a written charter for a Data Management Board (DMB) and assign organization-defined roles to the DMB.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-low": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-high": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-161-r1": [
          "PM-23"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-23"
        ],
        "general-scf-dpmp-2025": [
          "11.4"
        ],
        "general-shared-assessments-sig-2025": [
          "P.8"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-23",
          "PM-24"
        ]
      }
    },
    {
      "control_id": "PRI-14",
      "title": "Documenting Data Processing Activities",
      "family": "PRI",
      "description": "Mechanisms exist to document Personal Data (PD) processing activities that cover collection, receiving, processing, storage, transmission, sharing, updating and/or disposal actions with sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual requirements.",
      "scf_question": "Does the organization document Personal Data (PD) processing activities that cover collection, receiving, processing, storage, transmission, sharing, updating and/or disposal actions with sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual requirements?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document Personal Data (PD) processing activities that cover collection, receiving, processing, storage, transmission, sharing, updating and/or disposal actions with sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual requirements.",
        "4": "Privacy (PRI) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.2",
          "D6.2-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.3",
          "P8.1-POF4",
          "P8.1-POF5"
        ],
        "general-coso-2013": [
          "15"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.AW-P4",
          "CM.AW-P6"
        ],
        "general-nist-800-53-r4": [
          "AR-6"
        ],
        "general-nist-800-53-r5-2": [
          "PM-27"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-27"
        ],
        "general-nist-800-82-r3": [
          "PM-27"
        ],
        "general-nist-800-82-r3-low": [
          "PM-27"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-27"
        ],
        "general-nist-800-82-r3-high": [
          "PM-27"
        ],
        "general-nist-800-161-r1": [
          "PM-27"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-27"
        ],
        "general-nist-800-161-r1-level-3": [
          "PM-27"
        ],
        "general-scf-dpmp-2025": [
          "5.8",
          "11.5"
        ],
        "general-shared-assessments-sig-2025": [
          "L.1"
        ],
        "usa-federal-cms-marse-2-0": [
          "AR-6",
          "DM-2(1)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.052(f)(1)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 10.5(f)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 30.1",
          "Article 30.1(a)",
          "Article 30.1(b)",
          "Article 30.1(c)",
          "Article 30.1(d)",
          "Article 30.1(e)",
          "Article 30.1(f)",
          "Article 30.1(g)",
          "Article 30.2",
          "Article 30.2(a)",
          "Article 30.2(b)",
          "Article 30.2(c)",
          "Article 30.2(d)",
          "Article 30.3"
        ],
        "emea-qat-pdppl-2020": [
          "6.2"
        ],
        "emea-sau-pdpl-2023": [
          "Article 31",
          "Article 31.1",
          "Article 31.2",
          "Article 31.3",
          "Article 31.4",
          "Article 31.5",
          "Article 31.6"
        ],
        "emea-srb-act-9-2018": [
          "47",
          "47.x",
          "48",
          "52",
          "52.1",
          "52.2",
          "52.3",
          "52.4"
        ],
        "americas-bra-lgpd-2018": [
          "38"
        ]
      }
    },
    {
      "control_id": "PRI-14.1",
      "title": "Accounting of Disclosures",
      "family": "PRI",
      "description": "Mechanisms exist to provide data subjects with an accounting of disclosures of their Personal Data (PD) controlled by:\n(1) The organization; and/or\n(2) Relevant third-parties that their PD was shared with.",
      "scf_question": "Does the organization provide data subjects with an accounting of disclosures of their Personal Data (PD) controlled by:\n(1) The organization; and/or\n(2) Relevant third-parties that their PD was shared with?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide data subjects with an accounting of disclosures of their Personal Data (PD) controlled by:\n(1) The organization; and/or\n(2) Relevant third-parties that their PD was shared with.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.2",
          "D6.2-POF1",
          "D6.3",
          "D6.3-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "P6.2",
          "P6.2-POF1",
          "P6.3",
          "P6.3-POF1"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-18"
        ],
        "general-nist-privacy-framework-1-0": [
          "CM.AW-P4"
        ],
        "general-nist-800-53-r4": [
          "AR-8"
        ],
        "general-nist-800-53-r5-2": [
          "PM-21"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-21"
        ],
        "general-nist-800-82-r3": [
          "PM-21"
        ],
        "general-nist-800-82-r3-low": [
          "PM-21"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-21"
        ],
        "general-nist-800-82-r3-high": [
          "PM-21"
        ],
        "general-nist-800-161-r1": [
          "PM-21"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-21"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-21"
        ],
        "general-scf-dpmp-2025": [
          "5.8"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.528(a)(1)",
          "164.528(a)(1)(i)",
          "164.528(a)(1)(ii)",
          "164.528(a)(1)(iii)",
          "164.528(a)(1)(iv)",
          "164.528(a)(1)(v)",
          "164.528(a)(1)(vi)",
          "164.528(a)(1)(vii)",
          "164.528(a)(1)(viii)",
          "164.528(a)(1)(ix)",
          "164.528(b)",
          "164.528(b)(1)",
          "164.528(b)(2)",
          "164.528(b)(2)(i)",
          "164.528(b)(2)(ii)",
          "164.528(b)(2)(iii)",
          "164.528(b)(2)(iv)",
          "164.528(b)(3)",
          "164.528(b)(3)(i)",
          "164.528(b)(3)(ii)",
          "164.528(b)(3)(iii)",
          "164.528(b)(4)(i)",
          "164.528(b)(4)(i)(A)",
          "164.528(b)(4)(i)(B)",
          "164.528(b)(4)(i)(C)",
          "164.528(b)(4)(i)(D)",
          "164.528(b)(4)(i)(E)",
          "164.528(b)(4)(i)(F)",
          "164.528(b)(4)(ii)",
          "164.528(c)(1)",
          "164.528(c)(1)(i)",
          "164.528(c)(1)(ii)",
          "164.528(c)(1)(ii)(A)",
          "164.528(c)(1)(ii)(B)",
          "164.528(c)(2)",
          "164.528(d)",
          "164.528(d)(1)",
          "164.528(d)(2)",
          "164.528(d)(3)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-21"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-2-IS.4",
          "AR-8",
          "AR-8.a",
          "AR-8.a.1",
          "AR-8.a.2",
          "AR-8.b",
          "AR-8.c"
        ],
        "usa-state-or-cpa-2023": [
          "Section 3(1)(a)(B)(i)",
          "Section 3(1)(a)(B)(ii)"
        ],
        "emea-qat-pdppl-2020": [
          "6.2"
        ],
        "emea-srb-act-9-2018": [
          "33"
        ],
        "emea-zaf-popia-2013": [
          "17"
        ],
        "apac-ind-dpdpa-2023": [
          "11(1)(b)"
        ],
        "apac-jpn-ppi-2020": [
          "25(1)",
          "25(2)"
        ],
        "apac-phl-dpa-2012": [
          "20"
        ],
        "americas-bra-lgpd-2018": [
          "18.7",
          "37"
        ]
      }
    },
    {
      "control_id": "PRI-14.2",
      "title": "Notification of Disclosure Request To Data Subject",
      "family": "PRI",
      "description": "Mechanisms exist to notify data subjects of applicable legal requests to disclose Personal Data (PD).",
      "scf_question": "Does the organization notify data subjects of applicable legal requests to disclose Personal Data (PD)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to notify data subjects of applicable legal requests to disclose Personal Data (PD).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-18"
        ],
        "general-scf-dpmp-2025": [
          "4.0",
          "4.1"
        ],
        "emea-qat-pdppl-2020": [
          "6.2"
        ],
        "emea-sau-pdpl-2023": [
          "Article 24.2"
        ],
        "emea-srb-act-9-2018": [
          "33",
          "35"
        ]
      }
    },
    {
      "control_id": "PRI-15",
      "title": "Register As A Data Controller and/or Data Processor",
      "family": "PRI",
      "description": "Mechanisms exist to register as a data controller and/or data processor, including registering databases containing Personal Data (PD) with the appropriate Data Authority, when necessary.",
      "scf_question": "Does the organization register as a data controller and/or data processor, including registering databases containing Personal Data (PD) with the appropriate Data Authority, when necessary?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to register as a data controller and/or data processor, including registering databases containing Personal Data (PD) with the appropriate Data Authority, when necessary.",
        "4": "Privacy (PRI) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "1.3"
        ],
        "general-tisax-6-0-3": [
          "9.3.1"
        ],
        "usa-state-vt-act-171-2018": [
          "2446(a)(1)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 16",
          "Sec 17"
        ],
        "emea-bel-act-8-1992": [
          "17"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4d",
          "Sec 4e"
        ],
        "emea-grc-pirppd-1997": [
          "6"
        ],
        "emea-hun-isdfi-2011": [
          "65",
          "66"
        ],
        "emea-irl-dpa-2003": [
          "17"
        ],
        "emea-isr-ppl-5741-1981": [
          "8",
          "9"
        ],
        "emea-ita-pdpc-2003": [
          "26",
          "37"
        ],
        "emea-ken-pda-2019": [
          "18(1)",
          "18(2)",
          "18(2)(a)",
          "18(2)(b)",
          "18(2)(c)",
          "18(2)(d)",
          "19(1)",
          "19(2)",
          "19(2)(a)",
          "19(2)(b)",
          "19(2)(c)",
          "19(2)(d)",
          "19(2)(e)",
          "19(2)(f)",
          "19(2)(g)",
          "19(3)",
          "19(4)",
          "19(5)",
          "19(6)",
          "19(7)",
          "20"
        ],
        "emea-nor-pda-2018": [
          "33"
        ],
        "emea-pol-act-29-1997": [
          "40"
        ],
        "emea-rus-federal-law-27-2006": [
          "23"
        ],
        "emea-esp-decree-1720-2007": [
          "60"
        ],
        "emea-che-fadp-2025": [
          "11"
        ],
        "emea-tur-lppd-2016": [
          "16"
        ],
        "apac-hkg-pdo-2022": [
          "Sec 15"
        ],
        "apac-mys-pdpa-2010": [
          "14",
          "15"
        ],
        "apac-phl-dpa-2012": [
          "46",
          "47",
          "48"
        ],
        "apac-sgp-pdpa-2012": [
          "39"
        ],
        "apac-kor-pipa-2011": [
          "32"
        ],
        "americas-arg-ppd-2018": [
          "21.1",
          "21.2",
          "21.3",
          "24"
        ],
        "americas-col-law-1581-2012": [
          "25"
        ]
      }
    },
    {
      "control_id": "PRI-16",
      "title": "Potential Human Rights Abuses",
      "family": "PRI",
      "description": "Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management\n∙ Board of Directors (BoD) Ethics Committee",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management\n∙ Board of Directors (BoD) Ethics Committee"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-4",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-shared-assessments-sig-2025": [
          "O.12"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 24"
        ],
        "apac-chn-data-security-law-2021": [
          "7",
          "8",
          "9",
          "11",
          "14",
          "15",
          "16",
          "18",
          "19",
          "20",
          "28",
          "31",
          "32",
          "33",
          "36",
          "37",
          "38",
          "48",
          "53"
        ],
        "apac-chn-pipl-2021": [
          "11",
          "12",
          "18",
          "26",
          "38(4)",
          "40",
          "47(5)"
        ]
      }
    },
    {
      "control_id": "PRI-17",
      "title": "Data Subject Communications",
      "family": "PRI",
      "description": "Mechanisms exist to craft disclosures and communications to data subjects in a manner that is concise, unambiguous and understandable by a reasonable person.",
      "scf_question": "Does the organization craft disclosures and communications to data subjects in a manner that is concise, unambiguous and understandable by a reasonable person?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.\n▪ Communications with data subjects are designed to be readily accessible and written in a manner that is concise, unambiguous and understandable by a reasonable person.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to craft disclosures and communications to data subjects in a manner that is concise, unambiguous and understandable by a reasonable person.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P6.7-POF3"
        ],
        "general-scf-dpmp-2025": [
          "1.8"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7003(a)",
          "7004(a)(3)",
          "7222(b)",
          "7222(b)(1)",
          "7222(b)(2)",
          "7222(b)(3)",
          "7222(b)(3)(A)",
          "7222(b)(4)",
          "7222(b)(4)(A)",
          "7222(c)",
          "7222(c)(1)",
          "7222(c)(2)",
          "7222(c)(2)(A)",
          "7222(c)(2)(B)",
          "7222(c)(2)(C)",
          "7222(d)",
          "7222(e)",
          "7222(f)",
          "7222(g)",
          "7222(h)",
          "7222(i)",
          "7222(j)",
          "7222(k)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.B.2"
        ]
      }
    },
    {
      "control_id": "PRI-17.1",
      "title": "Conspicuous Link To Data Privacy Notice",
      "family": "PRI",
      "description": "Mechanisms exist to include a conspicuous link to the organization's data privacy notice on all consumer-facing websites and mobile applications.",
      "scf_question": "Does the organization include a conspicuous link to its data privacy notice on all consumer-facing websites and mobile applications?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include a conspicuous link to the organization's data privacy notice on all consumer-facing websites and mobile applications.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "1.9"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7003(c)",
          "7003(d)"
        ]
      }
    },
    {
      "control_id": "PRI-17.2",
      "title": "Notice of Financial Incentive",
      "family": "PRI",
      "description": "Mechanisms exist to provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate.",
      "scf_question": "Does the organization provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "1.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7010(g)",
          "7080(e)"
        ]
      }
    },
    {
      "control_id": "PRI-17.3",
      "title": "Data Subject Communications Documentation",
      "family": "PRI",
      "description": "Mechanisms exist to maintain records of data subject requests and responses in accordance with an established documentation retention schedule that adheres to applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization maintain records of data subject requests and responses in accordance with an established documentation retention schedule that adheres to applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain records of data subject requests and responses in accordance with an established documentation retention schedule that adheres to applicable statutory, regulatory and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Keep records of communications with data subjects",
        "small": "∙ Data subject communication log and documentation",
        "medium": "∙ Formal data subject communications documentation policy",
        "large": "∙ Enterprise DSAR tracking and documentation platform",
        "enterprise": "∙ Enterprise privacy management platform (e.g., OneTrust)\n∙ Automated DSAR documentation and audit trail"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7101(a)",
          "7101(b)",
          "7101(c)",
          "7101(d)",
          "7101(e)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.B.5"
        ]
      }
    },
    {
      "control_id": "PRI-17.4",
      "title": "Data Subject Communications Metrics",
      "family": "PRI",
      "description": "Mechanisms exist to collect metrics associated with data subject requests and responses.",
      "scf_question": "Does the organization collect metrics associated with data subject requests and responses?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to collect metrics associated with data subject requests and responses.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Track response times for data subject requests",
        "small": "∙ Data subject communication metrics tracking",
        "medium": "∙ Formal DSAR metrics program\n∙ Track response times and volumes",
        "large": "∙ Enterprise DSAR metrics dashboard and reporting",
        "enterprise": "∙ Enterprise privacy analytics platform\n∙ Automated DSAR SLA tracking and reporting\n∙ Regulatory reporting capability"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7102(a)(1)",
          "7102(a)(1)(A)",
          "7102(a)(1)(B)",
          "7102(a)(1)(C)",
          "7102(a)(1)(D)",
          "7102(a)(1)(E)",
          "7102(a)(1)(F)",
          "7102(a)(1)(G)",
          "7102(a)(1)(H)"
        ]
      }
    },
    {
      "control_id": "PRI-17.5",
      "title": "Data Subject Communications Disclosure",
      "family": "PRI",
      "description": "Mechanisms exist to publicly disclose applicable data subject communications metrics, as required by statutory and/or regulatory obligations.",
      "scf_question": "Does the organization publicly disclose applicable data subject communications metrics, as required by statutory and/or regulatory obligations?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to publicly disclose applicable data subject communications metrics, as required by statutory and/or regulatory obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Disclose data subject communication metrics as required by law",
        "small": "∙ Disclose DSAR metrics in privacy report or regulatory filings as required",
        "medium": "∙ Formal data subject communications disclosure program",
        "large": "∙ Enterprise privacy reporting platform for regulatory disclosures",
        "enterprise": "∙ Enterprise privacy management and reporting platform\n∙ Automated regulatory disclosure generation"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7102(a)(2)",
          "7102(b)"
        ]
      }
    },
    {
      "control_id": "PRI-18",
      "title": "Data Controller Communications",
      "family": "PRI",
      "description": "Mechanisms exist to receive and process data controller communications pertaining to:\n(1) Receiving and responding to data subject requests;\n(2) Updating/correcting Personal Data (PD); \n(3) Accounting for disclosures of PD; and\n(4) Accounting for PD that is stored, processed and/or transmitted on behalf of the data controller.",
      "scf_question": "Does the organization receive and process data controller communications pertaining to:\n (1) Receiving and responding to data subject requests;\n (2) Updating/correcting Personal Data (PD); \n (3) Accounting for disclosures of PD; and\n (4) Accounting for PD that is stored, processed and/or transmitted on behalf of the data controller?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to receive and process data controller communications pertaining to:\n(1) Receiving and responding to data subject requests;\n(2) Updating/correcting Personal Data (PD); \n(3) Accounting for disclosures of PD; and\n(4) Accounting for PD that is stored, processed and/or transmitted on behalf of the data controller.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "small": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "medium": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "large": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management",
        "enterprise": "∙ Data classification program\n∙ Data privacy program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Product / project management"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "P6.7-POF3"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.053(a)",
          "541.055(a)(1)"
        ]
      }
    },
    {
      "control_id": "PRI-19",
      "title": "Automated Decision-Making Technology (ADMT) For Data Subject Actions",
      "family": "PRI",
      "description": "Mechanisms exist to ensure data subject actions utilizing Automated Decision-Making Technology (ADMT), where computation replaces, or substantially replaces, human decision-making, conform with all applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization ensure data subject actions utilizing Automated Decision-Making Technology (ADMT), where computation replaces, or substantially replaces, human decision-making, conform with all applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure data subject actions utilizing Automated Decision-Making Technology (ADMT), where computation replaces, or substantially replaces, human decision-making, conform with all applicable statutory, regulatory and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Inform users when automated decisions are made about them",
        "small": "∙ ADMT disclosure policy in privacy notice",
        "medium": "∙ Formal ADMT governance policy\n∙ Disclosure requirements for automated decision-making",
        "large": "∙ Enterprise ADMT governance program\n∙ Transparency requirements\n∙ Impact assessments",
        "enterprise": "∙ Enterprise ADMT governance framework\n∙ Automated disclosure mechanisms\n∙ GDPR Art. 22 and CCPA compliance\n∙ DPIA program"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {}
    },
    {
      "control_id": "PRI-19.1",
      "title": "Automated Decision-Making Technology (ADMT) Use Notification",
      "family": "PRI",
      "description": "Mechanisms exist to notify data subjects of their rights through a pre-use notice when their Personal Data (PD) will be processed by an Automated Decision-Making Technology (ADMT).",
      "scf_question": "Does the organization notify data subjects of their rights through a pre-use notice when their Personal Data (PD) will be processed by an Automated Decision-Making Technology (ADMT)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to notify data subjects of their rights through a pre-use notice when their Personal Data (PD) will be processed by an Automated Decision-Making Technology (ADMT).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Notify users when ADMT is used in decisions affecting them",
        "small": "∙ ADMT use notification policy\n∙ Privacy notice updates for ADMT",
        "medium": "∙ Formal ADMT notification process\n∙ Real-time or pre-decision user notification",
        "large": "∙ Enterprise ADMT notification program\n∙ Automated user notification for ADMT decisions",
        "enterprise": "∙ Enterprise privacy management platform\n∙ Automated ADMT disclosure\n∙ Regulatory compliance mapping (GDPR, CCPA)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7010(c)",
          "7220(a)",
          "7220(b)",
          "7220(b)(1)",
          "7220(b)(2)",
          "7220(b)(3)",
          "7220(c)",
          "7220(c)(1)",
          "7220(c)(2)",
          "7220(c)(2)(A)",
          "7220(c)(2)(B)",
          "7220(c)(3)",
          "7220(c)(4)",
          "7220(c)(5)",
          "7220(c)(5)(A)",
          "7220(c)(5)(B)",
          "7220(c)(5)(C)",
          "7220(e)",
          "7220(e)(1)",
          "7220(e)(2)",
          "7220(e)(3)",
          "7220(e)(4)"
        ]
      }
    },
    {
      "control_id": "PRI-19.2",
      "title": "Automated Decision-Making Technology (ADMT) Opt-Out Consent",
      "family": "PRI",
      "description": "Mechanisms exist to provide concise, unambiguous and understandable instructions on how data subjects can opt-out of Automated Decision-Making Technology (ADMT).",
      "scf_question": "Does the organization provide concise, unambiguous and understandable instructions on how data subjects can opt-out of Automated Decision-Making Technology (ADMT)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide concise, unambiguous and understandable instructions on how data subjects can opt-out of Automated Decision-Making Technology (ADMT).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Provide opt-out option for automated decision-making",
        "small": "∙ ADMT opt-out policy and procedure",
        "medium": "∙ Formal ADMT opt-out process\n∙ User-accessible opt-out mechanism",
        "large": "∙ Enterprise ADMT opt-out management\n∙ Automated opt-out processing and honoring",
        "enterprise": "∙ Enterprise consent management platform with ADMT opt-out (e.g., OneTrust)\n∙ Automated opt-out processing across systems"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7010(d)",
          "7221(a)",
          "7221(b)",
          "7221(b)(1)",
          "7221(b)(1)(A)",
          "7221(b)(1)(B)",
          "7221(b)(2)",
          "7221(b)(2)(A)",
          "7221(b)(2)(B)",
          "7221(b)(3)",
          "7221(b)(3)(A)",
          "7221(b)(3)(B)",
          "7221(c)",
          "7221(d)",
          "7221(e)",
          "7221(f)",
          "7221(g)",
          "7221(h)",
          "7221(m)",
          "7221(n)",
          "7221(n)(1)",
          "7221(n)(2)"
        ]
      }
    },
    {
      "control_id": "PRI-19.3",
      "title": "Automated Decision-Making Technology (ADMT) Transparency",
      "family": "PRI",
      "description": "Mechanisms exist to provide data subjects with sufficient details of the logic and parameters used by Automated Decision-Making Technology (ADMT) to process the Personal Data (PD) to generate an output with respect to the data subject.",
      "scf_question": "Does the organization provide data subjects with sufficient details of the logic and parameters used by Automated Decision-Making Technology (ADMT) to process the Personal Data (PD) to generate an output with respect to the data subject?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide data subjects with sufficient details of the logic and parameters used by Automated Decision-Making Technology (ADMT) to process the Personal Data (PD) to generate an output with respect to the data subject.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Explain how automated decisions are made to affected users",
        "small": "∙ ADMT transparency policy\n∙ Explanation of ADMT logic in privacy notice",
        "medium": "∙ Formal ADMT transparency program\n∙ Explainability requirements for ADMT systems",
        "large": "∙ Enterprise ADMT transparency program\n∙ Explainable AI (XAI) for ADMT systems",
        "enterprise": "∙ Enterprise AI explainability framework for ADMT\n∙ XAI tools (SHAP, LIME)\n∙ Regulatory compliance (GDPR Art. 13-15, 22)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7222(a)"
        ]
      }
    },
    {
      "control_id": "PRI-20",
      "title": "Data Brokers",
      "family": "PRI",
      "description": "Mechanisms exist to ensure data brokers that collect Personal Data (PD) from a source other than directly from the data subject adhere to all applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization ensure data brokers that collect Personal Data (PD) from a source other than directly from the data subject adhere to all applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure data brokers that collect Personal Data (PD) from a source other than directly from the data subject adhere to all applicable statutory, regulatory and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data broker awareness and opt-out process where applicable",
        "small": "∙ Data broker awareness and opt-out process where applicable",
        "medium": "∙ Data broker awareness and opt-out process where applicable",
        "large": "∙ Enterprise data broker monitoring and opt-out program",
        "enterprise": "∙ Enterprise data broker governance program\n∙ Automated data broker discovery and opt-out (e.g., DeleteMe)\n∙ Regulatory compliance"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7012(i)"
        ]
      }
    },
    {
      "control_id": "PRI-21",
      "title": "Notice of Right To Opt-Out",
      "family": "PRI",
      "description": "Mechanisms exist to include a notification to data subjects within the data privacy notice of:\n(1) Their right to direct an organization that sells or shares their Personal Data (PD) to stop selling or sharing their PD; and\n(2) The methods available to exercise that right.",
      "scf_question": "Does the organization include a notification to data subjects within the data privacy notice of:\n(1) Their right to direct an organization that sells or shares their Personal Data (PD) to stop selling or sharing their PD; and\n(2) The methods available to exercise that right?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include a notification to data subjects within the data privacy notice of:\n(1) Their right to direct an organization that sells or shares their Personal Data (PD) to stop selling or sharing their PD; and\n(2) The methods available to exercise that right.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Include opt-out right in privacy notice",
        "small": "∙ Privacy notice with opt-out rights disclosure",
        "medium": "∙ Formal notice of right-to-opt-out policy and procedure",
        "large": "∙ Enterprise opt-out rights management program\n∙ Automated opt-out processing",
        "enterprise": "∙ Enterprise consent management platform (e.g., OneTrust)\n∙ Automated opt-out rights notification and processing\n∙ CCPA/GDPR compliance"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "C3.1-POF2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7013(a)",
          "7013(b)",
          "7013(d)",
          "7013(f)",
          "7013(f)(1)",
          "7013(f)(2)",
          "7026(a)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1306(1)(a)(I)",
          "6-1-1306(1)(a)(I)(A)",
          "6-1-1306(1)(a)(I)(B)",
          "6-1-1306(1)(a)(I)(C)",
          "6-1-1306(1)(a)(III)",
          "6-1-1306(1)(a)(IV)(A)",
          "6-1-1306(1)(a)(IV)(B)",
          "6-1-1306(1)(a)(IV)(C)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.574(1)(d)",
          "646A.574(1)(d)(A)",
          "646A.574(1)(d)(B)",
          "646A.574(1)(d)(C)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A.5"
        ]
      }
    },
    {
      "control_id": "PRI-21.1",
      "title": "Opt-Out Links",
      "family": "PRI",
      "description": "Mechanisms exist to publish conspicuous links for data subjects to exercise their rights to:\n(1) Limit the collection and/or use of Personal Data (PD); and\n(2) Not sell or share PD.",
      "scf_question": "Does the organization publish conspicuous links for data subjects to exercise their rights to:\n(1) Limit the collection and/or use of Personal Data (PD); and\n(2) Not sell or share PD?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nPrivacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to publish conspicuous links for data subjects to exercise their rights to:\n(1) Limit the collection and/or use of Personal Data (PD); and\n(2) Not sell or share PD.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Add opt-out link to website privacy page",
        "small": "∙ Opt-out link on website privacy policy page",
        "medium": "∙ Formal opt-out link implementation\n∙ Compliant opt-out mechanism on all relevant pages",
        "large": "∙ Enterprise opt-out link management\n∙ Automated opt-out processing from link",
        "enterprise": "∙ Enterprise consent management platform with opt-out link automation\n∙ GPC signal recognition\n∙ CCPA compliance"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7014(h)",
          "7026(a)",
          "7026(b)",
          "7026(c)",
          "7026(d)",
          "7026(g)",
          "7026(h)",
          "7060(b)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-577.A.5"
        ]
      }
    },
    {
      "control_id": "PRI-21.2",
      "title": "Alternative Opt-Out Link",
      "family": "PRI",
      "description": "Mechanisms exist to publish a single, clearly-labeled link that allows data subjects to efficiently exercise their opt-out rights to:\n(1) Limit the collection and/or use of Personal Data (PD); and\n(2) Not sell or share PD.",
      "scf_question": "Does the organization publish a single, clearly-labeled link that allows data subjects to efficiently exercise their opt-out rights to:\n(1) Limit the collection and/or use of Personal Data (PD); and\n(2) Not sell or share PD?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Privacy (PRI) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRI domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Data privacy-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity personnel.",
        "2": "Privacy (PRI) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Data privacy management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Data privacy management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and/or contractual data privacy obligations for Personal Data (PD) are properly identified and implemented.",
        "3": "Privacy (PRI) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRI domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRI domain capabilities are well-documented and kept current by process owners.\n▪ A data privacy team, or similar function, is appropriately staffed and supported to implement and maintain PRI domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of data privacy operations (e.g., privacy notice management software, customer management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRI domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to publish a single, clearly-labeled link that allows data subjects to efficiently exercise their opt-out rights to:\n(1) Limit the collection and/or use of Personal Data (PD); and\n(2) Not sell or share PD.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Provide alternative opt-out option (e.g., email or phone)",
        "small": "∙ Alternative opt-out method policy (phone, email, web form)",
        "medium": "∙ Formal alternative opt-out mechanism policy and implementation",
        "large": "∙ Enterprise multi-channel opt-out management program",
        "enterprise": "∙ Enterprise privacy platform with multi-channel opt-out management (e.g., OneTrust)\n∙ Automated opt-out processing across channels"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Data Privacy",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7015(a)",
          "7015(b)",
          "7015(b)(1)",
          "7015(b)(2)",
          "7015(b)(3)",
          "7015(c)",
          "7015(c)(1)",
          "7015(c)(2)"
        ]
      }
    },
    {
      "control_id": "PRM-01",
      "title": "Security, Compliance & Resilience Protection Portfolio Management",
      "family": "PRM",
      "description": "Mechanisms exist to facilitate the implementation of resource planning controls that provide a portfolio management approach to achieve security, compliance and resilience objectives.",
      "scf_question": "Does the organization facilitate the implementation of resource planning controls that provide a portfolio management approach to achieve security, compliance and resilience objectives?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Project & Resource Management (PRM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Project management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.\n▪ Quarterly Business Review (QBR), or similar status reporting, exists to provide recurring reports on the state of the cybersecurity and data protection program.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to facilitate the implementation of resource planning controls that provide a portfolio management approach to achieve security, compliance and resilience objectives.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Include security tasks in project plans",
        "small": "∙ Security requirements in project planning\n∙ Project security checklist",
        "medium": "∙ Security integrated into project management methodology\n∙ Security gates",
        "large": "∙ Enterprise project management with security integration (e.g., Jira, MS Project)",
        "enterprise": "∙ Enterprise PPM platform with security integration\n∙ Dedicated security architects\n∙ Security portfolio risk management"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2",
          "CC3.1",
          "CC3.1-POF4",
          "CC3.4",
          "CC5.2"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.3",
          "4.1.4",
          "4.1.5",
          "5",
          "7"
        ],
        "general-cobit-2019": [
          "EDM02.01",
          "EDM02.02",
          "EDM02.03",
          "EDM02.04",
          "EDM04.01",
          "EDM04.02",
          "EDM04.03",
          "APO05.01",
          "APO05.02",
          "APO05.03",
          "APO05.04",
          "APO05.05",
          "APO12.05",
          "BAI01.05",
          "BAI01.08",
          "BAI01.09",
          "BAI02.02",
          "BAI02.04"
        ],
        "general-coso-2013": [
          "6",
          "9",
          "14"
        ],
        "general-govramp": [
          "PL-01"
        ],
        "general-govramp-low": [
          "PL-01"
        ],
        "general-govramp-low-plus": [
          "PL-01"
        ],
        "general-govramp-mod": [
          "PL-01"
        ],
        "general-govramp-high": [
          "PL-01"
        ],
        "general-iso-22301-2019": [
          "6.2.1",
          "6.2.2"
        ],
        "general-iso-27001-2022": [
          "5.1(e)"
        ],
        "general-iso-27002-2022": [
          "5.4",
          "5.8"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "6.1.5",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4",
          "5.8"
        ],
        "general-iso-27701-2025": [
          "7.1"
        ],
        "general-iso-31000-2018": [
          "5.3",
          "5.4.4"
        ],
        "general-iso-42001-2023": [
          "7.1",
          "A.4.2",
          "A.6.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(b)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 2.1",
          "MANAGE 2.2"
        ],
        "general-nist-800-53-r4": [
          "PL-1"
        ],
        "general-nist-800-53-r5-2": [
          "PL-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-01"
        ],
        "general-nist-800-82-r3": [
          "PL-01"
        ],
        "general-nist-800-161-r1": [
          "PL-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PL-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-1"
        ],
        "general-nist-800-171-r2": [
          "NFO - PL-1"
        ],
        "general-nist-800-171-r3": [
          "03.16.01"
        ],
        "general-nist-csf-2-0": [
          "GV.RM",
          "GV.RR-03"
        ],
        "general-scf-dpmp-2025": [
          "1.4"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EF:SG1.SP3",
          "FRM:SG1",
          "FRM:SG1.SP1",
          "FRM:SG1.SP2",
          "FRM:SG2",
          "FRM:SG2.SP1",
          "FRM:SG2.SP2",
          "FRM:SG2.SP3",
          "FRM:SG3",
          "FRM:SG3.SP1",
          "FRM:SG4",
          "FRM:SG4.SP1",
          "FRM:SG4.SP2",
          "FRM:SG5",
          "FRM:SG5.SP1",
          "FRM:SG5.SP2",
          "FRM:SG5.SP3",
          "FRM:GG1.GP1",
          "FRM:GG2",
          "FRM:GG2.GP2",
          "SC:SG1",
          "SC:SG1.SP1",
          "SC:SG1.SP2",
          "SC:SG2",
          "SC:SG2.SP1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EN.CMONI"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-1f",
          "ARCHITECTURE-1e"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.935(d)",
          "609.935(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-01"
        ],
        "usa-federal-irs-1075-2021": [
          "PL-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PL-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-01"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(6)",
          "3.6.1(61)",
          "3.6.1(62)",
          "3.6.1(64)",
          "3.6.1(65)",
          "3.6.1(66)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "2.3",
          "7.4",
          "7.5",
          "8.3"
        ],
        "emea-isr-cmo-1-0": [
          "17.5"
        ],
        "emea-sau-cscc-1-2019": [
          "1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-1-3",
          "1-2-3"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "9"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0720",
          "ISM-0732"
        ],
        "apac-aus-ps-cps-230-2023": [
          "25"
        ],
        "apac-aus-ps-cps-234-2019": [
          "13",
          "15"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S4"
        ],
        "apac-jpn-ismap": [
          "4.5.1.1"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.15.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.1.1",
          "5.1.2",
          "5.1.3",
          "5.1.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.1",
          "6.22"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.01"
        ]
      }
    },
    {
      "control_id": "PRM-01.1",
      "title": "Strategic Plan & Objectives",
      "family": "PRM",
      "description": "Mechanisms exist to establish a:\n(1) Strategic security, compliance and resilience-specific business plan; and \n(2) Set of objectives to achieve that plan.",
      "scf_question": "Does the organization establish a:\n(1) Strategic security, compliance and resilience-specific business plan; and \n(2) Set of objectives to achieve that plan?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.\n▪ Quarterly Business Review (QBR), or similar status reporting, exists to provide recurring reports on the state of the cybersecurity and data protection program.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to establish a:\n(1) Strategic security, compliance and resilience-specific business plan; and \n(2) Set of objectives to achieve that plan.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Include security tasks in project plans",
        "small": "∙ Security requirements in project planning\n∙ Project security checklist",
        "medium": "∙ Documented cybersecurity and data protection-specific business plan",
        "large": "∙ Documented cybersecurity and data protection-specific business plan",
        "enterprise": "∙ Documented cybersecurity and data protection-specific business plan"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-bsi-200-1-1-0": [
          "4.1.2",
          "7"
        ],
        "general-cobit-2019": [
          "APO01.01",
          "APO01.02",
          "APO01.03",
          "APO02.02",
          "APO02.05",
          "APO02.06"
        ],
        "general-iso-22301-2019": [
          "6.2.1"
        ],
        "general-iso-31000-2018": [
          "5.3",
          "5.4.1",
          "5.4.4"
        ],
        "general-iso-42001-2023": [
          "4.1",
          "4.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.3"
        ],
        "general-nist-800-37-r2": [
          "TASK P-8"
        ],
        "general-nist-csf-2-0": [
          "GV",
          "GV.OC-04",
          "GV.RM",
          "GV.OV-01"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EF:SG1",
          "EF:SG1.SP1",
          "EF:SG1.SP2",
          "EF:SG2.SP1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-1a",
          "ARCHITECTURE-1a",
          "PROGRAM-1a",
          "PROGRAM-1b",
          "PROGRAM-1c",
          "PROGRAM-1d",
          "PROGRAM-1e"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.935",
          "609.935(a)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7100(b)",
          "7102(a)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(4)",
          "3.2.1(5)(a)",
          "3.2.1(5)(b)",
          "3.2.1(5)(c)"
        ],
        "emea-eu-dora-2023": [
          "Article 6.8",
          "Article 6.8(a)",
          "Article 6.8(b)",
          "Article 6.8(c)",
          "Article 6.8(d)",
          "Article 6.8(e)",
          "Article 6.8(f)",
          "Article 6.8(g)",
          "Article 6.8(h)"
        ],
        "emea-deu-bsrit-2017": [
          "1.1",
          "1.2",
          "1.2(a)",
          "1.2(b)",
          "1.2(c)",
          "1.2(d)",
          "1.2(e)",
          "1.2(f)"
        ],
        "emea-sau-cscc-1-2019": [
          "1-1",
          "1-1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-1-1",
          "1-1-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0039",
          "ISM-0720"
        ],
        "apac-aus-ps-cps-234-2019": [
          "13",
          "15"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S4"
        ],
        "apac-jpn-ismap": [
          "5.1.1.2"
        ],
        "apac-nzl-ism-3-9": [
          "2.3.25.C.01",
          "2.3.25.C.02",
          "2.3.29.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.1.4",
          "3.1.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.1",
          "6.7"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2.1"
        ]
      }
    },
    {
      "control_id": "PRM-01.2",
      "title": "Targeted Capability Maturity Levels",
      "family": "PRM",
      "description": "Mechanisms exist to define and identify targeted capability maturity levels.",
      "scf_question": "Does the organization define and identify targeted capability maturity levels?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Project & Resource Management (PRM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Project management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to define and identify targeted capability maturity levels.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented security, compliance and resilience maturity goals\n∙ SCF Secure, Compliant & Resilient Capability Maturity Model (SCR-CMM)",
        "small": "∙ Documented security, compliance and resilience maturity goals\n∙ SCF Secure, Compliant & Resilient Capability Maturity Model (SCR-CMM)",
        "medium": "∙ Documented security, compliance and resilience maturity goals\n∙ SCF Secure, Compliant & Resilient Capability Maturity Model (SCR-CMM)",
        "large": "∙ Documented security, compliance and resilience maturity goals\n∙ SCF Secure, Compliant & Resilient Capability Maturity Model (SCR-CMM)",
        "enterprise": "∙ Documented security, compliance and resilience maturity goals\n∙ SCF Secure, Compliant & Resilient Capability Maturity Model (SCR-CMM)"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.1-POF5"
        ],
        "general-cobit-2019": [
          "APO02.03",
          "APO02.05"
        ],
        "general-iso-22301-2019": [
          "6.2.1"
        ],
        "general-iso-31000-2018": [
          "5.4.4"
        ],
        "apac-aus-ps-cps-234-2019": [
          "15"
        ],
        "apac-jpn-ismap": [
          "4.4.5.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.7"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2.1"
        ]
      }
    },
    {
      "control_id": "PRM-02",
      "title": "Security, Compliance & Resilience Resource Management",
      "family": "PRM",
      "description": "Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the Security, Compliance & Resilience Program (SCRP) and document all exceptions to this requirement.",
      "scf_question": "Does the organization address all capital planning and investment requests, including the resources needed to implement the Security, Compliance & Resilience Program (SCRP) and document all exceptions to this requirement?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Project & Resource Management (PRM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Project management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.\n▪ The PM function enables project involvement for Information Assurance Program (IAP) as part of the organization's established project management processes to ensure both cybersecurity and data protection principles are identified and implemented.\n▪ Quarterly Business Review (QBR), or similar status reporting, exists to provide recurring reports on the state of the cybersecurity and data protection program.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to address all capital planning and investment requests, including the resources needed to implement the Security, Compliance & Resilience Program (SCRP) and document all exceptions to this requirement.",
        "4": "Project & Resource Management (PRM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Generic budget for IT products and services",
        "small": "∙ Generic budget for IT products and services",
        "medium": "∙ Dedicated cybersecurity budget\n∙ Dedicated data protection budget",
        "large": "∙ Dedicated cybersecurity budget\n∙ Dedicated data protection budget",
        "enterprise": "∙ Dedicated cybersecurity budget\n∙ Dedicated data protection budget"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.3",
          "5"
        ],
        "general-cobit-2019": [
          "EDM02.01",
          "EDM02.02",
          "EDM02.03",
          "EDM02.04",
          "EDM04.01",
          "EDM04.02",
          "EDM04.03"
        ],
        "general-iso-22301-2019": [
          "6.3(c)",
          "6.3(d)",
          "7.1",
          "8.3.4",
          "8.3.4(a)",
          "8.3.4(b)",
          "8.3.4(c)",
          "8.3.4(d)",
          "8.3.4(e)",
          "8.3.4(f)",
          "8.3.4(g)",
          "8.3.4(h)"
        ],
        "general-iso-27001-2022": [
          "5.1(c)",
          "7.1"
        ],
        "general-iso-27002-2022": [
          "5.4"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "7.1"
        ],
        "general-iso-31000-2018": [
          "5.4.4"
        ],
        "general-iso-31010-2009": [
          "6.3"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "7.1",
          "A.6.2.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(b)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 2.1"
        ],
        "general-nist-800-53-r4": [
          "PM-3"
        ],
        "general-nist-800-53-r5-2": [
          "PM-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-03"
        ],
        "general-nist-800-82-r3": [
          "PM-03"
        ],
        "general-nist-800-82-r3-low": [
          "PM-03"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-03"
        ],
        "general-nist-800-82-r3-high": [
          "PM-03"
        ],
        "general-nist-800-161-r1": [
          "PM-3"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-3"
        ],
        "general-nist-csf-2-0": [
          "GV.RR-03"
        ],
        "general-scf-dpmp-2025": [
          "11.0"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG2.GP3",
          "AM:GG2.GP3",
          "COMM:GG2.GP3",
          "COMP:GG2.GP3",
          "CTRL:GG2.GP3",
          "EC:SG4.SP5",
          "EC:GG2.GP3",
          "EF:SG2",
          "EF:GG2.GP3",
          "EXD:GG2.GP3",
          "FRM:GG2.GP3",
          "HRM:GG2.GP3",
          "ID:GG2.GP3",
          "IMC:GG2.GP3",
          "KIM:GG2.GP3",
          "MA:GG2.GP3",
          "MON:GG2.GP3",
          "OPD:GG2.GP3",
          "OPF:GG2.GP3",
          "OTA:GG2.GP3",
          "PM:GG2.GP3",
          "RISK:GG2.GP3",
          "RRD:GG2.GP3",
          "RRM:GG2.GP3",
          "RTSE:GG2.GP3",
          "SC:GG2.GP3",
          "TM:GG2.GP3",
          "VAR:GG2.GP3",
          "GG2.GP3"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-3",
          "PM-3.a",
          "PM-3.b",
          "PM-3.c"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(c)(1)(ii)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(d)(4)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-03"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.1(61)",
          "3.6.1(62)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-deu-bsrit-2017": [
          "2.3"
        ],
        "emea-isr-cmo-1-0": [
          "17.5",
          "17.8",
          "17.9"
        ],
        "emea-sau-cscc-1-2019": [
          "1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-1-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-4",
          "1-4-1",
          "1-4-1-1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0732"
        ],
        "apac-aus-ps-cps-230-2023": [
          "25"
        ],
        "apac-aus-ps-cps-234-2019": [
          "13",
          "15"
        ],
        "apac-jpn-ismap": [
          "4.5.1.1",
          "4.5.5.3"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.15.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.1.1",
          "5.1.2",
          "5.1.3",
          "5.1.4",
          "5.2.1",
          "5.2.2",
          "5.5.1",
          "5.5.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.1",
          "6.22"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2.1"
        ]
      }
    },
    {
      "control_id": "PRM-02.1",
      "title": "Prioritization To Address Evolving Risks & Threats",
      "family": "PRM",
      "description": "Mechanisms exist to integrate foundational cybersecurity practices with advanced technologies to maintain situation awareness of and minimize the organization's exposure to evolving risks and threats.",
      "scf_question": "Does the organization integrate foundational cybersecurity practices with advanced technologies to maintain situation awareness of and minimize the organization's exposure to evolving risks and threats?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Project & Resource Management (PRM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Project management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.\n▪ The PM function enables project involvement for Information Assurance Program (IAP) as part of the organization's established project management processes to ensure both cybersecurity and data protection principles are identified and implemented.\n▪ Quarterly Business Review (QBR), or similar status reporting, exists to provide recurring reports on the state of the cybersecurity and data protection program.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to integrate foundational cybersecurity practices with advanced technologies to maintain situation awareness of and minimize the organization's exposure to evolving risks and threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Include security tasks in project plans",
        "small": "∙ Security requirements in project planning\n∙ Project security checklist",
        "medium": "∙ Security integrated into project management methodology\n∙ Security gates",
        "large": "∙ Enterprise project management with security integration (e.g., Jira, MS Project)",
        "enterprise": "∙ Enterprise PPM platform with security integration\n∙ Dedicated security architects\n∙ Security portfolio risk management"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-cobit-2019": [
          "APO12.05",
          "BAI01.07",
          "BAI01.08",
          "BAI01.09",
          "BAI02.03",
          "BAI11.06"
        ],
        "general-cr-cmm-2026": [
          "CR3.1.6"
        ],
        "general-iso-31000-2018": [
          "5.3",
          "5.4.4"
        ],
        "general-iso-31010-2009": [
          "4.3.2",
          "6.3"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.3"
        ],
        "apac-jpn-ismap": [
          "4.5.5.3"
        ]
      }
    },
    {
      "control_id": "PRM-03",
      "title": "Allocation of Resources",
      "family": "PRM",
      "description": "Mechanisms exist to identify and allocate resources for management, operational, technical and data protection requirements within business process planning for projects / initiatives.",
      "scf_question": "Does the organization identify and allocate resources for management, operational, technical and data protection requirements within business process planning for projects / initiatives?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-01",
        "E-PRM-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Project & Resource Management (PRM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Project management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.\n▪ The PM function enables project involvement for Information Assurance Program (IAP) as part of the organization's established project management processes to ensure both cybersecurity and data protection principles are identified and implemented.\n▪ Quarterly Business Review (QBR), or similar status reporting, exists to provide recurring reports on the state of the cybersecurity and data protection program.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to identify and allocate resources for management, operational, technical and data protection requirements within business process planning for projects / initiatives.",
        "4": "Project & Resource Management (PRM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Include security tasks in project plans",
        "small": "∙ Security requirements in project planning\n∙ Project security checklist",
        "medium": "∙ Cybersecurity road map\n∙ Prioritized list of cybersecurity expenses",
        "large": "∙ Cybersecurity road map\n∙ Prioritized list of cybersecurity expenses",
        "enterprise": "∙ Cybersecurity road map\n∙ Prioritized list of cybersecurity expenses"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4",
          "CC3.1-POF4",
          "CC4.1"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.2"
        ],
        "general-cobit-2019": [
          "EDM02.01",
          "EDM02.02",
          "EDM02.03",
          "EDM02.04",
          "EDM04.01",
          "EDM04.02",
          "EDM04.03",
          "APO06.01",
          "APO06.02",
          "APO06.03",
          "APO06.04",
          "APO06.05",
          "BAI01.05"
        ],
        "general-coso-2013": [
          "16"
        ],
        "general-govramp": [
          "SA-02"
        ],
        "general-govramp-low": [
          "SA-02"
        ],
        "general-govramp-low-plus": [
          "SA-02"
        ],
        "general-govramp-mod": [
          "SA-02"
        ],
        "general-govramp-high": [
          "SA-02"
        ],
        "general-iso-31000-2018": [
          "5.3",
          "5.4.4"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "7.1",
          "A.4.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 2.1"
        ],
        "general-nist-800-53-r4": [
          "SA-2"
        ],
        "general-nist-800-53-r5-2": [
          "SA-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-02"
        ],
        "general-nist-800-82-r3": [
          "SA-02"
        ],
        "general-nist-800-82-r3-low": [
          "SA-02"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-02"
        ],
        "general-nist-800-82-r3-high": [
          "SA-02"
        ],
        "general-nist-800-161-r1": [
          "SA-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-2"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-2"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-2"
        ],
        "general-nist-csf-2-0": [
          "GV.RR-03"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EN.CMONI"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-5b",
          "THREAT-3b",
          "RISK-5b",
          "ACCESS-4b",
          "SITUATION-4b",
          "RESPONSE-5b",
          "THIRD-PARTIES-3b",
          "WORKFORCE-5b",
          "ARCHITECTURE-6b",
          "PROGRAM-3b"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.935(b)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(iii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-2",
          "SA-2.a",
          "SA-2.b",
          "SA-2.c",
          "SA-2.d"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(d)(4)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-02"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(l)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(3)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-deu-bsrit-2017": [
          "2.3"
        ],
        "emea-isr-cmo-1-0": [
          "17.5"
        ],
        "emea-sau-cscc-1-2019": [
          "1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0732"
        ],
        "apac-aus-ps-cps-230-2023": [
          "25"
        ],
        "apac-aus-ps-cps-234-2019": [
          "15"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S4"
        ],
        "apac-jpn-ismap": [
          "4.5.1.2",
          "4.5.5.3"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.2.1",
          "5.2.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.22"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2.1"
        ]
      }
    },
    {
      "control_id": "PRM-04",
      "title": "Security, Compliance & Resilience In Project Management",
      "family": "PRM",
      "description": "Mechanisms exist to assess security, compliance and resilience controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.",
      "scf_question": "Does the organization assess security, compliance and resilience controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-03",
        "E-PRM-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Project & Resource Management (PRM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Project management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.\n▪ The PM function enables project involvement for Information Assurance Program (IAP) as part of the organization's established project management processes to ensure both cybersecurity and data protection principles are identified and implemented.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to assess security, compliance and resilience controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.",
        "4": "Project & Resource Management (PRM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Product / project management",
        "small": "∙ Product / project management",
        "medium": "∙ Product / project management",
        "large": "∙ Product / project management\n∙ Program Management Office (PMO)",
        "enterprise": "∙ Product / project management\n∙ Program Management Office (PMO)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1",
          "CC4.1",
          "CC5.2"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.4"
        ],
        "general-cobit-2019": [
          "EDM03.01",
          "BAI01.01",
          "BAI01.02",
          "BAI01.03",
          "BAI01.04",
          "BAI01.06",
          "BAI03.01",
          "BAI03.02",
          "BAI11.01",
          "BAI11.02",
          "BAI11.03",
          "BAI11.04",
          "BAI11.05",
          "BAI11.06",
          "BAI11.07",
          "BAI11.08",
          "BAI11.09"
        ],
        "general-coso-2013": [
          "6",
          "11",
          "16"
        ],
        "general-csa-iot-2": [
          "LGL-02"
        ],
        "general-govramp": [
          "CA-02"
        ],
        "general-govramp-low": [
          "CA-02"
        ],
        "general-govramp-low-plus": [
          "CA-02"
        ],
        "general-govramp-mod": [
          "CA-02"
        ],
        "general-govramp-high": [
          "CA-02"
        ],
        "general-iso-21434-2021": [
          "RQ-06-01"
        ],
        "general-iso-27002-2022": [
          "5.8"
        ],
        "general-iso-27017-2015": [
          "6.1.5"
        ],
        "general-iso-27018-2025": [
          "5.8"
        ],
        "general-iso-31000-2018": [
          "5.3",
          "5.4.2",
          "5.4.4",
          "5.4.5",
          "6.2"
        ],
        "general-iso-31010-2009": [
          "4.3.2",
          "5.7",
          "6.6"
        ],
        "general-iso-42001-2023": [
          "7.4",
          "A.4.2",
          "A.6.2.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P1",
          "CT.PO-P4",
          "CM.AW-P3"
        ],
        "general-nist-800-53-r4": [
          "CA-2"
        ],
        "general-nist-800-53-r5-2": [
          "CA-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-02"
        ],
        "general-nist-800-82-r3": [
          "CA-02"
        ],
        "general-nist-800-82-r3-low": [
          "CA-02"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-02"
        ],
        "general-nist-800-82-r3-high": [
          "CA-02"
        ],
        "general-nist-800-161-r1": [
          "CA-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "CA-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "CA-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "CA-2"
        ],
        "general-owasp-top-10-2025": [
          "A06:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.1"
        ],
        "general-scf-dpmp-2025": [
          "5.12"
        ],
        "general-tisax-6-0-3": [
          "1.2.3",
          "5.3.1"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EF:SG2.SP2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-02"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "CA-2"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-02"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(10)",
          "3.3.1(13)(f)",
          "3.6.1(62)",
          "3.6.1(61)",
          "3.6.1(63)(a)",
          "3.6.1(63)(b)",
          "3.6.1(63)(c)",
          "3.6.1(63)(d)",
          "3.6.1(63)(e)",
          "3.6.1(63)(f)",
          "3.6.1(64)",
          "3.6.1(65)",
          "3.6.1(66)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-deu-bsrit-2017": [
          "7.1",
          "7.2",
          "7.3"
        ],
        "emea-isr-cmo-1-0": [
          "17.5",
          "17.8",
          "17.9"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3",
          "2-13-1",
          "2-13-2",
          "2-13-3-1",
          "2-13-3-2",
          "2-13-3-3",
          "2-13-3-4"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-1",
          "1-6-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-4-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-74"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1739"
        ],
        "apac-jpn-ismap": [
          "4.5.1.1",
          "6.1.5",
          "6.1.5.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP11",
          "HHSP28",
          "HHSP31",
          "HML11",
          "HML28",
          "HML31"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP24"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.1.1",
          "5.1.2",
          "5.1.3",
          "5.1.4",
          "5.2.1",
          "5.2.2",
          "5.4.1",
          "5.4.2",
          "5.4.3",
          "5.4.4",
          "5.8.1",
          "5.8.2"
        ],
        "americas-bra-lgpd-2018": [
          "6.8"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.7"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2.1",
          "2.3",
          "2.3.1",
          "2.4.1"
        ]
      }
    },
    {
      "control_id": "PRM-05",
      "title": "Security, Compliance & Resilience Requirements Definition",
      "family": "PRM",
      "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
      "scf_question": "Does the organization identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-03",
        "E-PRM-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Project & Resource Management (PRM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Project management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.\n▪ The PM function enables project involvement for Information Assurance Program (IAP) as part of the organization's established project management processes to ensure both cybersecurity and data protection principles are identified and implemented.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "4": "Project & Resource Management (PRM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined technical requirements\n∙ Defined business requirements",
        "small": "∙ Defined technical requirements\n∙ Defined business requirements",
        "medium": "∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "large": "∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed",
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2",
          "CC4.1",
          "CC5.2",
          "PI1.1-POF1",
          "PI1.1-POF2",
          "PI1.1-POF3"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.4"
        ],
        "general-cis-csc-8-1": [
          "15.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.7"
        ],
        "general-cobit-2019": [
          "APO01.10",
          "APO08.01",
          "BAI01.04",
          "BAI02.01",
          "BAI03.01",
          "BAI03.03",
          "BAI03.04"
        ],
        "general-coso-2013": [
          "11",
          "14",
          "16"
        ],
        "general-csa-iot-2": [
          "LGL-01",
          "LGL-02",
          "LGL-03",
          "LGL-04",
          "LGL-05",
          "LGL-06",
          "LGL-07",
          "LGL-08"
        ],
        "general-iso-21434-2021": [
          "RQ-06-02",
          "RQ-06-02(a)",
          "RQ-06-02(b)",
          "RQ-06-02(c)",
          "RQ-06-03",
          "RQ-06-03(a)",
          "RQ-06-03(b)",
          "RQ-06-03(c)",
          "RQ-06-03(d)",
          "RQ-06-03(e)",
          "RQ-06-03(f)",
          "RQ-06-19",
          "RQ-06-33(c)",
          "RQ-10-02"
        ],
        "general-iso-27002-2022": [
          "5.8",
          "5.9",
          "8.26"
        ],
        "general-iso-27017-2015": [
          "6.1.5",
          "8.1.1",
          "14.1.1"
        ],
        "general-iso-27018-2025": [
          "5.8",
          "5.9",
          "8.26"
        ],
        "general-iso-27701-2025": [
          "6.1.1"
        ],
        "general-iso-31000-2018": [
          "5.4.1"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "4.1",
          "4.2",
          "A.4.2",
          "A.6.2.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.6"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P1"
        ],
        "general-nist-800-37-r2": [
          "TASK P-8"
        ],
        "general-nist-800-53-r4": [
          "SA-14"
        ],
        "general-nist-800-53-r5-2": [
          "RA-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "RA-09"
        ],
        "general-nist-800-53-r5-2-mod": [
          "RA-09"
        ],
        "general-nist-800-82-r3": [
          "RA-09"
        ],
        "general-nist-800-160-vol-2-r1": [
          "RA-09"
        ],
        "general-nist-800-161-r1": [
          "RA-9"
        ],
        "general-nist-800-161-r1-flowdown": [
          "RA-9"
        ],
        "general-nist-800-161-r1-level-1": [
          "RA-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-9"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-9"
        ],
        "general-nist-800-171-r3": [
          "03.16.01"
        ],
        "general-nist-800-218": [
          "PO.1",
          "PO.1.1"
        ],
        "general-owasp-top-10-2025": [
          "A06:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.1"
        ],
        "general-scf-dpmp-2025": [
          "5.12"
        ],
        "general-swift-cscf-2025": [
          "2.8",
          "2.11A"
        ],
        "general-tisax-6-0-3": [
          "1.2.3",
          "5.3.2",
          "8.3.1"
        ],
        "general-ul-2900-1-2017": [
          "12.1(a)"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-9"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.935(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "RA-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "RA-09"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(ii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7100(b)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 14.3(b)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(51)",
          "3.6.1(64)",
          "3.6.1(65)",
          "3.6.2(68)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.2(a)"
        ],
        "emea-isr-cmo-1-0": [
          "17.5",
          "17.6"
        ],
        "emea-qat-pdppl-2020": [
          "11.1",
          "11.2",
          "11.3",
          "11.4",
          "11.5",
          "11.6",
          "11.7",
          "11.8"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-1-2",
          "2-13-1",
          "2-13-2",
          "2-13-3-1",
          "2-13-3-2",
          "2-13-3-3",
          "2-13-3-4"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "1-4-1",
          "1-4-1-1",
          "1-4-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-43"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.1.3 [OP.PL.3]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0720",
          "ISM-1739"
        ],
        "apac-jpn-ismap": [
          "4.4.3.1",
          "4.4.5.2",
          "4.5.1.1",
          "6.1.5.2",
          "14.1.1.2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP11",
          "HHSP28",
          "HHSP31",
          "HML31"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP27"
        ],
        "apac-nzl-ism-3-9": [
          "12.1.30.C.01",
          "12.1.30.C.02",
          "12.1.30.C.03",
          "12.1.32.C.01",
          "12.1.32.C.02",
          "12.1.32.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.1.1",
          "5.1.2",
          "5.1.3",
          "5.1.4",
          "5.3.3",
          "5.5.1",
          "5.5.2",
          "5.6.1",
          "5.6.2",
          "5.6.3"
        ],
        "apac-twn-pdpa-2025": [
          "27"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.7"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2.1",
          "2.3",
          "2.4.1",
          "2.4.2",
          "2.4.3",
          "2.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.01"
        ]
      }
    },
    {
      "control_id": "PRM-06",
      "title": "Business Process Definition",
      "family": "PRM",
      "description": "Mechanisms exist to define business processes with consideration for security, compliance and resilience that determines: \n(1) The resulting risk to organizational operations, assets, individuals and other organizations; and\n(2) Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.",
      "scf_question": "Does the organization define business processes with consideration for security, compliance and resilience that determines: \n(1) The resulting risk to organizational operations, assets, individuals and other organizations; and\n(2) Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-03",
        "E-PRM-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Project & Resource Management (PRM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Project management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.\n▪ The PM function enables project involvement for Information Assurance Program (IAP) as part of the organization's established project management processes to ensure both cybersecurity and data protection principles are identified and implemented.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to define business processes with consideration for security, compliance and resilience that determines: \n(1) The resulting risk to organizational operations, assets, individuals and other organizations; and\n(2) Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.",
        "4": "Project & Resource Management (PRM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "medium": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "large": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.3",
          "CC3.1",
          "CC3.1-POF7",
          "CC3.1-POF8",
          "CC3.1-POF9",
          "CC3.1-POF10",
          "CC3.1-POF11",
          "CC3.1-POF12",
          "CC3.1-POF13",
          "CC3.1-POF14",
          "CC3.1-POF15",
          "CC3.1-POF16",
          "CC3.4",
          "CC4.1",
          "CC5.1",
          "CC5.2",
          "P6.7-POF1",
          "PI1.1",
          "PI1.1-POF1",
          "PI1.3-POF1",
          "PI1.3-POF2",
          "PI1.3-POF3",
          "PI1.3-POF4",
          "PI1.3-POF5",
          "PI1.4-POF1",
          "PI1.4-POF2",
          "PI1.4-POF3",
          "PI1.4-POF4",
          "PI1.5-POF1",
          "PI1.5-POF2",
          "PI1.5-POF3",
          "PI1.5-POF4"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.4"
        ],
        "general-cis-csc-8-1": [
          "15.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.7"
        ],
        "general-cobit-2019": [
          "APO01.10",
          "APO08.01",
          "BAI01.04",
          "BAI02.01",
          "BAI03.01",
          "BAI04.03"
        ],
        "general-coso-2013": [
          "3",
          "6",
          "9",
          "10",
          "11",
          "16"
        ],
        "general-csa-iot-2": [
          "LGL-02",
          "LGL-03",
          "LGL-04",
          "LGL-05",
          "LGL-06",
          "LGL-07",
          "LGL-08"
        ],
        "general-iso-27701-2025": [
          "4.1",
          "4.2",
          "4.2(a)",
          "4.2(b)",
          "4.2(c)",
          "6.1.1"
        ],
        "general-iso-31000-2018": [
          "5.4.1"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "4.1",
          "4.2",
          "7.4"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.0",
          "MAP 1.1",
          "MAP 1.4",
          "MAP 2.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P5",
          "ID.BE-P1",
          "ID.BE-P3",
          "GV.RM-P3",
          "CT.PO-P1"
        ],
        "general-nist-800-37-r2": [
          "TASK P-8"
        ],
        "general-nist-800-53-r4": [
          "PM-11"
        ],
        "general-nist-800-53-r5-2": [
          "PM-11"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-11"
        ],
        "general-nist-800-82-r3": [
          "PM-11"
        ],
        "general-nist-800-82-r3-low": [
          "PM-11"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-11"
        ],
        "general-nist-800-82-r3-high": [
          "PM-11"
        ],
        "general-nist-800-161-r1": [
          "PM-11"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-11"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-11"
        ],
        "general-nist-800-161-r1-level-3": [
          "PM-11"
        ],
        "general-owasp-top-10-2025": [
          "A06:2025"
        ],
        "general-scf-dpmp-2025": [
          "5.12"
        ],
        "general-swift-cscf-2025": [
          "2.8",
          "2.11A"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG2.SP1",
          "ADM:GG1.GP1",
          "AM:GG1.GP1",
          "COMM:GG1.GP1",
          "COMP:GG1.GP1",
          "CTRL:GG1.GP1",
          "EC:GG1.GP1",
          "EF:GG1.GP1",
          "EXD:GG1.GP1",
          "FRM:GG1.GP1",
          "HRM:GG1.GP1",
          "ID:GG1.GP1",
          "IMC:GG1.GP1",
          "KIM:GG1.GP1",
          "MA:GG1.GP1",
          "MON:GG1.GP1",
          "OPD:GG1.GP1",
          "OPF:GG1.GP1",
          "OTA:GG1.GP1",
          "PM:GG1.GP1",
          "RISK:GG1.GP1",
          "RRD:GG1.GP1",
          "RRM:GG1.GP1",
          "RTSE:GG1.GP1",
          "SC:SG2.SP2",
          "SC:SG2.SP3",
          "SC:SG3",
          "SC:SG3.SP1",
          "SC:GG1.GP1",
          "TM:GG1.GP1",
          "VAR:GG1.GP1",
          "GG1.GP1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-2d"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "3.2.1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.935(e)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(i)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-11",
          "PM-11.a",
          "PM-11.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-11"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(51)",
          "3.6.1(64)",
          "3.6.1(65)",
          "3.6.2(68)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.1"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.2(a)"
        ],
        "emea-isr-cmo-1-0": [
          "17.5",
          "17.6"
        ],
        "emea-qat-pdppl-2020": [
          "11.4",
          "11.5",
          "11.6"
        ],
        "apac-jpn-ismap": [
          "4.4.3.1",
          "4.4.5.2",
          "4.5.1.1",
          "6.1.5.5",
          "13.1.2",
          "14.1.1.2"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP27"
        ],
        "apac-nzl-ism-3-9": [
          "12.1.32.C.01",
          "12.1.32.C.02",
          "12.1.32.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.5.1",
          "5.5.2"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2.1",
          "2.1",
          "2.3",
          "2.4.1",
          "2.4.3",
          "2.8"
        ]
      }
    },
    {
      "control_id": "PRM-07",
      "title": "Secure Development Life Cycle (SDLC) Management",
      "family": "PRM",
      "description": "Mechanisms exist to ensure changes to Technology Assets, Applications and/or Services (TAAS) within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures.",
      "scf_question": "Does the organization ensure changes to Technology Assets, Applications and/or Services (TAAS) within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.\n▪ The PM function enables project involvement for Information Assurance Program (IAP) as part of the organization's established project management processes to ensure both cybersecurity and data protection principles are identified and implemented.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ An implemented and operational capability exists to ensure changes to Technology Assets, Applications and/or Services (TAAS) within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures.",
        "4": "Project & Resource Management (PRM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "medium": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "large": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.2",
          "CC8.1",
          "CC8.1-POF1"
        ],
        "general-cis-csc-8-1": [
          "15.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.7"
        ],
        "general-cobit-2019": [
          "BAI01.01",
          "BAI01.02",
          "BAI01.03",
          "BAI02.04",
          "BAI03.09",
          "BAI03.11",
          "BAI04.03",
          "BAI05.01",
          "BAI05.07",
          "BAI09.03"
        ],
        "general-coso-2013": [
          "11"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-04"
        ],
        "general-csa-iot-2": [
          "LGL-02",
          "LGL-03",
          "LGL-04",
          "LGL-05",
          "LGL-06",
          "LGL-07",
          "POL-04"
        ],
        "general-govramp": [
          "SA-03"
        ],
        "general-govramp-low": [
          "SA-03"
        ],
        "general-govramp-low-plus": [
          "SA-03"
        ],
        "general-govramp-mod": [
          "SA-03"
        ],
        "general-govramp-high": [
          "SA-03"
        ],
        "general-iso-27002-2022": [
          "5.8",
          "8.25",
          "8.32"
        ],
        "general-iso-27017-2015": [
          "6.1.5",
          "12.1.2",
          "14.2.2"
        ],
        "general-iso-27018-2025": [
          "5.8",
          "8.25",
          "8.32"
        ],
        "general-iso-31000-2018": [
          "5.3",
          "5.4.2",
          "5.4.5",
          "6.2"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "A.3.3",
          "A.4.2",
          "A.6.2.2",
          "A.6.2.7",
          "A.6.2.8"
        ],
        "general-mitre-att&ck-16-1": [
          "T1078",
          "T1078.001",
          "T1078.003",
          "T1078.004",
          "T1213.003",
          "T1574.002"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.7",
          "MANAGE 2.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.PO-P1",
          "CT.PO-P4",
          "CM.AW-P3"
        ],
        "general-nist-800-37-r2": [
          "TASK P-13",
          "TASK M-7"
        ],
        "general-nist-800-53-r4": [
          "SA-3"
        ],
        "general-nist-800-53-r5-2": [
          "SA-03",
          "SA-03(01)",
          "SA-08(30)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-03",
          "SA-03(01)",
          "SA-08(30)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-03"
        ],
        "general-nist-800-82-r3": [
          "SA-03",
          "SA-03(01)",
          "SA-08(30)"
        ],
        "general-nist-800-82-r3-low": [
          "SA-03"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-03"
        ],
        "general-nist-800-82-r3-high": [
          "SA-03"
        ],
        "general-nist-800-161-r1": [
          "SA-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-3"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-3"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-3"
        ],
        "general-nist-800-218": [
          "PO.1"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-09",
          "ID.AM-08",
          "PR.PS-02",
          "PR.PS-03"
        ],
        "general-owasp-top-10-2025": [
          "A06:2025"
        ],
        "general-scf-dpmp-2025": [
          "5.12"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "general-un-155-2021": [
          "7.2.2.1(a)",
          "7.2.2.1(b)",
          "7.2.2.1(c)",
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.1(a)",
          "7.2.2.1(b)",
          "7.2.2.1(c)",
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.RLMAN"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-3"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.935(e)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-03",
          "SA-03(01)",
          "SA-08(30)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-03",
          "SA-03(01)",
          "SA-08(30)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-03",
          "SA-03(01)",
          "SA-08(30)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-03",
          "SA-03(01)",
          "SA-08(30)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-3",
          "SA-3.a",
          "SA-3.b",
          "SA-3.c",
          "SA-3.d"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(d)",
          "§117.18(d)(1)",
          "§117.18(d)(2)",
          "§117.18(d)(3)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-03"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(13)(f)",
          "3.5(55)",
          "3.6.1(63)(a)",
          "3.6.1(63)(b)",
          "3.6.1(63)(c)",
          "3.6.1(63)(d)",
          "3.6.1(63)(e)",
          "3.6.1(63)(f)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-deu-bsrit-2017": [
          "7.1",
          "7.2",
          "7.3"
        ],
        "emea-isr-cmo-1-0": [
          "17.4",
          "17.5",
          "17.8"
        ],
        "emea-qat-pdppl-2020": [
          "11.4",
          "11.5",
          "11.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-13-4"
        ],
        "emea-sau-cgiot-2024": [
          "1-5-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-74"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 8 (end)",
          "Article 36"
        ],
        "emea-esp-decree-311-2022": [
          "36",
          "8 (end)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1526",
          "ISM-1739"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21(c)"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S2"
        ],
        "apac-jpn-ismap": [
          "6.1.5.4",
          "14.1"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.1.2",
          "5.1.3",
          "5.1.4",
          "5.4.1",
          "5.4.2",
          "5.4.3",
          "5.4.4"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4",
          "2.4.1",
          "2.4.3"
        ]
      }
    },
    {
      "control_id": "PRM-08",
      "title": "Manage Organizational Knowledge",
      "family": "PRM",
      "description": "Mechanisms exist to manage the organizational knowledge of the security, compliance and resilience staff.",
      "scf_question": "Does the organization manage the organizational knowledge of the security, compliance and resilience staff?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Project & Resource Management (PRM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with PRM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Project management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.",
        "2": "Project & Resource Management (PRM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Project & Resource Management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Project & Resource Management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.\n▪ A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.",
        "3": "Project & Resource Management (PRM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with PRM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with PRM domain capabilities are well-documented and kept current by process owners.\n▪ A Project Management Office (PMO), or similar function, is appropriately staffed and supported to implement and maintain PRM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of project and resource management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with PRM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to manage the organizational knowledge of the security, compliance and resilience staff.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Include security tasks in project plans",
        "small": "∙ Security requirements in project planning\n∙ Project security checklist",
        "medium": "∙ Security integrated into project management methodology\n∙ Security gates",
        "large": "∙ Enterprise project management with security integration (e.g., Jira, MS Project)",
        "enterprise": "∙ Enterprise PPM platform with security integration\n∙ Dedicated security architects\n∙ Security portfolio risk management"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Project & Resource Management",
      "crosswalks": {
        "general-cobit-2019": [
          "APO01.08"
        ],
        "general-scf-dpmp-2025": [
          "5.12"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.D"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.2.4(c)"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.19.C.01"
        ]
      }
    },
    {
      "control_id": "RSK-01",
      "title": "Risk Management Program",
      "family": "RSK",
      "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
      "scf_question": "Does the organization facilitate the implementation of strategic, operational and tactical risk management controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)",
        "small": "∙ Risk Management Program (RMP)",
        "medium": "∙ Risk Management Program (RMP)",
        "large": "∙ Risk Management Program (RMP)",
        "enterprise": "∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2-POF1",
          "CC3.1",
          "CC3.2-POF1",
          "CC3.2-POF3",
          "CC3.2-POF5",
          "CC3.4-POF1",
          "CC3.4-POF2",
          "CC3.4-POF3",
          "CC3.4-POF4",
          "CC3.4-POF5",
          "CC4.1",
          "CC5.1",
          "CC9.1"
        ],
        "general-cis-csc-8-1": [
          "16.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.6"
        ],
        "general-cobit-2019": [
          "EDM03.01",
          "EDM03.02",
          "EDM03.03",
          "APO12.01",
          "APO12.02",
          "APO12.03",
          "APO12.04",
          "APO12.05",
          "APO12.06"
        ],
        "general-coso-2013": [
          "7",
          "8",
          "16"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-07",
          "GRC-02"
        ],
        "general-csa-iot-2": [
          "RSM-01",
          "RSM-02"
        ],
        "general-govramp": [
          "RA-01"
        ],
        "general-govramp-low": [
          "RA-01"
        ],
        "general-govramp-low-plus": [
          "RA-01"
        ],
        "general-govramp-mod": [
          "RA-01"
        ],
        "general-govramp-high": [
          "RA-01"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.1"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5",
          "3.5.1"
        ],
        "general-iso-27001-2022": [
          "6.1.1",
          "6.1.1(a)",
          "6.1.1(b)",
          "6.1.1(c)",
          "6.1.1(d)",
          "6.1.1(e)(1)",
          "6.1.1(e)(2)",
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(a)(1)",
          "6.1.2(a)(2)",
          "6.1.2(b)",
          "6.1.2(c)",
          "6.1.2(c)(1)",
          "6.1.2(c)(2)",
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)",
          "8.2"
        ],
        "general-iso-27002-2022": [
          "7.5"
        ],
        "general-iso-27017-2015": [
          "11.1.4"
        ],
        "general-iso-27018-2025": [
          "7.5"
        ],
        "general-iso-27701-2025": [
          "6.1.2"
        ],
        "general-iso-31000-2018": [
          "5.1",
          "5.3",
          "5.4.2",
          "5.4.5",
          "5.5",
          "5.7.1",
          "5.7.2",
          "6.1",
          "6.2",
          "6.3.1",
          "6.3.2",
          "6.3.3",
          "6.6",
          "6.7"
        ],
        "general-iso-31010-2009": [
          "4.1",
          "4.2",
          "4.3.1",
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "6.1.1",
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(b)",
          "6.1.2(c)",
          "6.1.2(d)",
          "6.1.2(e)",
          "6.1.3",
          "6.1.3(a)",
          "6.1.3(b)",
          "6.1.3(c)",
          "6.1.3(d)",
          "6.1.3(e)",
          "6.1.3(f)",
          "6.1.3(g)",
          "8.2",
          "A.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(5)",
          "4.D(1)",
          "4.D(3)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "GOVERN 1.4",
          "GOVERN 1.5",
          "MANAGE 1.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.4"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.RA-P",
          "ID.DE-P",
          "ID.DE-P1",
          "GV.PO-P6",
          "GV.RM-P",
          "GV.RM-P1"
        ],
        "general-nist-800-37-r2": [
          "TASK P-2"
        ],
        "general-nist-800-39": [
          "TASK 4-1",
          "TASK 4-2"
        ],
        "general-nist-800-53-r4": [
          "PM-9",
          "RA-1"
        ],
        "general-nist-800-53-r5-2": [
          "PM-09",
          "PM-29",
          "RA-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-09",
          "PM-29",
          "RA-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "RA-01"
        ],
        "general-nist-800-82-r3": [
          "PM-09",
          "PM-29",
          "RA-01"
        ],
        "general-nist-800-82-r3-low": [
          "PM-09",
          "PM-29",
          "RA-01"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-09",
          "PM-29",
          "RA-01"
        ],
        "general-nist-800-82-r3-high": [
          "PM-09",
          "PM-29",
          "RA-01"
        ],
        "general-nist-800-161-r1": [
          "PM-9",
          "PM-29",
          "RA-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "RA-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-9",
          "PM-29",
          "RA-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-1"
        ],
        "general-nist-800-171-r2": [
          "NFO - RA-1"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a",
          "03.17.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.17.03.b"
        ],
        "general-nist-csf-2-0": [
          "GV",
          "GV.RM",
          "GV.RM-01",
          "GV.RM-03",
          "GV.RM-04",
          "GV.RM-06",
          "GV.RR-01",
          "GV.OV-02",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-01",
          "GV.SC-03",
          "GV.SC-05",
          "GV.SC-09",
          "ID",
          "ID.RA",
          "ID.IM",
          "PR",
          "PR.IR"
        ],
        "general-pci-dss-4-0-1": [
          "12.3"
        ],
        "general-scf-dpmp-2025": [
          "9.0"
        ],
        "general-tisax-6-0-3": [
          "1.4.1"
        ],
        "general-un-155-2021": [
          "7.2.2.2(b)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(b)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "RISK:SG1",
          "RISK:SG1.SP1",
          "RISK:SG1.SP2",
          "RISK:SG4.SP3",
          "RISK:SG6",
          "RISK:SG6.SP1",
          "RISK:SG6.SP2",
          "RISK:GG1.GP1",
          "RISK:GG2",
          "RISK:GG2.GP2",
          "TM:SG3",
          "TM:SG3.SP1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-1b",
          "RISK-1c",
          "RISK-1d",
          "RISK-1g",
          "RISK-1h"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.3"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "8.6"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-29",
          "RA-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-29",
          "RA-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-29",
          "RA-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-29",
          "RA-01"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(b)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(3)",
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(3)",
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-9",
          "PM-29",
          "RA-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "RA-1",
          "RA-1.a",
          "RA-1.b",
          "PM-9",
          "PM-9.a",
          "PM-9.b",
          "PM-9.c"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-013-2 1.1"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.106(b)(1)",
          "17 CFR 229.106(b)(1)(i)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(1)",
          "500.3(m)",
          "500.9(a)",
          "500.9(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(A)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-09",
          "RA-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "RA-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "RA-01"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(2)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 8.1",
          "Article 9.1",
          "Article 9.2",
          "Article 9.4",
          "Article 9.5",
          "Article 9.9",
          "Article 17.1(g)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.3(7)",
          "3.3.1(10)",
          "3.3.1(13)(a)",
          "3.3.1(13)(b)",
          "3.3.1(13)(c)",
          "3.3.1(13)(d)",
          "3.3.1(13)(e)",
          "3.3.1(13)(f)",
          "3.3.1(14)"
        ],
        "emea-eu-dora-2023": [
          "Article 6.1",
          "Article 6.2",
          "Article 6.3",
          "Article 6.4",
          "Article 6.5",
          "Article 6.6",
          "Article 6.7",
          "Article 6.8",
          "Article 6.8(a)",
          "Article 6.8(b)",
          "Article 6.8(c)",
          "Article 6.8(d)",
          "Article 6.8(e)",
          "Article 6.8(f)",
          "Article 6.8(g)",
          "Article 6.8(h)",
          "Article 6.9",
          "Article 6.10",
          "Article 11.6"
        ],
        "emea-eu-gdpr-2016": [
          "Article 32.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2(a)",
          "Article 21.2(d)",
          "Article 21.2(f)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.1",
          "2.1.2",
          "2.1.2(a)",
          "2.1.2(c)",
          "2.1.2(d)",
          "6.1.1",
          "6.1.3",
          "6.10.2(d)",
          "7.1",
          "7.3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "3.1",
          "3.2",
          "3.3",
          "3.4",
          "3.5",
          "3.6",
          "3.7",
          "3.8",
          "3.9",
          "3.10",
          "3.11",
          "12.3"
        ],
        "emea-deu-c5-2020": [
          "OIS-06"
        ],
        "emea-isr-cmo-1-0": [
          "1.2",
          "2.1",
          "2.2"
        ],
        "emea-sau-cscc-1-2019": [
          "1-2"
        ],
        "emea-sau-cgiot-2024": [
          "1-4-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-1",
          "1-5-2",
          "1-5-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-3",
          "1-3-1",
          "1-3-1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-31"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.1"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 7.1",
          "Article 7.2"
        ],
        "emea-esp-decree-311-2022": [
          "7.1",
          "7.2"
        ],
        "emea-gbr-caf-4-0": [
          "A2",
          "A2.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "A2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1200",
          "1201",
          "1204"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1200"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1200",
          "1201"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1200",
          "1201",
          "1204"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0726"
        ],
        "apac-aus-ps-cps-230-2023": [
          "12(a)",
          "12(c)",
          "13",
          "16(a)",
          "16(b)",
          "16(c)",
          "16(d)",
          "16(e)",
          "16(f)",
          "17",
          "18",
          "19(a)",
          "19(b)",
          "19(c)",
          "19(d)",
          "19(e)"
        ],
        "apac-ind-sebi-2024": [
          "GV.RM.S1"
        ],
        "apac-jpn-ismap": [
          "4.4.6.1",
          "4.5.5.2",
          "4.8.1.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP30",
          "HML30"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP26"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.9.C.01",
          "5.3.6.C.01",
          "5.3.7.C.01",
          "5.3.8.C.01",
          "5.3.9.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.1.1",
          "4.1.2",
          "4.1.5"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.3",
          "5.8"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.3",
          "6.4",
          "6.8",
          "6.16",
          "6.24"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3",
          "1.3.1",
          "1.3.2",
          "3.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "RSK-01.1",
      "title": "Risk Framing",
      "family": "RSK",
      "description": "Mechanisms exist to identify:\n(1) Assumptions affecting risk assessments, risk response and risk monitoring;\n(2) Constraints affecting risk assessments, risk response and risk monitoring;\n(3) The organizational risk tolerance; and\n(4) Priorities, benefits and trade-offs considered by the organization for managing risk.",
      "scf_question": "Does the organization identify:\n (1) Assumptions affecting risk assessments, risk response and risk monitoring;\n (2) Constraints affecting risk assessments, risk response and risk monitoring;\n (3) The organizational risk tolerance; and\n (4) Priorities, benefits and trade-offs considered by the organization for managing risk?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-01",
        "E-RSK-06",
        "E-RSK-07",
        "E-RSK-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify:\n(1) Assumptions affecting risk assessments, risk response and risk monitoring;\n(2) Constraints affecting risk assessments, risk response and risk monitoring;\n(3) The organizational risk tolerance; and\n(4) Priorities, benefits and trade-offs considered by the organization for managing risk.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)",
        "small": "∙ Risk Management Program (RMP)",
        "medium": "∙ Risk Management Program (RMP)",
        "large": "∙ Risk Management Program (RMP)",
        "enterprise": "∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2-POF11",
          "CC3.1-POF1",
          "CC3.1-POF3",
          "CC3.1-POF6",
          "CC3.1-POF16",
          "CC3.2",
          "CC3.2-POF2",
          "CC3.2-POF8",
          "CC7.3-POF6"
        ],
        "general-cis-csc-8-1": [
          "16.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.6"
        ],
        "general-cobit-2019": [
          "APO12.01",
          "APO12.04"
        ],
        "general-coso-2013": [
          "7"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-06",
          "CEK-07"
        ],
        "general-csa-iot-2": [
          "RSM-01",
          "RSM-02"
        ],
        "general-iso-27001-2022": [
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(a)(1)",
          "6.1.2(a)(2)",
          "6.1.2(b)",
          "6.1.2(c)",
          "6.1.2(c)(1)",
          "6.1.2(c)(2)",
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)"
        ],
        "general-iso-27002-2022": [
          "5.8"
        ],
        "general-iso-27017-2015": [
          "6.1.5"
        ],
        "general-iso-27018-2025": [
          "5.8"
        ],
        "general-iso-27701-2025": [
          "6.1.2(a)"
        ],
        "general-iso-31000-2018": [
          "5.3",
          "5.4.2",
          "6.4.2"
        ],
        "general-iso-31010-2009": [
          "4.3.3",
          "4.3.3(a)",
          "4.3.3(b)",
          "4.3.3(c)",
          "6.4",
          "6.5"
        ],
        "general-iso-42001-2023": [
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)",
          "6.1.4",
          "8.4"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "GOVERN 1.4"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-2.1-001"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.RM-P3"
        ],
        "general-nist-800-39": [
          "3.1",
          "TASK 1-1",
          "TASK 1-2",
          "TASK 1-4"
        ],
        "general-nist-800-53-r5-2": [
          "PM-28"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-28"
        ],
        "general-nist-800-82-r3": [
          "PM-28"
        ],
        "general-nist-800-82-r3-low": [
          "PM-28"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-28"
        ],
        "general-nist-800-82-r3-high": [
          "PM-28"
        ],
        "general-nist-800-161-r1": [
          "PM-28"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-28"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.01.a"
        ],
        "general-nist-csf-2-0": [
          "GV.OC-01",
          "GV.RM",
          "GV.RM-04",
          "GV.RM-06",
          "GV.RM-07",
          "ID",
          "ID.RA-05",
          "ID.RA-06"
        ],
        "general-pci-dss-4-0-1": [
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.3.1"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "general-tisax-6-0-3": [
          "1.4.1"
        ],
        "general-un-155-2021": [
          "7.2.2.2(b)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(b)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2m",
          "RISK-3b",
          "SITUATION-2h"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.106(b)(1)",
          "17 CFR 229.106(b)(1)(i)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(1)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(10)",
          "3.6.1(66)",
          "3.7.2(82)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.2"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.2(c)"
        ],
        "emea-isr-cmo-1-0": [
          "2.2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-3-1-4",
          "1-3-1-5"
        ],
        "apac-jpn-ismap": [
          "4.4.6.1",
          "4.4.7.2",
          "4.4.7.3"
        ],
        "apac-nzl-ism-3-9": [
          "23.2.16.C.01",
          "23.2.17.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.2.1",
          "4.3.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.15",
          "6.24"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3",
          "3.1.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A"
        ]
      }
    },
    {
      "control_id": "RSK-01.2",
      "title": "Risk Management Resourcing",
      "family": "RSK",
      "description": "Mechanisms exist to reduce the magnitude or likelihood of potential impacts by resourcing the capability required to manage technology-related risks.",
      "scf_question": "Does the organization reduce the magnitude or likelihood of potential impacts by resourcing the capability required to manage technology-related risks?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to reduce the magnitude or likelihood of potential impacts by resourcing the capability required to manage technology-related risks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)",
        "small": "∙ Risk Management Program (RMP)",
        "medium": "∙ Risk Management Program (RMP)",
        "large": "∙ Risk Management Program (RMP)",
        "enterprise": "∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-iso-31000-2018": [
          "5.3",
          "5.4.2",
          "5.4.4"
        ],
        "general-iso-31010-2009": [
          "6.3"
        ],
        "general-iso-42001-2023": [
          "5.1"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "GOVERN 1.4",
          "MANAGE 2.1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.2(e)"
        ]
      }
    },
    {
      "control_id": "RSK-01.3",
      "title": "Risk Tolerance",
      "family": "RSK",
      "description": "Mechanisms exist to define organizational risk tolerance, the specified range of acceptable results.",
      "scf_question": "Does the organization define organizational risk tolerance, the specified range of acceptable results?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define organizational risk tolerance, the specified range of acceptable results.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Defined risk tolerance",
        "small": "∙ Risk Management Program (RMP)\n∙ Defined risk tolerance",
        "medium": "∙ Risk Management Program (RMP)\n∙ Defined risk tolerance",
        "large": "∙ Risk Management Program (RMP)\n∙ Defined risk tolerance",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Defined risk tolerance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1-POF1",
          "CC3.1-POF2",
          "CC3.1-POF15",
          "CC3.2",
          "CC3.2-POF8"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.1"
        ],
        "general-iso-27701-2025": [
          "6.1.2(a)(1)"
        ],
        "general-iso-31000-2018": [
          "5.4.2",
          "6.3.4"
        ],
        "general-iso-31010-2009": [
          "4.3.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "MAP 1.5",
          "MAP 3.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.RM-P2"
        ],
        "general-nist-800-39": [
          "TASK 1-3"
        ],
        "general-nist-csf-2-0": [
          "GV.RM",
          "GV.RM-02",
          "GV.RR-01"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "general-ul-2900-1-2017": [
          "12.1(f)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)",
          "17 CFR 229.106(b)(1)(i)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(1)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(10)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.2(b)"
        ],
        "apac-aus-ps-cps-230-2023": [
          "26"
        ],
        "apac-ind-sebi-2024": [
          "GV.RM.S4"
        ],
        "apac-jpn-ismap": [
          "4.4.7.1"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.8"
        ]
      }
    },
    {
      "control_id": "RSK-01.4",
      "title": "Risk Threshold",
      "family": "RSK",
      "description": "Mechanisms exist to define organizational risk threshold, the level of risk exposure above which risks are addressed and below which risks may be accepted.",
      "scf_question": "Does the organization define organizational risk threshold, the level of risk exposure above which risks are addressed and below which risks may be accepted?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define organizational risk threshold, the level of risk exposure above which risks are addressed and below which risks may be accepted.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Defined risk threshold",
        "small": "∙ Risk Management Program (RMP)\n∙ Defined risk threshold",
        "medium": "∙ Risk Management Program (RMP)\n∙ Defined risk threshold",
        "large": "∙ Risk Management Program (RMP)\n∙ Defined risk threshold",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Defined risk threshold"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1-POF1",
          "CC3.1-POF2",
          "CC3.1-POF15",
          "CC3.2-POF8"
        ],
        "general-iso-27701-2025": [
          "6.1.2(a)(1)"
        ],
        "general-iso-31000-2018": [
          "5.4.2",
          "6.3.4"
        ],
        "general-iso-31010-2009": [
          "4.3.3"
        ],
        "general-nist-800-39": [
          "TASK 1-4"
        ],
        "general-nist-csf-2-0": [
          "GV.RR-01"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)",
          "17 CFR 229.106(b)(1)(i)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(1)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(10)"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.2.2(b)"
        ],
        "apac-aus-ps-cps-230-2023": [
          "26"
        ],
        "apac-jpn-ismap": [
          "4.4.7.1"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.8"
        ]
      }
    },
    {
      "control_id": "RSK-01.5",
      "title": "Risk Appetite",
      "family": "RSK",
      "description": "Mechanisms exist to define organizational risk appetite, the degree of uncertainty the organization is willing to accept in anticipation of a reward.",
      "scf_question": "Does the organization define organizational risk appetite, the degree of uncertainty the organization is willing to accept in anticipation of a reward?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define organizational risk appetite, the degree of uncertainty the organization is willing to accept in anticipation of a reward.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Defined risk appetite",
        "small": "∙ Risk Management Program (RMP)\n∙ Defined risk appetite",
        "medium": "∙ Risk Management Program (RMP)\n∙ Defined risk appetite",
        "large": "∙ Risk Management Program (RMP)\n∙ Defined risk appetite",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Defined risk appetite"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1-POF1",
          "CC3.1-POF2",
          "CC3.1-POF15",
          "CC3.2-POF8"
        ],
        "general-iso-27701-2025": [
          "6.1.2(a)(1)"
        ],
        "general-iso-31000-2018": [
          "5.4.2",
          "6.3.4"
        ],
        "general-iso-31010-2009": [
          "4.3.3"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.RM-P3"
        ],
        "general-nist-800-39": [
          "TASK 1-4"
        ],
        "general-nist-csf-2-0": [
          "GV.RM",
          "GV.RM-02",
          "GV.RR-01"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "RISK:SG2",
          "RISK:SG2.SP1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)",
          "17 CFR 229.106(b)(1)(i)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(1)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(10)",
          "3.3.1(13)(a)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.2(b)"
        ],
        "emea-sau-cgiot-2024": [
          "1-4-5"
        ],
        "apac-aus-ps-cps-230-2023": [
          "26"
        ],
        "apac-ind-sebi-2024": [
          "GV.RM.S4"
        ],
        "apac-jpn-ismap": [
          "4.4.7.1"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3",
          "3.1.8"
        ]
      }
    },
    {
      "control_id": "RSK-02",
      "title": "Risk-Based Security Categorization",
      "family": "RSK",
      "description": "Mechanisms exist to categorize Technology Assets, Applications, Services and/or Data (TAASD) in accordance with applicable laws, regulations and contractual obligations that:\n(1) Document the security categorization results (including supporting rationale) in the security plan for systems; and\n(2) Ensure the security categorization decision is reviewed and approved by the asset owner.",
      "scf_question": "Does the organization categorize Technology Assets, Applications, Services and/or Data (TAASD) in accordance with applicable laws, regulations and contractual obligations that:\n (1) Document the security categorization results (including supporting rationale) in the security plan for systems; and\n (2) Ensure the security categorization decision is reviewed and approved by the asset owner?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-01",
        "E-RSK-04",
        "E-BCM-08",
        "E-TPM-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to categorize TAASD in accordance with applicable laws, regulations and contractual obligations that:\n(1) Document the security categorization results (including supporting rationale) in the security plan for systems; and\n(2) Ensure the security categorization decision is reviewed and approved by the asset owner.",
        "4": "In addition to Risk Management (RSK) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)",
        "small": "∙ Risk Management Program (RMP)",
        "medium": "∙ Risk Management Program (RMP)",
        "large": "∙ Risk Management Program (RMP)",
        "enterprise": "∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2"
        ],
        "general-cis-csc-8-1": [
          "16.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.6"
        ],
        "general-coso-2013": [
          "7"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-02"
        ],
        "general-csa-iot-2": [
          "RSM-01",
          "RSM-02"
        ],
        "general-govramp": [
          "RA-02"
        ],
        "general-govramp-low": [
          "RA-02"
        ],
        "general-govramp-low-plus": [
          "RA-02"
        ],
        "general-govramp-mod": [
          "RA-02"
        ],
        "general-govramp-high": [
          "RA-02"
        ],
        "general-iso-27001-2022": [
          "6.1.2(d)(3)"
        ],
        "general-iso-27701-2025": [
          "6.1.2(e)(2)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-nist-800-53-r4": [
          "RA-2"
        ],
        "general-nist-800-53-r5-2": [
          "RA-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "RA-02"
        ],
        "general-nist-800-82-r3": [
          "RA-02"
        ],
        "general-nist-800-82-r3-low": [
          "RA-02"
        ],
        "general-nist-800-82-r3-mod": [
          "RA-02"
        ],
        "general-nist-800-82-r3-high": [
          "RA-02"
        ],
        "general-nist-800-161-r1": [
          "RA-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "RA-2"
        ],
        "general-nist-800-161-r1-level-1": [
          "RA-2"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-2"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-2"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a"
        ],
        "general-nist-csf-2-0": [
          "ID.AM"
        ],
        "general-pci-dss-4-0-1": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.4.2"
        ],
        "general-un-155-2021": [
          "7.2.2.2(c)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(c)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG2.SP1",
          "RISK:SG4.SP2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2d",
          "RISK-2i",
          "RISK-3a"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "RA-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "RA-02"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-cms-marse-2-0": [
          "RA-2",
          "RA-2.a",
          "RA-2.b",
          "RA-2.e"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.105(b)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(3)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "RA-02"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "RA-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "RA-02"
        ],
        "emea-isr-cmo-1-0": [
          "2.2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-3-1-4",
          "1-3-1-5"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.2.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.24"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A"
        ]
      }
    },
    {
      "control_id": "RSK-02.1",
      "title": "Impact-Level Prioritization",
      "family": "RSK",
      "description": "Mechanisms exist to prioritize the impact level for Technology Assets, Applications and/or Services (TAAS) to prevent potential disruptions.",
      "scf_question": "Does the organization prioritize the impact level for Technology Assets, Applications and/or Services (TAAS) to prevent potential disruptions?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-08",
        "E-RSK-04",
        "E-TPM-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prioritize the impact level for Technology Assets, Applications and/or Services (TAAS) to prevent potential disruptions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)",
        "small": "∙ Risk Management Program (RMP)",
        "medium": "∙ Risk Management Program (RMP)",
        "large": "∙ Risk Management Program (RMP)",
        "enterprise": "∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF4"
        ],
        "general-cis-csc-8-1": [
          "16.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.6"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-06",
          "BCR-02",
          "CEK-07"
        ],
        "general-csa-iot-2": [
          "RSM-01",
          "RSM-02"
        ],
        "general-iso-27701-2025": [
          "6.1.2(e)(2)"
        ],
        "general-iso-42001-2023": [
          "6.1.2(e)(2)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 5.1",
          "MANAGE 1.2"
        ],
        "general-nist-800-53-r5-2": [
          "RA-02(01)"
        ],
        "general-nist-800-82-r3": [
          "RA-02(01)"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a",
          "03.14.03.b"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-05",
          "ID.RA-06"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "RISK:SG4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-002-5.1a 1.1",
          "CIP-002-5.1a 1.2",
          "CIP-002-5.1a 1.3"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(3)"
        ],
        "emea-sau-otcc-1-2022": [
          "1-3-1-4",
          "1-3-1-5"
        ],
        "apac-nzl-ism-3-9": [
          "23.2.16.C.01",
          "23.2.17.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.2.1",
          "4.3.1",
          "4.3.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.24"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A",
          "03.14.03.B"
        ]
      }
    },
    {
      "control_id": "RSK-03",
      "title": "Risk Identification",
      "family": "RSK",
      "description": "Mechanisms exist to identify and document risks, both internal and external.",
      "scf_question": "Does the organization identify and document risks, both internal and external?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and document risks, both internal and external.",
        "4": "In addition to Risk Management (RSK) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)",
        "small": "∙ Risk Management Program (RMP)",
        "medium": "∙ Risk Management Program (RMP)",
        "large": "∙ Risk Management Program (RMP)",
        "enterprise": "∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2",
          "A1.2-POF1",
          "CC3.2",
          "CC3.2-POF1",
          "CC3.2-POF2",
          "CC3.2-POF6",
          "CC3.4-POF1",
          "CC3.4-POF2",
          "CC3.4-POF3",
          "CC3.4-POF4",
          "CC3.4-POF5",
          "CC7.2",
          "CC9.1"
        ],
        "general-cobit-2019": [
          "APO12.01"
        ],
        "general-coso-2013": [
          "7",
          "8"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-07"
        ],
        "general-csa-iot-2": [
          "RSM-01"
        ],
        "general-iso-22301-2019": [
          "8.2.3(a)"
        ],
        "general-iso-27001-2022": [
          "6.1.2(c)",
          "6.1.2(c)(1)",
          "6.1.2(c)(2)"
        ],
        "general-iso-27002-2022": [
          "5.8"
        ],
        "general-iso-27017-2015": [
          "6.1.5"
        ],
        "general-iso-27018-2025": [
          "5.8"
        ],
        "general-iso-27701-2025": [
          "6.1.2(c)"
        ],
        "general-iso-31000-2018": [
          "5.6",
          "6.4.2"
        ],
        "general-iso-31010-2009": [
          "5.2"
        ],
        "general-iso-42001-2023": [
          "6.1.2(c)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 1.0",
          "MANAGE 2.3"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-4.2-002"
        ],
        "general-nist-800-37-r2": [
          "TASK P-3",
          "TASK P-14"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.01.a"
        ],
        "general-nist-csf-2-0": [
          "ID"
        ],
        "general-pci-dss-4-0-1": [
          "12.3",
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.3.1"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "general-tisax-6-0-3": [
          "1.4.1"
        ],
        "general-un-155-2021": [
          "7.2.2.2(b)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(b)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EC:SG3",
          "KIM:SG3",
          "KIM:SG3.SP1",
          "RISK:SG3",
          "RISK:SG3.SP1",
          "RISK:SG3.SP2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2a",
          "RISK-2b",
          "RISK-2c",
          "RISK-2g",
          "RISK-2m"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)",
          "609.930(c)(1)(i)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(2)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(1)",
          "500.9(b)(1)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.2(c)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(10)",
          "3.3.1(13)(b)",
          "3.7.2(82)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.2"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.2",
          "2.1.2(d)"
        ],
        "emea-deu-c5-2020": [
          "SP-03"
        ],
        "emea-isr-cmo-1-0": [
          "1.2",
          "2.2"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-2",
          "1-4-1",
          "1-4-5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-31"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.1.1"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 3.2"
        ],
        "emea-esp-decree-311-2022": [
          "3.2"
        ],
        "emea-gbr-cap-1850-2020": [
          "A2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1200"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1200"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1200"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1200"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1526"
        ],
        "apac-jpn-ismap": [
          "4.4.6.1",
          "4.4.7.2"
        ],
        "apac-nzl-ism-3-9": [
          "2.4.13.C.01",
          "2.4.13.C.02",
          "2.4.13.C.03",
          "2.4.13.C.04",
          "2.4.13.C.05",
          "2.4.13.C.06",
          "2.4.13.C.07"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.1.3",
          "4.1.4(a)"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.24"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3",
          "3.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A"
        ]
      }
    },
    {
      "control_id": "RSK-03.1",
      "title": "Risk Catalog",
      "family": "RSK",
      "description": "Mechanisms exist to develop and keep current a catalog of applicable risks associated with the organization's business operations and technologies in use.",
      "scf_question": "Does the organization develop and keep current a catalog of applicable risks associated with its business operations and technologies in use?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop and keep current a catalog of applicable risks associated with the organization's business operations and technologies in use.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Documented risk catalog",
        "small": "∙ Risk Management Program (RMP)\n∙ Documented risk catalog",
        "medium": "∙ Risk Management Program (RMP)\n∙ Documented risk catalog",
        "large": "∙ Risk Management Program (RMP)\n∙ Documented risk catalog",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Documented risk catalog"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF6",
          "CC9.1"
        ],
        "general-cobit-2019": [
          "APO12.01",
          "APO12.04"
        ],
        "general-iso-22301-2019": [
          "6.1.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2"
        ],
        "general-nist-800-39": [
          "TASK 2-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.02.a.03"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.01.a"
        ],
        "general-nist-800-172": [
          "3.11.5e"
        ],
        "general-nist-csf-2-0": [
          "ID"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "general-tisax-6-0-3": [
          "1.4.1"
        ],
        "general-un-155-2021": [
          "7.2.2.2(b)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(b)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2e",
          "RISK-2j"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.5E"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.105(b)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(1)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.2(d)"
        ],
        "emea-deu-bsrit-2017": [
          "3.3"
        ],
        "emea-sau-cgiot-2024": [
          "1-4-2",
          "1-4-4"
        ],
        "apac-jpn-ismap": [
          "4.4.7.2"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.02.A.03"
        ]
      }
    },
    {
      "control_id": "RSK-04",
      "title": "Risk Assessment",
      "family": "RSK",
      "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
      "scf_question": "Does the organization conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of its Technology Assets, Applications, Services and/or Data (TAASD)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's TAASD.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Risk assessment\n∙ Business Impact Analysis (BIA)\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Risk Management Program (RMP)\n∙ Risk assessment\n∙ Business Impact Analysis (BIA)\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Risk assessment\n∙ Business Impact Analysis (BIA)\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Risk Management Program (RMP)\n∙ Risk assessment\n∙ Business Impact Analysis (BIA)\n∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Risk assessment\n∙ Business Impact Analysis (BIA)\n∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2",
          "CC3.1-POF16",
          "CC3.2-POF1",
          "CC3.2-POF2",
          "CC3.2-POF3",
          "CC3.2-POF6",
          "CC3.2-POF8",
          "CC3.2-POF9",
          "CC3.4-POF1",
          "CC3.4-POF2",
          "CC3.4-POF3",
          "CC3.4-POF4",
          "CC3.4-POF5",
          "CC7.3"
        ],
        "general-cobit-2019": [
          "APO12.02"
        ],
        "general-coso-2013": [
          "7"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-07"
        ],
        "general-csa-iot-2": [
          "RSM-01"
        ],
        "general-govramp": [
          "RA-03"
        ],
        "general-govramp-low": [
          "RA-03"
        ],
        "general-govramp-low-plus": [
          "RA-03"
        ],
        "general-govramp-mod": [
          "RA-03"
        ],
        "general-govramp-high": [
          "RA-03"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.6.2"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.2",
          "3.5.2.3"
        ],
        "general-iso-22301-2019": [
          "8.2.3",
          "8.2.3(b)"
        ],
        "general-iso-27001-2022": [
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)",
          "8.2"
        ],
        "general-iso-27002-2022": [
          "5.8",
          "7.5"
        ],
        "general-iso-27017-2015": [
          "6.1.5",
          "11.1.4"
        ],
        "general-iso-27018-2025": [
          "5.8",
          "7.5"
        ],
        "general-iso-27701-2025": [
          "6.1.2(e)"
        ],
        "general-iso-31000-2018": [
          "5.6",
          "6.4.1",
          "6.4.3",
          "6.4.4"
        ],
        "general-iso-31010-2009": [
          "4.3.4",
          "5.1",
          "5.3.1",
          "5.3.4",
          "5.3.4(a)",
          "5.3.4(b)",
          "5.3.4(c)",
          "5.3.5",
          "5.3.6",
          "5.4",
          "5.5"
        ],
        "general-iso-42001-2023": [
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(b)",
          "6.1.2(c)",
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)",
          "8.2",
          "A.5.3",
          "A.5.4",
          "A.5.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.5",
          "MANAGE 1.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P5",
          "GV.MT-P1"
        ],
        "general-nist-800-37-r2": [
          "TASK P-3",
          "TASK P-14"
        ],
        "general-nist-800-39": [
          "3.2",
          "TASK 2-2"
        ],
        "general-nist-800-53-r4": [
          "RA-3"
        ],
        "general-nist-800-53-r5-2": [
          "RA-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "RA-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "RA-03"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)"
        ],
        "general-nist-800-82-r3": [
          "RA-03"
        ],
        "general-nist-800-82-r3-low": [
          "RA-03"
        ],
        "general-nist-800-82-r3-mod": [
          "RA-03"
        ],
        "general-nist-800-82-r3-high": [
          "RA-03"
        ],
        "general-nist-800-161-r1": [
          "RA-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "RA-3"
        ],
        "general-nist-800-161-r1-level-1": [
          "RA-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-3"
        ],
        "general-nist-800-171-r2": [
          "3.11.1"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a"
        ],
        "general-nist-800-171a": [
          "3.11.1[a]",
          "3.11.1[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.01.a",
          "A.03.11.01.b"
        ],
        "general-nist-800-172": [
          "3.11.1e",
          "3.11.5e"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-06",
          "ID",
          "ID.RA-01",
          "ID.RA-05"
        ],
        "general-pci-dss-4-0-1": [
          "12.3",
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.3.1"
        ],
        "general-scf-dpmp-2025": [
          "9.1"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "general-tisax-6-0-3": [
          "1.4.1"
        ],
        "general-ul-2900-1-2017": [
          "12.1(d)",
          "12.1(e)"
        ],
        "general-un-155-2021": [
          "7.2.2.2(b)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(b)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EC:SG3.SP1",
          "RISK:SG4.SP1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2g"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "RA.L2-3.11.1"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.1E",
          "RA.L3-3.11.5E"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)",
          "609.930(c)(1)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "RA-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "RA-03"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(b)",
          "314.4(b)(1)",
          "314.4(b)(1)(i)",
          "314.4(b)(1)(ii)",
          "314.4(b)(1)(iii)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(iv)",
          "164.308(a)(1)(ii)(A)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(iv)",
          "164.308(a)(1)(ii)(A)"
        ],
        "usa-federal-irs-1075-2021": [
          "RA-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "RA-3",
          "RA-3.a",
          "RA-3.b",
          "RA-3.c",
          "RA-3.d",
          "RA-3.e",
          "RA-3-IS.1",
          "RA-3-IS.2"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 R3"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(a)",
          "17 CFR 229.106(b)(1)",
          "17 CFR 229.106(b)(1)(i)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7152(a)",
          "7155(a)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.3"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(1)",
          "500.9(a)",
          "500.9(b)",
          "500.9(b)(1)",
          "500.9(b)(2)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "RA-03",
          "RA-03-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "RA-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "RA-03"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.2(c)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(10)",
          "3.3.1(13)(b)",
          "3.3.3(20)",
          "3.7.2(82)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.3",
          "Article 8.7"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.1",
          "2.1.2",
          "2.1.2(e)",
          "2.1.2(f)",
          "2.1.3",
          "6.1.1"
        ],
        "emea-deu-bsrit-2017": [
          "3.10"
        ],
        "emea-deu-c5-2020": [
          "OIS-07",
          "SP-03"
        ],
        "emea-isr-cmo-1-0": [
          "1.2",
          "2.2"
        ],
        "emea-sau-cscc-1-2019": [
          "1-2-1-1"
        ],
        "emea-sau-cgiot-2024": [
          "1-4-1",
          "1-4-4"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-3-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-31"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.1.2"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 3.2",
          "Article 14.1",
          "Article 14.2"
        ],
        "emea-esp-decree-311-2022": [
          "14.1",
          "14.2",
          "3.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.1.1 [OP.PL.1]"
        ],
        "emea-gbr-cap-1850-2020": [
          "A2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1200",
          "1202",
          "1204"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1200",
          "1202"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1200",
          "1202"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1200",
          "1202",
          "1204"
        ],
        "apac-aus-ps-cps-230-2023": [
          "27(a)",
          "27(b)",
          "27(c)",
          "28"
        ],
        "apac-ind-sebi-2024": [
          "ID.RA.S1",
          "ID.RA.S2"
        ],
        "apac-jpn-ismap": [
          "4.4.6.1",
          "4.4.7.1",
          "4.4.7.2",
          "4.4.7.3",
          "4.4.7.4",
          "4.6.1.1",
          "6.1.5.3"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP32",
          "HML32"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP28"
        ],
        "apac-nzl-ism-3-9": [
          "2.3.27.C.01",
          "2.3.27.C.02",
          "5.9.23.C.01",
          "23.2.16.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.1.4(b)",
          "4.3.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.1",
          "6.8"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3",
          "3.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A"
        ]
      }
    },
    {
      "control_id": "RSK-04.1",
      "title": "Risk Register",
      "family": "RSK",
      "description": "Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks.",
      "scf_question": "Does the organization maintain a risk register that facilitates monitoring and reporting of risks?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-RSK-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a risk register that facilitates monitoring and reporting of risks.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "large": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.2-POF3"
        ],
        "general-cobit-2019": [
          "APO12.03",
          "APO12.05"
        ],
        "general-coso-2013": [
          "7"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-06",
          "CEK-07"
        ],
        "general-iso-31010-2009": [
          "4.3.6",
          "5.6"
        ],
        "general-iso-42001-2023": [
          "6.1.2",
          "9.3.2(a)",
          "9.3.2(b)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.5",
          "MEASURE 3.0",
          "MEASURE 3.1",
          "MEASURE 3.2",
          "MANAGE 1.4"
        ],
        "general-nist-800-171-r3": [
          "03.12.02.a.01",
          "03.12.02.a.02"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-06",
          "ID",
          "ID.RA-01"
        ],
        "general-pci-dss-4-0-1": [
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.3.1"
        ],
        "general-scf-dpmp-2025": [
          "9.3"
        ],
        "general-tisax-6-0-3": [
          "1.4.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2e",
          "RISK-2f",
          "RISK-3f"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(2)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.105(b)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.3"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(a)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(10)",
          "3.3.1(13)(d)"
        ],
        "emea-deu-c5-2020": [
          "SP-03"
        ],
        "emea-isr-cmo-1-0": [
          "2.2",
          "6.8"
        ],
        "emea-sau-cscc-1-2019": [
          "1-2-1-2"
        ],
        "emea-sau-cgiot-2024": [
          "1-4-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-3-1-3",
          "1-3-1-6"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-31"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.1.4"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "4201"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "4201"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "4201"
        ],
        "apac-ind-sebi-2024": [
          "GV.RM.S4"
        ],
        "apac-jpn-ismap": [
          "4.4.7.2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP65",
          "HML64"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.1.3",
          "4.1.4(d)",
          "4.5.2",
          "4.5.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.24"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3",
          "3.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.02.A.01",
          "03.12.02.A.02"
        ]
      }
    },
    {
      "control_id": "RSK-04.2",
      "title": "Risk Assessment Methodology",
      "family": "RSK",
      "description": "Mechanisms exist to implement a risk assessment methodology to ensure coverage for organizational components relevant for secure, compliant and resilient operations.",
      "scf_question": "Does the organization implement a risk assessment methodology to ensure coverage for organizational components relevant for secure, compliant and resilient operations?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement a risk assessment methodology to ensure coverage for organizational components relevant for secure, compliant and resilient operations.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document how privacy risks are identified and managed",
        "small": "∙ Privacy risk assessment process integrated with security risk management",
        "medium": "∙ Formal privacy risk management integration with security risk program",
        "large": "∙ Enterprise privacy risk management program (GDPR DPIA, CCPA)",
        "enterprise": "∙ Enterprise integrated privacy and security risk management platform\n∙ Automated DPIA workflows"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-iso-27701-2025": [
          "6.1.2(a)(2)"
        ],
        "general-iso-31000-2018": [
          "5.7.2",
          "6.4.1",
          "6.4.3",
          "6.4.4"
        ],
        "general-iso-31010-2009": [
          "4.3.1",
          "4.3.4",
          "6.2",
          "6.7"
        ],
        "general-nist-800-172": [
          "3.11.1e"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "general-un-155-2021": [
          "7.2.2.2(c)",
          "7.2.2.2(f)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(c)",
          "7.2.2.2(f)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "RISK:SG2.SP2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2g",
          "RISK-3c",
          "RISK-3d",
          "RISK-3e",
          "RISK-4b"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.1E"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7152(a)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.3",
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(b)",
          "6.1.2(c)",
          "6.1.2(d)",
          "6.1.2(e)",
          "6.1.2(f)",
          "6.1.3",
          "7.2",
          "7.2(a)",
          "7.2(b)",
          "7.2(c)",
          "7.2(d)",
          "7.2(e)",
          "7.2(f)"
        ],
        "apac-jpn-ismap": [
          "4.4.6.1",
          "4.4.7.1",
          "4.4.7.4"
        ]
      }
    },
    {
      "control_id": "RSK-04.3",
      "title": "Instances Requiring A Risk Assessment",
      "family": "RSK",
      "description": "Mechanisms exist to define instances that require a risk assessment to be performed.",
      "scf_question": "Does the organization define instances that require a risk assessment to be performed?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define instances that require a risk assessment to be performed.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document how supply chain risks are identified",
        "small": "∙ Supply chain risk assessment process and checklist",
        "medium": "∙ Formal supply chain risk management program\n∙ Vendor risk assessments",
        "large": "∙ Enterprise supply chain risk management (SCRM) program",
        "enterprise": "∙ Enterprise SCRM platform (e.g., BitSight, OneTrust)\n∙ Automated supply chain risk monitoring\n∙ C-SCRM program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-scf-dpmp-2025": [
          "9.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7150(a)",
          "7150(b)",
          "7150(b)(1)",
          "7150(b)(2)",
          "7150(b)(2)(A)",
          "7150(b)(3)",
          "7150(b)(4)",
          "7150(b)(5)",
          "7150(b)(6)",
          "7155(a)(1)",
          "7155(a)(2)",
          "7155(a)(3)",
          "7155(b)"
        ],
        "apac-jpn-ismap": [
          "4.4.7.3",
          "4.5.5.1"
        ]
      }
    },
    {
      "control_id": "RSK-04.4",
      "title": "Risk Assessment Stakeholder Involvement",
      "family": "RSK",
      "description": "Mechanisms exist to:\n(1) Define applicable stakeholders for each risk assessment;\n(2) Involve identified stakeholders in the risk assessment process; and\n(3) Provide identified stakeholders with results of the risk assessment, upon completion.",
      "scf_question": "Does the organization:\n(1) Define applicable stakeholders for each risk assessment;\n(2) Involve identified stakeholders in the risk assessment process; and\n(3) Provide identified stakeholders with results of the risk assessment, upon completion?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to:\n(1) Define applicable stakeholders for each risk assessment;\n(2) Involve identified stakeholders in the risk assessment process; and\n(3) Provide identified stakeholders with results of the risk assessment, upon completion.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Consider international risks when operating cross-border",
        "small": "∙ International risk assessment for cross-border operations",
        "medium": "∙ Formal international risk assessment program\n∙ Country-specific risk profiles",
        "large": "∙ Enterprise international risk management program\n∙ Country risk monitoring",
        "enterprise": "∙ Enterprise global risk management platform\n∙ Automated country risk monitoring\n∙ Geopolitical risk intelligence integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "9.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7151(a)",
          "7151(b)"
        ]
      }
    },
    {
      "control_id": "RSK-05",
      "title": "Risk Ranking",
      "family": "RSK",
      "description": "Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.",
      "scf_question": "Does the organization identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "large": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1-POF6",
          "CC3.2-POF4",
          "CC3.2-POF8"
        ],
        "general-cobit-2019": [
          "APO12.03"
        ],
        "general-coso-2013": [
          "7"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-07"
        ],
        "general-csa-iot-2": [
          "RSM-01",
          "RSM-02"
        ],
        "general-iso-27701-2025": [
          "6.1.2(d)(3)"
        ],
        "general-iso-42001-2023": [
          "6.1.2(e)(2)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 1.2"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a"
        ],
        "general-nist-csf-2-0": [
          "ID",
          "ID.RA-05",
          "ID.RA-06"
        ],
        "general-pci-dss-4-0-1": [
          "12.3",
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.3.1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(2)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(3)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(10)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.2(e)"
        ],
        "emea-isr-cmo-1-0": [
          "2.2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-31"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.1.2"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.2.1"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A"
        ]
      }
    },
    {
      "control_id": "RSK-06",
      "title": "Risk Remediation",
      "family": "RSK",
      "description": "Mechanisms exist to remediate risks to an acceptable level.",
      "scf_question": "Does the organization remediate risks to an acceptable level?",
      "relative_weight": 10,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-RSK-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to remediate risks to an acceptable level.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "large": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF4",
          "CC4.2",
          "CC5.3-POF4",
          "CC7.4",
          "CC7.4-POF8"
        ],
        "general-cis-csc-8-1": [
          "18.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "18.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "18.3"
        ],
        "general-cobit-2019": [
          "APO12.06"
        ],
        "general-coso-2013": [
          "7",
          "13",
          "17"
        ],
        "general-csa-cmm-4-1-0": [
          "CEK-07"
        ],
        "general-csa-iot-2": [
          "RSM-01",
          "RSM-02"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5"
        ],
        "general-iso-22301-2019": [
          "8.2.3(c)"
        ],
        "general-iso-27001-2022": [
          "6.1.3",
          "6.1.3(a)",
          "6.1.3(b)",
          "6.1.3(c)",
          "6.1.3(d)",
          "6.1.3(e)",
          "6.1.3(f)",
          "8.3"
        ],
        "general-iso-27002-2022": [
          "5.8"
        ],
        "general-iso-27017-2015": [
          "6.1.5"
        ],
        "general-iso-27018-2025": [
          "5.8"
        ],
        "general-iso-27701-2025": [
          "6.1.2(e)(2)",
          "6.1.3",
          "6.1.3(b)"
        ],
        "general-iso-31000-2018": [
          "6.5.1"
        ],
        "general-iso-31010-2009": [
          "4.3.5"
        ],
        "general-iso-42001-2023": [
          "6.1.3",
          "6.1.3(a)",
          "6.1.3(b)",
          "6.1.3(c)",
          "6.1.3(d)",
          "6.1.3(e)",
          "6.1.3(f)",
          "6.1.3(g)",
          "8.3",
          "10.2",
          "10.2(a)",
          "10.2(a)(1)",
          "10.2(a)(2)",
          "10.2(b)",
          "10.2(b)(1)",
          "10.2(b)(2)",
          "10.2(b)(3)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 1.2",
          "MANAGE 4.0"
        ],
        "general-nist-800-39": [
          "3.3"
        ],
        "general-nist-800-171-r2": [
          "3.11.3"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.b",
          "03.12.02.a.02"
        ],
        "general-nist-800-172": [
          "3.11.7e"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-04",
          "ID.RA-05",
          "ID.RA-06"
        ],
        "general-pci-dss-4-0-1": [
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3",
          "12.3",
          "12.3.1",
          "A3.3.1.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.7.2",
          "10.7.3",
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.7.1",
          "10.7.2",
          "10.7.3",
          "12.3.1"
        ],
        "general-shared-assessments-sig-2025": [
          "P.5.3"
        ],
        "general-un-155-2021": [
          "7.2.2.2(c)",
          "7.2.2.2(d)",
          "7.2.2.3"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(c)",
          "7.2.2.2(d)",
          "7.2.2.3"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "RISK:SG5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-4e"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "RA.L2-3.11.3"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.7E"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(2)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.4"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)(6)",
          "500.9(b)(3)",
          "500.12(b)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.2(d)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(13)(c)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.1",
          "2.1.2",
          "2.1.2(g)",
          "2.1.2(j)"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-2",
          "1-4-1",
          "1-4-5"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-31"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 14.2",
          "Article 14.3"
        ],
        "emea-esp-decree-311-2022": [
          "14.2",
          "14.3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1200"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1200"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1200"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1200"
        ],
        "apac-aus-ps-cps-230-2023": [
          "31"
        ],
        "apac-ind-sebi-2024": [
          "ID.RA.S5"
        ],
        "apac-jpn-ismap": [
          "4.6.1.1",
          "4.7.1.1"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.1.3",
          "4.1.4(c)",
          "4.4.1",
          "4.4.2",
          "4.4.3",
          "13.6.1",
          "13.6.1(a)",
          "13.6.1(b)",
          "13.6.1(c)"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.2",
          "2.7",
          "6.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.B",
          "03.12.02.A.02"
        ]
      }
    },
    {
      "control_id": "RSK-06.1",
      "title": "Risk Response",
      "family": "RSK",
      "description": "Mechanisms exist to ensure proper risk response actions were performed to remediate findings from security, compliance and/or resilience-related:\n(1) Assessments;\n(2) Audits; and/or\n(3) Incidents.",
      "scf_question": "Does the organization ensure proper risk response actions were performed to remediate findings from security, compliance and/or resilience-related:\n(1) Assessments;\n(2) Audits; and/or\n(3) Incidents?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-RSK-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure proper risk response actions were performed to remediate findings from security, compliance and/or resilience-related:\n(1) Assessments;\n(2) Audits; and/or\n(3) Incidents.",
        "4": "Risk Management (RSK) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "large": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF5"
        ],
        "general-cobit-2019": [
          "APO12.06"
        ],
        "general-coso-2013": [
          "7"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-06",
          "CEK-07"
        ],
        "general-csa-iot-2": [
          "RSM-01",
          "RSM-02"
        ],
        "general-iso-27001-2022": [
          "6.1.3",
          "6.1.3(a)",
          "6.1.3(b)",
          "6.1.3(c)",
          "6.1.3(d)",
          "6.1.3(e)",
          "6.1.3(f)",
          "8.3"
        ],
        "general-iso-27002-2022": [
          "5.8"
        ],
        "general-iso-27017-2015": [
          "6.1.5"
        ],
        "general-iso-27018-2025": [
          "5.8"
        ],
        "general-iso-27701-2025": [
          "6.1.3"
        ],
        "general-iso-31010-2009": [
          "4.3.5"
        ],
        "general-iso-42001-2023": [
          "6.1.3",
          "6.1.3(a)",
          "6.1.3(b)",
          "6.1.3(c)",
          "6.1.3(d)",
          "6.1.3(e)",
          "6.1.3(f)",
          "6.1.3(g)",
          "8.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 1.3",
          "MANAGE 2.3",
          "MANAGE 2.4",
          "MANAGE 4.0"
        ],
        "general-nist-800-39": [
          "3.3"
        ],
        "general-nist-800-53-r5-2": [
          "RA-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "RA-07"
        ],
        "general-nist-800-53-r5-2-low": [
          "RA-07"
        ],
        "general-nist-800-82-r3": [
          "RA-07"
        ],
        "general-nist-800-82-r3-low": [
          "RA-07"
        ],
        "general-nist-800-82-r3-mod": [
          "RA-07"
        ],
        "general-nist-800-82-r3-high": [
          "RA-07"
        ],
        "general-nist-800-161-r1": [
          "RA-7"
        ],
        "general-nist-800-161-r1-cscrm": [
          "RA-7"
        ],
        "general-nist-800-161-r1-level-1": [
          "RA-7"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-7"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.b",
          "03.11.04"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.04[01]",
          "A.03.11.04[02]",
          "A.03.11.04[03]"
        ],
        "general-nist-800-172": [
          "3.11.6e"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-04",
          "ID.RA-05",
          "ID.RA-06"
        ],
        "general-pci-dss-4-0-1": [
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-scf-dpmp-2025": [
          "9.4"
        ],
        "general-un-155-2021": [
          "7.2.2.3"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-7"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-4e"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.6E"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "RA-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "RA-07"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "RA-7"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(3)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "RA-07"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "RA-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "RA-07"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.4",
          "Article 9.5",
          "Article 9.5(a)",
          "Article 9.5(b)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(13)(c)"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-31"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.2.1.3"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 14.2",
          "Article 14.3"
        ],
        "emea-esp-decree-311-2022": [
          "14.2",
          "14.3"
        ],
        "apac-jpn-ismap": [
          "4.4.7.4",
          "4.4.8.1",
          "4.4.8.2",
          "4.4.8.5",
          "4.7.1.3",
          "4.7.1.6"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.1.5",
          "4.5.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.24"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.B",
          "03.11.04"
        ]
      }
    },
    {
      "control_id": "RSK-06.2",
      "title": "Compensating Countermeasures",
      "family": "RSK",
      "description": "Mechanisms exist to identify and implement compensating countermeasures to reduce risk and exposure to threats.",
      "scf_question": "Does the organization identify and implement compensating countermeasures to reduce risk and exposure to threats?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-20",
        "E-RSK-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Respond",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and implement compensating countermeasures to reduce risk and exposure to threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”: the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)",
        "small": "∙ Risk Management Program (RMP)",
        "medium": "∙ Risk Management Program (RMP)",
        "large": "∙ Risk Management Program (RMP)",
        "enterprise": "∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC9.1-POF1",
          "CC9.1-POF2"
        ],
        "general-cis-csc-8-1": [
          "2.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.2"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.3",
          "5.2"
        ],
        "general-iec-62443-2-1-2024": [
          "COMP 3.5"
        ],
        "general-iso-27018-2025": [
          "8.31(a)"
        ],
        "general-iso-27701-2025": [
          "6.1.3"
        ],
        "general-iso-31000-2018": [
          "6.5.2"
        ],
        "general-iso-31010-2009": [
          "4.3.5"
        ],
        "general-iso-42001-2023": [
          "6.1.3(b)",
          "6.1.3(c)",
          "6.1.3(d)",
          "8.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 2.1"
        ],
        "general-nist-800-37-r2": [
          "TASK S-2"
        ],
        "general-nist-800-39": [
          "3.3",
          "TASK 3-1"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.b"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-04",
          "ID.RA-06"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.6",
          "2.2.4",
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.6",
          "2.2.4",
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.6"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.4",
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.6",
          "2.2.4",
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.6",
          "2.2.4",
          "12.3.1"
        ],
        "general-scf-dpmp-2025": [
          "9.0"
        ],
        "general-un-155-2021": [
          "7.2.2.3"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.3"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.E"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.20.7.2.1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)(2)(ii)(B)",
          "252.204-7012(b)(2)(ii)(C)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(2)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(d)(3)(ii)(B)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(d)(3)(ii)(B)(2)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.1.b",
          "III.C.2",
          "III.C.3",
          "III.D",
          "III.D.4",
          "III.E.3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7002(d)(3)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(3)",
          "500.12(b)",
          "500.15(b)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.5(b)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(13)(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.6.1(d)"
        ],
        "emea-sau-otcc-1-2022": [
          "1-3-1-6",
          "1-3-1-7"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-31"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1809"
        ],
        "apac-ind-sebi-2024": [
          "EV.ST.S1",
          "EV.ST.S4"
        ],
        "apac-jpn-ismap": [
          "4.4.8.1",
          "4.4.8.2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP26",
          "HHSP43",
          "HHSP65",
          "HML26",
          "HML43",
          "HML64"
        ],
        "apac-nzl-ism-3-9": [
          "12.4.5.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.2(b)",
          "4.3(c)"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.2.1",
          "4.4.2",
          "4.4.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.8"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.16",
          "6.24"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.B"
        ]
      }
    },
    {
      "control_id": "RSK-06.3",
      "title": "Risk Treatment Options",
      "family": "RSK",
      "description": "Mechanisms exist to select appropriate risk treatment options, based on applicable risk assessment findings.",
      "scf_question": "Does the organization select appropriate risk treatment options, based on applicable risk assessment findings?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to select appropriate risk treatment options, based on applicable risk assessment findings.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Risk response decision policy (accept, mitigate, transfer, avoid)",
        "small": "∙ Risk response decision policy (accept, mitigate, transfer, avoid)",
        "medium": "∙ Formal risk response options policy\n∙ Documented criteria for each risk response type",
        "large": "∙ Enterprise risk response framework\n∙ Risk committee decision-making process",
        "enterprise": "∙ Enterprise GRC platform with risk response workflows\n∙ Formal risk appetite and tolerance framework"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-iso-21434-2021": [
          "RQ-15-17",
          "RQ-15-17(a)",
          "RQ-15-17(b)",
          "RQ-15-17(c)",
          "RQ-15-17(d)"
        ],
        "general-iso-27701-2025": [
          "6.1.3(a)"
        ],
        "general-iso-31000-2018": [
          "6.5.2"
        ],
        "general-iso-31010-2009": [
          "4.3.5",
          "5.3.3"
        ],
        "general-nist-800-39": [
          "3.3",
          "TASK 3-1",
          "TASK 3-2"
        ],
        "general-un-155-2021": [
          "7.2.2.3"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-4a",
          "RISK-4b"
        ],
        "apac-jpn-ismap": [
          "4.4.7.1",
          "4.4.8.1",
          "4.4.8.2"
        ]
      }
    },
    {
      "control_id": "RSK-06.4",
      "title": "Risk Treatment Plan (RTP)",
      "family": "RSK",
      "description": "Mechanisms exist to formalize a Risk Treatment Plan (RTP) that applicable stakeholders will utilize to remediate identified risks according to a defined timeline.",
      "scf_question": "Does the organization formalize a Risk Treatment Plan (RTP) that applicable stakeholders will utilize to remediate identified risks according to a defined timeline?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-RSK-14"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to formalize a Risk Treatment Plan (RTP) that applicable stakeholders will utilize to remediate identified risks according to a defined timeline.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Get management sign-off when accepting risks",
        "small": "∙ Risk acceptance authorization policy\n∙ Management approval for accepted risks",
        "medium": "∙ Formal risk acceptance process with management authorization",
        "large": "∙ Enterprise risk acceptance workflow with executive authorization",
        "enterprise": "∙ Enterprise GRC platform with risk acceptance workflow (e.g., RSA Archer, ServiceNow GRC)\n∙ Automated approval routing"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25"
      ],
      "errata": "- renamed",
      "family_name": "Risk Management",
      "crosswalks": {
        "general-cobit-2019": [
          "APO12.06",
          "APO13.02"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-06"
        ],
        "general-iso-21434-2021": [
          "RQ-09-04",
          "RQ-09-05",
          "RQ-09-06",
          "RQ-09-06(a)",
          "RQ-09-06(b)"
        ],
        "general-iso-27701-2025": [
          "6.1.3(f)",
          "6.1.3(g)",
          "8.3"
        ],
        "general-iso-31000-2018": [
          "6.5.3"
        ],
        "general-iso-31010-2009": [
          "4.3.5",
          "5.3.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-2.0"
        ],
        "general-nist-800-37-r2": [
          "TASK R-3"
        ],
        "general-nist-800-39": [
          "3.3",
          "TASK 3-3",
          "TASK 3-4"
        ],
        "general-un-155-2021": [
          "7.2.2.3"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.3"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EC:SG3.SP2",
          "KIM:SG3.SP2",
          "PM:SG2.SP2",
          "RISK:SG5.SP1",
          "RISK:SG5.SP2",
          "TM:SG3.SP2"
        ],
        "apac-jpn-ismap": [
          "4.4.6.1",
          "4.4.7.1",
          "4.4.8.1",
          "4.4.8.2",
          "4.4.8.3",
          "4.4.8.4",
          "4.4.8.5",
          "4.5.5.2",
          "4.7.1.1",
          "4.7.1.4",
          "4.9"
        ]
      }
    },
    {
      "control_id": "RSK-07",
      "title": "Risk Assessment Update",
      "family": "RSK",
      "description": "Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.",
      "scf_question": "Does the organization routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.",
        "4": "Risk Management (RSK) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)",
        "small": "∙ Risk Management Program (RMP)",
        "medium": "∙ Risk Management Program (RMP)",
        "large": "∙ Risk Management Program (RMP)",
        "enterprise": "∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-coso-2013": [
          "7"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P5",
          "GV.MT-P1"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.01.ODP[01]",
          "A.03.11.01.b"
        ],
        "general-pci-dss-4-0-1": [
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.3.1",
          "12.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.3.1"
        ],
        "general-un-155-2021": [
          "7.2.2.2(f)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(f)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(b)(2)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7155(a)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.3"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(a)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(13)(f)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.4"
        ],
        "emea-isr-cmo-1-0": [
          "2.2"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3-2",
          "1-5-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-31"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS05"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.1.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.B"
        ]
      }
    },
    {
      "control_id": "RSK-08",
      "title": "Business Impact Analysis (BIA)",
      "family": "RSK",
      "description": "Mechanisms exist to conduct a Business Impact Analysis (BIA) to identify and assess security, compliance and resilience risks.",
      "scf_question": "Does the organization conduct a Business Impact Analysis (BIA) to identify and assess security, compliance and resilience risks?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CHG-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct a Business Impact Analysis (BIA) to identify and assess security, compliance and resilience risks.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "small": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "large": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2",
          "CC5.2",
          "CC9.1-POF1",
          "CC9.1-POF2"
        ],
        "general-cobit-2019": [
          "APO12.03",
          "BAI04.02"
        ],
        "general-coso-2013": [
          "7"
        ],
        "general-csa-cmm-4-1-0": [
          "BCR-02"
        ],
        "general-csa-iot-2": [
          "RSM-01",
          "RSM-03"
        ],
        "general-cr-cmm-2026": [
          "CR1.1.1"
        ],
        "general-iso-22301-2019": [
          "8.2.1",
          "8.2.1(a)",
          "8.2.1(b)",
          "8.2.2",
          "8.2.2(a)",
          "8.2.2(b)",
          "8.2.2(c)",
          "8.2.2(d)",
          "8.2.2(e)",
          "8.2.2(f)",
          "8.2.2(g)",
          "8.2.2(h)"
        ],
        "general-iso-27002-2022": [
          "5.3"
        ],
        "general-iso-27018-2025": [
          "5.30"
        ],
        "general-iso-42001-2023": [
          "6.1.4",
          "8.4",
          "A.5.3",
          "A.5.4",
          "A.5.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.5",
          "MAP 1.1",
          "MAP 5.1"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.2"
        ],
        "general-scf-dpmp-2025": [
          "9.2"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.1(78)"
        ],
        "emea-eu-dora-2023": [
          "Article 11.5"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.3",
          "4.1.3"
        ],
        "emea-bel-act-8-1992": [
          "21"
        ],
        "emea-deu-c5-2020": [
          "BCM-02"
        ],
        "emea-isr-cmo-1-0": [
          "6.8",
          "16.6"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3-4"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-uae-niaf-2023": [
          "3.1.2"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "4201"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "4201"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "4201"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21(d)"
        ],
        "apac-jpn-ismap": [
          "4.4.7.3"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.1.3",
          "5.3.3"
        ],
        "apac-kor-pipa-2011": [
          "33"
        ]
      }
    },
    {
      "control_id": "RSK-09",
      "title": "Supply Chain Risk Management (SCRM) Plan",
      "family": "RSK",
      "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
      "scf_question": "Does the organization develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Supply Chain Risk Management (SCRM) Plan",
        "small": "∙ Risk Management Program (RMP)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Supply Chain Risk Management (SCRM) Plan",
        "medium": "∙ Risk Management Program (RMP)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Supply Chain Risk Management (SCRM) Plan",
        "large": "∙ Risk Management Program (RMP)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Supply Chain Risk Management (SCRM) Plan",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Supply Chain Risk Management (SCRM) Plan"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-26",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1",
          "CC3.2",
          "CC3.2-POF7",
          "CC3.2-POF8",
          "CC4.1",
          "CC9.2",
          "CC9.2-POF1",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF4",
          "CC9.2-POF7",
          "CC9.2-POF8",
          "CC9.2-POF9",
          "CC9.2-POF10",
          "CC9.2-POF11",
          "CC9.2-POF12"
        ],
        "general-cis-csc-8-1": [
          "15.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "15.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.2"
        ],
        "general-cobit-2019": [
          "APO12.01",
          "APO12.02",
          "APO12.03",
          "APO12.04"
        ],
        "general-coso-2013": [
          "7",
          "16"
        ],
        "general-csa-iot-2": [
          "SDV-02"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.8"
        ],
        "general-iso-27002-2022": [
          "5.21",
          "8.3"
        ],
        "general-iso-27018-2025": [
          "5.21",
          "8.30"
        ],
        "general-iso-42001-2023": [
          "A.10",
          "A.10.2",
          "A.10.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 3.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P2",
          "ID.DE-P3"
        ],
        "general-nist-800-53-r4": [
          "SA-12"
        ],
        "general-nist-800-53-r5-2": [
          "PM-29",
          "PM-30",
          "SA-09(03)",
          "SR-02",
          "SR-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-29",
          "SR-02",
          "SR-07"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-02"
        ],
        "general-nist-800-82-r3": [
          "PM-29",
          "PM-30",
          "SA-09(03)",
          "SR-02",
          "SR-07"
        ],
        "general-nist-800-82-r3-low": [
          "PM-29",
          "PM-30",
          "SR-02"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-29",
          "PM-30",
          "SR-02"
        ],
        "general-nist-800-82-r3-high": [
          "PM-29",
          "PM-30",
          "SR-02"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-07"
        ],
        "general-nist-800-161-r1": [
          "PM-29",
          "PM-30",
          "SA-9(3)",
          "SR-2",
          "SR-7"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PM-30",
          "SR-2"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PM-30"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-29",
          "PM-30",
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-30",
          "SA-9(3)",
          "SR-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-9(3)",
          "SR-2",
          "SR-7"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a",
          "03.17.01.a",
          "03.17.01.b",
          "03.17.03.a",
          "03.17.03.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.01.a",
          "A.03.17.01.ODP[01]",
          "A.03.17.01.a[01]",
          "A.03.17.01.a[02]",
          "A.03.17.01.a[03]",
          "A.03.17.01.a[04]",
          "A.03.17.01.a[05]",
          "A.03.17.01.a[06]",
          "A.03.17.01.a[07]",
          "A.03.17.01.a[08]",
          "A.03.17.01.a[09]",
          "A.03.17.01.a[10]",
          "A.03.17.01.b[01]",
          "A.03.17.01.b[02]",
          "A.03.17.01.c",
          "A.03.17.03.ODP[01]",
          "A.03.17.03.a[01]",
          "A.03.17.03.a[02]",
          "A.03.17.03.b"
        ],
        "general-nist-800-172": [
          "3.11.6e",
          "3.11.7e"
        ],
        "general-nist-csf-2-0": [
          "GV.SC",
          "GV.SC-01",
          "GV.SC-03",
          "GV.SC-05",
          "GV.SC-09",
          "GV.SC-10",
          "ID",
          "ID.RA",
          "ID.IM",
          "PR"
        ],
        "general-owasp-top-10-2025": [
          "A03:2025"
        ],
        "general-scf-dpmp-2025": [
          "9.2"
        ],
        "general-sparta": [
          "CM0026"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3 UNL.SCRMA"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SR-2"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.6E",
          "RA.L3-3.11.7E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.3"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "4.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-29",
          "SR-02",
          "SR-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-29",
          "SR-02",
          "SR-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-29",
          "SR-02",
          "SR-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-29",
          "SR-02",
          "SR-07"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-29",
          "SA-9(CE-3)",
          "SR-2"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-013-2 R1",
          "CIP-013-2 R2",
          "CIP-013-2 R3"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SR-02"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(l)"
        ],
        "emea-eu-dora-2023": [
          "Article 28.1",
          "Article 28.1(a)",
          "Article 28.1(b)",
          "Article 28.1(b)(i)",
          "Article 28.1(b)(ii)",
          "Article 28.2",
          "Article 28.3",
          "Article 28.4",
          "Article 28.4(a)",
          "Article 28.4(b)",
          "Article 28.4(c)",
          "Article 28.4(d)",
          "Article 28.4(e)",
          "Article 28.5",
          "Article 28.6",
          "Article 28.7(a)",
          "Article 28.7(b)",
          "Article 28.7(c)",
          "Article 28.7(d)",
          "Article 28.8",
          "Article 28.8(a)",
          "Article 28.8(b)",
          "Article 28.8(c)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(d)",
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.1.1",
          "5.1.5",
          "5.1.6"
        ],
        "emea-deu-c5-2020": [
          "OIS-07"
        ],
        "emea-isr-cmo-1-0": [
          "16.3",
          "17.3",
          "17.11"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3-3"
        ],
        "emea-gbr-caf-4-0": [
          "A4",
          "A4.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1400"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0731",
          "ISM-1567",
          "ISM-1785"
        ],
        "apac-nzl-ism-3-9": [
          "2.2.7.C.01",
          "12.7.14.C.01",
          "12.7.14.C.02",
          "12.7.14.C.03",
          "12.7.15.C.01",
          "12.7.15.C.02",
          "12.7.16.C.01",
          "12.7.16.C.02",
          "12.7.16.C.03",
          "12.7.17.C.01",
          "12.7.18.C.01",
          "12.7.18.C.02",
          "12.7.19.C.01",
          "12.7.19.C.02",
          "12.7.20.C.01",
          "12.7.20.C.02",
          "12.7.20.C.03",
          "12.7.20.C.04",
          "12.7.20.C.05",
          "12.7.21.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.3.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.3",
          "4.25"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A",
          "03.17.01.A",
          "03.17.01.B",
          "03.17.03.A",
          "03.17.03.B"
        ]
      }
    },
    {
      "control_id": "RSK-09.1",
      "title": "Supply Chain Risk Assessment",
      "family": "RSK",
      "description": "Mechanisms exist to periodically assess supply chain risks associated with Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization periodically assess supply chain risks associated with Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically assess supply chain risks associated with Technology Assets, Applications and/or Services (TAAS).",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "small": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "large": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF7",
          "CC3.2-POF9",
          "CC9.2",
          "CC9.2-POF1",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF7",
          "CC9.2-POF11"
        ],
        "general-cis-csc-8-1": [
          "15.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.5"
        ],
        "general-cobit-2019": [
          "APO12.01",
          "APO12.02",
          "APO12.03",
          "APO12.04"
        ],
        "general-coso-2013": [
          "7"
        ],
        "general-iso-27002-2022": [
          "8.3"
        ],
        "general-iso-27018-2025": [
          "8.30"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 3.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P5",
          "GV.MT-P1"
        ],
        "general-nist-800-53-r5-2": [
          "RA-03(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "RA-03(01)"
        ],
        "general-nist-800-82-r3": [
          "RA-03(01)"
        ],
        "general-nist-800-82-r3-low": [
          "RA-03(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "RA-03(01)"
        ],
        "general-nist-800-82-r3-high": [
          "RA-03(01)"
        ],
        "general-nist-800-161-r1": [
          "RA-3(1)"
        ],
        "general-nist-800-161-r1-cscrm": [
          "RA-3(1)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "RA-3(1)"
        ],
        "general-nist-800-161-r1-level-1": [
          "RA-3(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-3(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-3(1)"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a",
          "03.11.01.b",
          "03.17.03.a"
        ],
        "general-nist-800-172": [
          "3.11.6e"
        ],
        "general-nist-csf-2-0": [
          "GV.SC",
          "GV.SC-09"
        ],
        "general-owasp-top-10-2025": [
          "A03:2025"
        ],
        "general-scf-dpmp-2025": [
          "9.2"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.6E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "RA-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "RA-03(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "RA-3(CE-1)",
          "RA-3(CE-1).c",
          "RA-3(CE-1).d"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "RA-03(1)"
        ],
        "emea-eu-dora-2023": [
          "Article 28.4(a)",
          "Article 28.4(b)",
          "Article 28.4(c)",
          "Article 28.4(d)",
          "Article 28.4(e)"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.1.3"
        ],
        "emea-isr-cmo-1-0": [
          "16.6",
          "17.3",
          "17.11"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3-3"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1400"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1452",
          "ISM-1567"
        ],
        "apac-ind-sebi-2024": [
          "GV.SC.S7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A",
          "03.11.01.B",
          "03.17.03.A"
        ]
      }
    },
    {
      "control_id": "RSK-09.2",
      "title": "AI & Autonomous Technologies Supply Chain Impacts",
      "family": "RSK",
      "description": "Mechanisms exist to address Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks and benefits arising from the organization's supply chain, including third-party software and data.",
      "scf_question": "Does the organization address Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks and benefits arising from its supply chain, including third-party software and data?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks and benefits arising from the organization's supply chain, including third-party software and data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "small": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "large": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Business Impact Analysis (BIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "GOVERN 6.0",
          "MANAGE 3.0",
          "MANAGE 3.1"
        ]
      }
    },
    {
      "control_id": "RSK-10",
      "title": "Data Protection Impact Assessment (DPIA)",
      "family": "RSK",
      "description": "Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on Technology Assets, Applications and/or Services (TAAS) that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks.",
      "scf_question": "Does the organization conduct a Data Protection Impact Assessment (DPIA) on Technology Assets, Applications and/or Services (TAAS) that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRI-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct a Data Protection Impact Assessment (DPIA) on Technology Assets, Applications and/or Services (TAAS) that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks.",
        "4": "Risk Management (RSK) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Privacy Impact Assessment (PIA)",
        "small": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Privacy Impact Assessment (PIA)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Privacy Impact Assessment (PIA)",
        "large": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Privacy Impact Assessment (PIA)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Data Protection Impact Assessment (DPIA)\n∙ Privacy Impact Assessment (PIA)"
      },
      "risks": [
        "R-AC-4",
        "R-BC-2",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.3-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC3.2",
          "CC5.2",
          "PI1.1"
        ],
        "general-cobit-2019": [
          "APO12.01",
          "APO12.02",
          "APO12.03",
          "APO12.04"
        ],
        "general-coso-2013": [
          "7"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-09"
        ],
        "general-csa-iot-2": [
          "GVN-07",
          "GVN-08",
          "LGL-01",
          "LGL-03"
        ],
        "general-iso-27002-2022": [
          "5.33"
        ],
        "general-iso-27017-2015": [
          "18.1.4"
        ],
        "general-iso-27018-2025": [
          "5.33",
          "5.35(a)",
          "8.31(a)"
        ],
        "general-iso-27701-2025": [
          "6.1.2",
          "6.1.2(a)",
          "6.1.2(a)(1)",
          "6.1.2(a)(2)",
          "6.1.2(b)",
          "6.1.2(c)",
          "6.1.2(c)(1)",
          "6.1.2(c)(2)",
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)",
          "8.2"
        ],
        "general-iso-42001-2023": [
          "6.1.4",
          "8.4",
          "A.5.3",
          "A.5.4",
          "A.5.5"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.1",
          "MEASURE 2.10"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P7",
          "ID.RA-P1",
          "ID.RA-P2",
          "ID.RA-P3",
          "ID.RA-P4",
          "ID.RA-P5",
          "ID.DE-P2",
          "ID.DE-P3",
          "GV.MT-P1"
        ],
        "general-nist-800-53-r4": [
          "AR-2"
        ],
        "general-nist-800-53-r5-2": [
          "RA-08"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "RA-08"
        ],
        "general-nist-800-82-r3": [
          "RA-08"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.2"
        ],
        "general-scf-dpmp-2025": [
          "9.5"
        ],
        "general-shared-assessments-sig-2025": [
          "P.5"
        ],
        "general-tisax-6-0-3": [
          "9.4.1"
        ],
        "general-ul-2900-1-2017": [
          "12.1"
        ],
        "usa-federal-irs-1075-2021": [
          "RA-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "AR-2",
          "AR-2.a",
          "AR-2.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7152(a)",
          "7152(a)(1)",
          "7152(a)(2)",
          "7152(a)(3)",
          "7152(a)(3)(A)",
          "7152(a)(3)(B)",
          "7152(a)(3)(C)",
          "7152(a)(3)(D)",
          "7152(a)(3)(E)",
          "7152(a)(3)(F)",
          "7152(a)(3)(G)",
          "7152(a)(3)(G)(i)",
          "7152(a)(3)(G)(ii)",
          "7152(a)(4)",
          "7152(a)(5)",
          "7152(a)(5)(A)",
          "7152(a)(5)(B)",
          "7152(a)(5)(C)",
          "7152(a)(5)(D)",
          "7152(a)(5)(E)",
          "7152(a)(5)(F)",
          "7152(a)(5)(G)",
          "7152(a)(5)(H)",
          "7152(a)(6)",
          "7152(a)(6)(A)",
          "7152(a)(6)(A)(i)",
          "7152(a)(6)(A)(ii)",
          "7152(a)(6)(A)(iii)",
          "7152(a)(6)(A)(iv)",
          "7152(a)(7)",
          "7152(a)(8)",
          "7152(a)(9)",
          "7154(a)",
          "7155(a)",
          "7156(a)",
          "7156(b)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.586(1)(a)",
          "646A.586(1)(b)",
          "646A.586(1)(b)(A)",
          "646A.586(1)(b)(B)",
          "646A.586(1)(b)(C)",
          "646A.586(1)(b)(D)",
          "646A.586(1)(b)(D)(i)",
          "646A.586(1)(b)(D)(ii)",
          "646A.586(1)(b)(D)(iii)",
          "646A.586(1)(b)(D)(iv)",
          "646A.586(1)(c)",
          "646A.586(2)",
          "646A.586(4)",
          "646A.586(5)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 6(1)(c)",
          "Section 8(1)(a)",
          "Section 8(1)(c)",
          "Section 8(2)"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3206(a)",
          "47-18-3206(a)(1)",
          "47-18-3206(a)(2)",
          "47-18-3206(a)(3)",
          "47-18-3206(a)(3)(A)",
          "47-18-3206(a)(3)(B)",
          "47-18-3206(a)(3)(C)",
          "47-18-3206(a)(3)(D)",
          "47-18-3206(a)(4)",
          "47-18-3206(a)(5)",
          "47-18-3206(b)",
          "47-18-3206(c)",
          "47-18-3206(d)",
          "47-18-3206(e)",
          "47-18-3206(f)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.105(a)(1)",
          "541.105(a)(2)",
          "541.105(a)(3)(A)",
          "541.105(a)(3)(B)",
          "541.105(a)(3)(C)",
          "541.105(a)(3)(D)",
          "541.105(a)(4)",
          "541.105(a)(5)",
          "541.105(b)(1)",
          "541.105(b)(2)(A)",
          "541.105(b)(2)(B)",
          "541.105(b)(2)(C)",
          "541.105(b)(2)(D)",
          "541.105(c)",
          "541.105(d)",
          "541.105(e)",
          "541.105(f)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-580.A",
          "59.1-580.A.1",
          "59.1-580.A.2",
          "59.1-580.A.3",
          "59.1-580.A.4",
          "59.1-580.A.5",
          "59.1-580.B",
          "59.1-580.C",
          "59.1-580.D",
          "59.1-580.E",
          "59.1-580.F",
          "59.1-580.G"
        ],
        "emea-eu-ai-act-2024": [
          "Article 26.9"
        ],
        "emea-eu-gdpr-2016": [
          "Article 35.1",
          "Article 35.3(a)",
          "Article 35.3(b)",
          "Article 35.3(c)",
          "Article 35.7(a)",
          "Article 35.7(b)",
          "Article 35.7(c)",
          "Article 35.7(d)",
          "Article 35.8",
          "Article 35.9",
          "Article 35.11",
          "Article 36.1"
        ],
        "emea-deu-c5-2020": [
          "BCM-02"
        ],
        "emea-isr-cmo-1-0": [
          "16.6",
          "17.3"
        ],
        "emea-ken-pda-2019": [
          "31(1)",
          "31(2)(a)",
          "31(2)(b)",
          "31(2)(c)",
          "31(2)(d)",
          "31(3)",
          "31(4)",
          "31(5)",
          "31(6)"
        ],
        "emea-qat-pdppl-2020": [
          "8.2"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3-4"
        ],
        "emea-sau-pdpl-2023": [
          "Article 22"
        ],
        "emea-srb-act-9-2018": [
          "54",
          "54.x"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21(d)"
        ],
        "apac-chn-pipl-2021": [
          "55",
          "55(1)",
          "55(2)",
          "55(3)",
          "55(4)",
          "55(5)",
          "56",
          "56(1)",
          "56(2)",
          "56(3)"
        ],
        "apac-ind-dpdpa-2023": [
          "10(2)(c)(i)"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.1.3",
          "5.3.3"
        ],
        "apac-kor-pipa-2011": [
          "33"
        ]
      }
    },
    {
      "control_id": "RSK-11",
      "title": "Risk Monitoring",
      "family": "RSK",
      "description": "Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security, compliance and resilience controls, compliance and change management.",
      "scf_question": "Does the organization ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security, compliance and resilience controls, compliance and change management?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "Risk Management (RSK) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Risk management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Risk management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ IT and/or cybersecurity personnel implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.\n▪ Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.\n▪ Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security, compliance and resilience controls, compliance and change management.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "small": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "medium": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "large": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)",
        "enterprise": "∙ Risk Management Program (RMP)\n∙ Risk register\n∙ Plan of Action & Milestones (POA&M)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Risk Management",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "CA-07(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CA-07(04)"
        ],
        "general-nist-800-53-r5-2-low": [
          "CA-07(04)"
        ],
        "general-nist-800-82-r3": [
          "CA-07(04)"
        ],
        "general-nist-800-82-r3-low": [
          "CA-07(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "CA-07(04)"
        ],
        "general-nist-800-82-r3-high": [
          "CA-07(04)"
        ],
        "general-scf-dpmp-2025": [
          "7.11",
          "9.0",
          "9.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CA-7(4)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-07(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-07(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-07(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-07(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-7(CE-4)",
          "CA-7(CE-4).a",
          "CA-7(CE-4).b",
          "CA-7(CE-4).c"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-07(4)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "CA-07 (04)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-07 (04)"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.2(h)"
        ],
        "emea-zaf-popia-2013": [
          "4"
        ]
      }
    },
    {
      "control_id": "RSK-12",
      "title": "Risk Culture",
      "family": "RSK",
      "description": "Mechanisms exist to ensure teams are committed to a culture that considers and communicates technology-related risk.",
      "scf_question": "Does the organization ensure teams are committed to a culture that considers and communicates technology-related risk?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure teams are committed to a culture that considers and communicates technology-related risk.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Risk Management Program (RMP)",
        "small": "∙ Risk Management Program (RMP)",
        "medium": "∙ Risk Management Program (RMP)",
        "large": "∙ Risk Management Program (RMP)",
        "enterprise": "∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-17",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Risk Management",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.0"
        ],
        "general-nist-csf-2-0": [
          "GV.RR-01"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2601"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2601"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2601"
        ]
      }
    },
    {
      "control_id": "RSK-13",
      "title": "Executive Leadership Approval For Managing Material Risk",
      "family": "RSK",
      "description": "Mechanisms exist to obtain executive leadership approval for risk management decisions involving material risk.",
      "scf_question": "Does the organization obtain executive leadership approval for risk management decisions involving material risk?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-15",
        "E-RSK-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain executive leadership approval for risk management decisions involving material risk.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document steps to take after a significant adverse event",
        "small": "∙ Lessons-learned process after significant incidents or events",
        "medium": "∙ Formal post-event review and resilience improvement process",
        "large": "∙ Enterprise resilience improvement program\n∙ Structured post-incident review",
        "enterprise": "∙ Enterprise resilience management program\n∙ Formal after-action review process\n∙ Continuous improvement integration"
      },
      "risks": [
        "R-AC-1",
        "R-EX-5",
        "R-GV-3",
        "R-GV-4",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-17"
      ],
      "family_name": "Risk Management",
      "crosswalks": {}
    },
    {
      "control_id": "RSK-13.1",
      "title": "Documented Alternatives",
      "family": "RSK",
      "description": "Mechanisms exist to document alternative courses of action to ensure executive leadership is reasonably informed of options to manage material risks, including potential:\n(1) Benefits;\n(2) Drawbacks (including technical limitations);\n(3) Costs; and\n(4) Timelines.",
      "scf_question": "Does the organization document alternative courses of action to ensure executive leadership is reasonably informed of options to manage material risks, including potential:\n(1) Benefits;\n(2) Drawbacks (including technical limitations);\n(3) Costs; and\n(4) Timelines?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nRisk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document alternative courses of action to ensure executive leadership is reasonably informed of options to manage material risks, including potential:\n(1) Benefits;\n(2) Drawbacks (including technical limitations);\n(3) Costs; and\n(4) Timelines.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review security measures after major incidents",
        "small": "∙ Post-incident security review process",
        "medium": "∙ Formal post-incident security review and lessons learned program",
        "large": "∙ Enterprise post-incident review program\n∙ Formal corrective action tracking",
        "enterprise": "∙ Enterprise incident management and continuous improvement platform\n∙ Automated post-incident review triggers"
      },
      "risks": [
        "R-AC-1",
        "R-EX-5",
        "R-GV-3",
        "R-GV-4",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-17"
      ],
      "family_name": "Risk Management",
      "crosswalks": {}
    },
    {
      "control_id": "RSK-13.2",
      "title": "Documented Justification For Material Risk Management Decisions",
      "family": "RSK",
      "description": "Mechanisms exist to document executive leadership justification for selecting a specific course of action to manage material risk.",
      "scf_question": "Does the organization document executive leadership justification for selecting a specific course of action to manage material risk?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-15",
        "E-RSK-10",
        "E-RSK-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Risk Management (RSK) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with RSK domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Risk management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to identify, assess, remediate and report on risk.\n▪ Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.\n▪ Data/process owners are expected to self-manage risks associated with their Technology Assets, Applications, Services and/or Data (TAASD), based on the organization's published policies and standards, including the identification, remediation and reporting of risks.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Risk Management (RSK) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with RSK domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with RSK domain capabilities are well-documented and kept current by process owners.\n▪ A risk management team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of risk management operations (e.g., risk management solution, GRC platform, TPRM tool, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with RSK domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document executive leadership justification for selecting a specific course of action to manage material risk.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document lessons learned and make improvements after incidents",
        "small": "∙ Lessons-learned documentation process after incidents",
        "medium": "∙ Formal lessons-learned program with corrective action tracking",
        "large": "∙ Enterprise lessons-learned database and improvement tracking program",
        "enterprise": "∙ Enterprise ITSM/GRC platform for lessons-learned management\n∙ Automated improvement tracking"
      },
      "risks": [
        "R-AC-1",
        "R-EX-5",
        "R-GV-3",
        "R-GV-4",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-17"
      ],
      "family_name": "Risk Management",
      "crosswalks": {}
    },
    {
      "control_id": "SEA-01",
      "title": "Secure Engineering Principles",
      "family": "SEA",
      "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-01",
        "E-TDA-02",
        "E-TDA-04",
        "E-TDA-08",
        "E-TDA-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).\n▪ IT and/or cybersecurity personnel manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production TAASD.",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of TAAS.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)",
        "small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)",
        "medium": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)",
        "large": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)",
        "enterprise": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2",
          "CC3.2",
          "CC5.1",
          "CC5.2",
          "CC6.1-POF2",
          "CC8.1-POF15",
          "CC8.1-POF18"
        ],
        "general-cis-csc-8-1": [
          "12.2",
          "12.6",
          "16.0",
          "16.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.2",
          "12.6",
          "16.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.2",
          "12.6",
          "16.1"
        ],
        "general-cobit-2019": [
          "APO03.01",
          "APO03.02",
          "APO03.03",
          "APO03.04",
          "APO03.05",
          "APO04.05"
        ],
        "general-coso-2013": [
          "10",
          "11",
          "14"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-18",
          "DSP-07",
          "I&S-01"
        ],
        "general-csa-iot-2": [
          "CLS-05",
          "GVN-02",
          "SWS-04"
        ],
        "general-cr-cmm-2026": [
          "CR4.3.1"
        ],
        "general-govramp": [
          "SA-08",
          "SC-01",
          "SC-07(18)",
          "SI-01"
        ],
        "general-govramp-low": [
          "SC-01",
          "SI-01"
        ],
        "general-govramp-low-plus": [
          "SC-01",
          "SI-01"
        ],
        "general-govramp-mod": [
          "SA-08",
          "SC-01",
          "SC-07(18)",
          "SI-01"
        ],
        "general-govramp-high": [
          "SA-08",
          "SC-01",
          "SC-07(18)",
          "SI-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.2",
          "3.5.5",
          "3.8"
        ],
        "general-iso-21434-2021": [
          "RQ-10-06"
        ],
        "general-iso-27002-2022": [
          "8.12",
          "8.26",
          "8.27"
        ],
        "general-iso-27017-2015": [
          "14.1.2",
          "14.2.5"
        ],
        "general-iso-27018-2025": [
          "8.12",
          "8.26",
          "8.27"
        ],
        "general-mitre-att&ck-16-1": [
          "T1005",
          "T1025",
          "T1041",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1052",
          "T1052.001",
          "T1078",
          "T1078.001",
          "T1078.003",
          "T1078.004",
          "T1134.005",
          "T1190",
          "T1213.003",
          "T1482",
          "T1559.003",
          "T1567",
          "T1574.002",
          "T1647"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0",
          "TS-1.14"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(b)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P4",
          "GV.PO-P2",
          "CM.AW-P3",
          "PR.DS-P5"
        ],
        "general-nist-800-37-r2": [
          "TASK P-15"
        ],
        "general-nist-800-53-r4": [
          "AR-7",
          "SA-8",
          "SA-13",
          "SC-1",
          "SC-7(18)",
          "SI-1"
        ],
        "general-nist-800-53-r5-2": [
          "PT-01",
          "SA-08",
          "SA-15(05)",
          "SC-01",
          "SC-07(18)",
          "SI-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PT-01",
          "SA-08",
          "SA-15(05)",
          "SC-01",
          "SI-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-08",
          "SC-01",
          "SI-01"
        ],
        "general-nist-800-53-r5-2-high": [
          "SC-07(18)"
        ],
        "general-nist-800-82-r3": [
          "PT-01",
          "SA-08",
          "SA-15(05)",
          "SC-01",
          "SC-07(18)",
          "SI-01"
        ],
        "general-nist-800-82-r3-low": [
          "SA-08",
          "SC-01",
          "SI-01"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-08",
          "SC-01",
          "SC-07(18)",
          "SI-01"
        ],
        "general-nist-800-82-r3-high": [
          "SA-08",
          "SC-01",
          "SC-07(18)",
          "SI-01"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-15(05)"
        ],
        "general-nist-800-161-r1": [
          "PT-1",
          "SA-8",
          "SC-1",
          "SI-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-8",
          "SC-1",
          "SI-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PT-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "PT-1",
          "SA-8",
          "SC-1",
          "SI-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "PT-1",
          "SA-8",
          "SC-1",
          "SI-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "PT-1",
          "SA-8",
          "SC-1",
          "SI-1"
        ],
        "general-nist-800-171-r2": [
          "3.13.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.a",
          "03.01.16.a",
          "03.01.16.b",
          "03.01.16.c",
          "03.01.18.a",
          "03.13.01.c",
          "03.16.01"
        ],
        "general-nist-800-171a": [
          "3.13.2[a]",
          "3.13.2[c]",
          "3.13.2[d]",
          "3.13.2[f]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.01.ODP[01]"
        ],
        "general-nist-csf-2-0": [
          "PR.IR",
          "PR.IR-01",
          "PR.IR-03"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.2",
          "6.1",
          "6.2",
          "6.2.1",
          "8.5",
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.1",
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.1",
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.1",
          "8.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.1",
          "8.5.1"
        ],
        "general-scf-dpmp-2025": [
          "5.12",
          "7.1"
        ],
        "general-swift-cscf-2025": [
          "1.3"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "RTSE:SG1",
          "RTSE:SG1.SP1",
          "RTSE:SG1.SP2",
          "RTSE:SG1.SP3",
          "RTSE:SG1.SP4",
          "RTSE:SG1.SP5",
          "RTSE:SG2",
          "RTSE:SG2.SP1",
          "RTSE:SG2.SP2",
          "RTSE:SG3",
          "RTSE:GG1.GP1",
          "RTSE:GG2",
          "RTSE:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.RESIL"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.E"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-8",
          "SC-1",
          "SI-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1b",
          "ARCHITECTURE-1j",
          "ARCHITECTURE-5g",
          "ARCHITECTURE-5h"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.2"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.4.a"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "3.0"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PT-01",
          "SA-08",
          "SA-15(05)",
          "SC-01",
          "SI-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PT-01",
          "SA-08",
          "SA-15(05)",
          "SC-01",
          "SC-07(18)",
          "SI-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PT-01",
          "SA-08",
          "SA-15(05)",
          "SC-01",
          "SC-07(18)",
          "SI-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PT-01",
          "SA-08",
          "SA-15(05)",
          "SC-01",
          "SI-01"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "PT-1",
          "SA-8",
          "SC-1",
          "SC-7(CE-18)",
          "SI-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-8",
          "SC-1",
          "SC-7(18)",
          "SI-1",
          "AR-7"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-08",
          "SC-01",
          "SI-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-01",
          "SI-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-08",
          "SC-01",
          "SI-01"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.1(79)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.3(a)",
          "Article 9.3(b)",
          "Article 9.3(c)",
          "Article 9.3(d)",
          "Article 9 (end)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.5"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.1",
          "6.2.2(b)",
          "6.2.2(c)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4b",
          "Sec 9",
          "Sec 9a",
          "Sec 16",
          "Annex"
        ],
        "emea-deu-bsrit-2017": [
          "12.1"
        ],
        "emea-deu-c5-2020": [
          "COS-01"
        ],
        "emea-grc-pirppd-1997": [
          "9"
        ],
        "emea-hun-isdfi-2011": [
          "7",
          "8"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "2.1",
          "15.6",
          "17.7"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31",
          "33",
          "34",
          "35",
          "42"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14",
          "29"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36",
          "47"
        ],
        "emea-rus-federal-law-27-2006": [
          "7",
          "12",
          "19"
        ],
        "emea-sau-cgiot-2024": [
          "1-5-1",
          "2-5-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-4",
          "2-4-3",
          "2-15-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-43"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.4",
          "3.3.8",
          "3.3.13"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "21"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 29"
        ],
        "emea-esp-decree-311-2022": [
          "29"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.1.2 [OP.PL.2]"
        ],
        "emea-che-fadp-2025": [
          "6",
          "7"
        ],
        "emea-tur-lppd-2016": [
          "8",
          "12"
        ],
        "emea-uae-niaf-2023": [
          "3.2.1"
        ],
        "emea-gbr-caf-4-0": [
          "B4.a",
          "B5.b"
        ],
        "emea-gbr-cap-1850-2020": [
          "B4",
          "B5"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2400"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2400"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2400"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2400"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 8",
          "APP Part 11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1739",
          "ISM-1743"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 4",
          "Principle 5",
          "Principle 6",
          "Principle 7"
        ],
        "apac-aus-ps-cps-234-2019": [
          "15",
          "18"
        ],
        "apac-chn-csnip-2012": [
          "4"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 4",
          "Sec 33"
        ],
        "apac-ind-privacy-rules-2011": [
          "7",
          "8"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S17"
        ],
        "apac-jpn-ppi-2020": [
          "20"
        ],
        "apac-jpn-ismap": [
          "14.2.5",
          "14.2.5.1",
          "14.2.5.2",
          "14.2.5.3",
          "14.2.5.4",
          "14.2.5.5",
          "14.2.5.6",
          "14.2.5.7"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP16",
          "HML16"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP14"
        ],
        "apac-nzl-ism-3-9": [
          "1.2.13.C.01",
          "1.2.13.C.02"
        ],
        "apac-phl-dpa-2012": [
          "25",
          "29"
        ],
        "apac-sgp-pdpa-2012": [
          "24",
          "26"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.6.1",
          "5.6.2",
          "5.6.3",
          "11.2.8"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "29"
        ],
        "apac-twn-pdpa-2025": [
          "21"
        ],
        "americas-bhs-dpa-2003": [
          "6",
          "12"
        ],
        "americas-bmu-mba-coc-2020": [
          "4"
        ],
        "americas-bra-lgpd-2018": [
          "6.7",
          "46",
          "37",
          "49"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3.1",
          "2",
          "2.1",
          "2.1.2",
          "3.2",
          "3.2.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.A",
          "03.01.16.A",
          "03.01.16.B",
          "03.01.16.C",
          "03.01.18.A",
          "03.13.01.C",
          "03.16.01"
        ],
        "americas-can-pipeda-2000": [
          "Principle 7"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "4",
          "26"
        ],
        "americas-mex-fdpa-2010": [
          "19",
          "36",
          "37"
        ]
      }
    },
    {
      "control_id": "SEA-01.1",
      "title": "Centralized Management of Security, Compliance & Resilience Controls",
      "family": "SEA",
      "description": "Mechanisms exist to centrally-manage the organization-wide management and implementation of security, compliance and resilience controls and related processes.",
      "scf_question": "Does the organization centrally-manage the organization-wide management and implementation of security, compliance and resilience controls and related processes?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-10",
        "E-GOV-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to centrally-manage the organization-wide management and implementation of security, compliance and resilience controls and related processes.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Secure Engineering & Architecture (SEA) capabilities are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "small": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "medium": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "large": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "enterprise": "∙  GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.1"
        ],
        "general-cis-csc-8-1": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.1"
        ],
        "general-cobit-2019": [
          "APO03.01",
          "APO03.03"
        ],
        "general-coso-2013": [
          "10",
          "11"
        ],
        "general-csa-iot-2": [
          "CLS-05",
          "GVN-02"
        ],
        "general-iso-27002-2022": [
          "8.12"
        ],
        "general-iso-27018-2025": [
          "8.12"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P2"
        ],
        "general-nist-800-53-r4": [
          "PL-9"
        ],
        "general-nist-800-53-r5-2": [
          "PL-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-09"
        ],
        "general-nist-800-82-r3": [
          "PL-09"
        ],
        "general-nist-800-161-r1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-9"
        ],
        "general-nist-csf-2-0": [
          "PR.IR"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.1",
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-scf-dpmp-2025": [
          "7.0"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-9"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2l",
          "ARCHITECTURE-1f"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-09"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)"
        ],
        "emea-zaf-popia-2013": [
          "8"
        ],
        "apac-aus-ps-cps-234-2019": [
          "18"
        ],
        "apac-nzl-ism-3-9": [
          "4.3.19.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.5.1"
        ],
        "americas-arg-ppd-2018": [
          "9.1"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3.1"
        ]
      }
    },
    {
      "control_id": "SEA-01.2",
      "title": "Achieving Resilience Requirements",
      "family": "SEA",
      "description": "Mechanisms exist to achieve resilience requirements in normal and adverse situations.",
      "scf_question": "Does the organization achieve resilience requirements in normal and adverse situations?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-01",
        "E-GOV-10",
        "E-GOV-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to achieve resilience requirements in normal and adverse situations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)",
        "small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)",
        "medium": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)",
        "large": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)",
        "enterprise": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2-POF11",
          "CC8.1-POF15"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-18"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.5",
          "3.8"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 2.7"
        ],
        "general-nist-csf-2-0": [
          "PR.IR",
          "PR.IR-02",
          "PR.IR-03"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "RRD:GG1.GP1",
          "RRM:GG1.GP1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.RESIL"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1j"
        ],
        "emea-eu-ai-act-2024": [
          "Article 15.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.2.4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2500",
          "2501"
        ],
        "emea-gbr-def-stan-05-138-l0-2024": [
          "2500"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2500",
          "2501"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2500",
          "2501"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2500",
          "2501"
        ],
        "americas-can-osfi-b13-2022": [
          "2",
          "2.1.2",
          "3.2.1"
        ]
      }
    },
    {
      "control_id": "SEA-01.3",
      "title": "Resilience Capabilities",
      "family": "SEA",
      "description": "Mechanisms exist to ensure security, compliance and resilience are designed and implemented to provide resistance to:\n(1) Unintentional errors (by users or software); and \n(2) Intentional attack or circumvention.",
      "scf_question": "Does the organization ensure security, compliance and resilience are designed and implemented to provide resistance to:\n(1) Unintentional errors (by users or software); and \n(2) Intentional attack or circumvention?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to  ensure security, compliance and resilience are designed and implemented to provide resistance to:\n(1) Unintentional errors (by users or software); and \n(2) Intentional attack or circumvention.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document security requirements for any new systems built or purchased",
        "small": "∙ Security requirements checklist for systems engineering",
        "medium": "∙ Formal security requirements engineering process\n∙ Security integrated into system design",
        "large": "∙ Enterprise systems security engineering program\n∙ Security architecture reviews",
        "enterprise": "∙ Enterprise systems security engineering program (NIST SP 800-160)\n∙ Architecture review board\n∙ Threat modeling integration"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DCS-18"
        ],
        "general-cr-cmm-2026": [
          "CR4.3.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EC:SG2.SP1",
          "KIM:SG2.SP1",
          "RRD:SG1",
          "RRD:SG1.SP1",
          "RRD:SG2",
          "RRD:SG2.SP1",
          "RRD:SG2.SP2",
          "RRD:SG3",
          "RRD:SG3.SP1",
          "RRD:SG3.SP2",
          "RRD:SG3.SP3",
          "RRD:GG2",
          "RRD:GG2.GP2",
          "RRM:SG1",
          "RRM:SG1.SP1",
          "RRM:SG1.SP2",
          "RRM:SG1.SP3",
          "RRM:SG1.SP4",
          "RRM:SG1.SP5",
          "RRM:GG2",
          "RRM:GG2.GP2",
          "RTSE:SG3.SP1",
          "RTSE:SG3.SP2",
          "TM:SG2.SP1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1j"
        ],
        "emea-gbr-caf-4-0": [
          "B5",
          "B5.b"
        ]
      }
    },
    {
      "control_id": "SEA-02",
      "title": "Alignment With Enterprise Architecture",
      "family": "SEA",
      "description": "Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for security, compliance and resilience principles that addresses risk to organizational operations, assets, individuals and other organizations.",
      "scf_question": "Does the organization develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for security, compliance and resilience principles that addresses risk to organizational operations, assets, individuals and other organizations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-04",
        "E-TDA-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for security, compliance and resilience principles that addresses risk to organizational operations, assets, individuals and other organizations.",
        "4": "In addition to Secure Engineering & Architecture (SEA) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Follow secure coding basics\n∙ Document security decisions",
        "small": "∙ Secure design checklist\n∙ Basic threat modeling",
        "medium": "∙ Enterprise architecture committee",
        "large": "∙ Enterprise architecture committee",
        "enterprise": "∙ Enterprise architecture committee"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1",
          "CC4.1",
          "CC5.1",
          "CC6.1-POF2"
        ],
        "general-cis-csc-8-1": [
          "12.2",
          "16.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.2",
          "16.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.2",
          "16.1"
        ],
        "general-cobit-2019": [
          "APO02.01",
          "APO03.01",
          "APO03.02",
          "APO03.03",
          "APO03.04",
          "APO03.05",
          "APO04.02",
          "APO04.03",
          "APO04.04",
          "APO04.05",
          "APO04.06"
        ],
        "general-coso-2013": [
          "10"
        ],
        "general-csa-cmm-4-1-0": [
          "I&S-08"
        ],
        "general-csa-iot-2": [
          "GVN-02",
          "OPA-06",
          "OPA-07",
          "SWS-04"
        ],
        "general-govramp": [
          "PL-08"
        ],
        "general-govramp-low-plus": [
          "PL-08"
        ],
        "general-govramp-mod": [
          "PL-08"
        ],
        "general-govramp-high": [
          "PL-08"
        ],
        "general-iso-27002-2022": [
          "5.8",
          "8.26"
        ],
        "general-iso-27017-2015": [
          "6.1.5",
          "14.1.1"
        ],
        "general-iso-27018-2025": [
          "5.8",
          "8.26"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P2"
        ],
        "general-nist-800-53-r4": [
          "PL-8",
          "PM-7"
        ],
        "general-nist-800-53-r5-2": [
          "PL-08",
          "PM-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-08",
          "PM-07"
        ],
        "general-nist-800-53-r5-2-mod": [
          "PL-08"
        ],
        "general-nist-800-82-r3": [
          "PL-08",
          "PM-07"
        ],
        "general-nist-800-82-r3-low": [
          "PM-07"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-08",
          "PM-07"
        ],
        "general-nist-800-82-r3-high": [
          "PL-08",
          "PM-07"
        ],
        "general-nist-800-161-r1": [
          "PL-8",
          "PM-7"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-7"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-8",
          "PM-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "PL-8"
        ],
        "general-nist-800-171-r2": [
          "NFO - PL-8"
        ],
        "general-nist-800-171-r3": [
          "03.01.12.a",
          "03.01.16.a",
          "03.01.18.a",
          "03.13.01.c",
          "03.16.01"
        ],
        "general-nist-csf-2-0": [
          "PR.IR",
          "PR.IR-01",
          "PR.IR-03"
        ],
        "general-pci-dss-4-0-1": [
          "1.2"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-swift-cscf-2025": [
          "1.3"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-8"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1b",
          "ARCHITECTURE-1c",
          "ARCHITECTURE-1d",
          "ARCHITECTURE-1h",
          "ARCHITECTURE-1j",
          "ARCHITECTURE-1k"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "3.0"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-08"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(1)",
          "164.306(b)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(1)",
          "164.306(b)(2)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "PL-8",
          "PM-7",
          "PM-7(IRS-Defined)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-8",
          "PL-8.a",
          "PL-8.a.1",
          "PL-8.a.2",
          "PL-8.a.3",
          "PL-8.b",
          "PL-8.c",
          "PM-7"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(B)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-07"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-08"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.1(79)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.3(a)",
          "Article 9.3(b)",
          "Article 9.3(c)",
          "Article 9.3(d)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4b",
          "Sec 9",
          "Sec 9a",
          "Sec 16",
          "Annex"
        ],
        "emea-deu-bsrit-2017": [
          "12.1"
        ],
        "emea-deu-c5-2020": [
          "COS-01"
        ],
        "emea-grc-pirppd-1997": [
          "9"
        ],
        "emea-hun-isdfi-2011": [
          "7",
          "8"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "2.1",
          "15.6",
          "17.7"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31",
          "33",
          "34",
          "35",
          "42"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14",
          "29"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36",
          "47"
        ],
        "emea-rus-federal-law-27-2006": [
          "7",
          "12",
          "19"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-4",
          "2-4-3",
          "2-15-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-43"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.4",
          "3.3.8",
          "3.3.13"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "21"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 29"
        ],
        "emea-esp-decree-311-2022": [
          "29"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.1.2 [OP.PL.2]"
        ],
        "emea-che-fadp-2025": [
          "6",
          "7"
        ],
        "emea-tur-lppd-2016": [
          "8",
          "12"
        ],
        "emea-gbr-cap-1850-2020": [
          "B4",
          "B5"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 8",
          "APP Part 11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1739",
          "ISM-1743"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 4",
          "Principle 5",
          "Principle 6",
          "Principle 7"
        ],
        "apac-aus-ps-cps-234-2019": [
          "15",
          "18"
        ],
        "apac-chn-csnip-2012": [
          "4"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 4",
          "Sec 33"
        ],
        "apac-ind-privacy-rules-2011": [
          "7",
          "8"
        ],
        "apac-jpn-ppi-2020": [
          "20"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-ism-3-9": [
          "1.2.13.C.01",
          "1.2.13.C.02"
        ],
        "apac-phl-dpa-2012": [
          "25",
          "29"
        ],
        "apac-sgp-pdpa-2012": [
          "24",
          "26"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.6.1",
          "5.6.2",
          "5.6.3",
          "11.2.8"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "29"
        ],
        "apac-twn-pdpa-2025": [
          "21"
        ],
        "americas-bhs-dpa-2003": [
          "6",
          "12"
        ],
        "americas-bmu-mba-coc-2020": [
          "4"
        ],
        "americas-bra-lgpd-2018": [
          "6.7",
          "46",
          "37",
          "49"
        ],
        "americas-can-osfi-b13-2022": [
          "2",
          "2.1",
          "2.1.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.12.A",
          "03.01.16.A",
          "03.01.18.A",
          "03.13.01.C",
          "03.16.01"
        ],
        "americas-can-pipeda-2000": [
          "Principle 7"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "4",
          "26"
        ],
        "americas-mex-fdpa-2010": [
          "19",
          "36",
          "37"
        ]
      }
    },
    {
      "control_id": "SEA-02.1",
      "title": "Standardized Terminology",
      "family": "SEA",
      "description": "Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments.",
      "scf_question": "Does the organization standardize technology and process terminology to reduce confusion amongst groups and departments?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to standardize technology and process terminology to reduce confusion amongst groups and departments.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Follow secure coding basics when developing software",
        "small": "∙ Secure coding guidelines for developers\n∙ Basic security review before release",
        "medium": "∙ Formal security engineering principles\n∙ Secure design patterns\n∙ Threat modeling",
        "large": "∙ Enterprise security engineering program\n∙ Formal threat modeling\n∙ Security architecture standards",
        "enterprise": "∙ Enterprise security architecture framework (SABSA)\n∙ Formal threat modeling program\n∙ Security design patterns library"
      },
      "risks": [
        "R-BC-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2"
        ],
        "general-cobit-2019": [
          "APO14.02"
        ],
        "general-coso-2013": [
          "14"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "3.0"
        ],
        "general-iso-22301-2019": [
          "3"
        ],
        "general-iso-27001-2022": [
          "3.0"
        ],
        "general-iso-27002-2022": [
          "3.0",
          "3.1",
          "3.2"
        ],
        "general-iso-27701-2025": [
          "3"
        ],
        "general-iso-42001-2023": [
          "3.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "3"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG1.SP2"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(a)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.2"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.103",
          "164.304",
          "164.402",
          "164.501",
          "164.504(a)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7001"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.1"
        ],
        "usa-state-tn-tipa-2025": [
          "47-18-3201"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.001"
        ],
        "usa-state-tx-sb2610-2025": [
          "542.001(1)",
          "542.001(2)",
          "542.001(3)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-575"
        ],
        "emea-eu-ai-act-2024": [
          "Article 3"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 3"
        ],
        "emea-eu-gdpr-2016": [
          "Article 4"
        ],
        "emea-ken-pda-2019": [
          "2"
        ],
        "emea-nga-dpr-2019": [
          "1.3"
        ],
        "emea-qat-pdppl-2020": [
          "1"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 4"
        ],
        "emea-esp-decree-311-2022": [
          "4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.4"
        ],
        "americas-can-osfi-b13-2022": [
          "A.1"
        ]
      }
    },
    {
      "control_id": "SEA-02.2",
      "title": "Outsourcing Non-Essential Functions or Services",
      "family": "SEA",
      "description": "Mechanisms exist to identify non-essential functions or services that are capable of being outsourced to external service providers and align with the organization's enterprise architecture and security standards.",
      "scf_question": "Does the organization identify non-essential functions or services that are capable of being outsourced to external service providers and align with its enterprise architecture and security standards?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to identify non-essential functions or services that are capable of being outsourced to external service providers and align with the organization's enterprise architecture and security standards.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Apply security-by-design when building/procuring systems",
        "small": "∙ Security-by-design policy for new developments and acquisitions",
        "medium": "∙ Formal security-by-design principles integrated into development lifecycle",
        "large": "∙ Enterprise security-by-design program\n∙ Security architecture reviews at design phase",
        "enterprise": "∙ Enterprise security-by-design framework\n∙ Architecture review board\n∙ Automated security architecture analysis"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "PM-07(01)"
        ],
        "general-nist-800-82-r3": [
          "PM-07(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PM-07(01)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(d)"
        ],
        "apac-jpn-ismap": [
          "4.5.4.5"
        ]
      }
    },
    {
      "control_id": "SEA-02.3",
      "title": "Technical Debt Reviews",
      "family": "SEA",
      "description": "Mechanisms exist to conduct ongoing “technical debt” reviews of hardware and software technologies to remediate outdated and/or unsupported technologies.",
      "scf_question": "Does the organization conduct ongoing “technical debt” reviews of hardware and software technologies to remediate outdated and/or unsupported technologies?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to conduct ongoing “technical debt” reviews of hardware and software technologies to remediate outdated and/or unsupported technologies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)",
        "small": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)",
        "medium": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)",
        "large": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)",
        "enterprise": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.7"
        ],
        "general-pci-dss-4-0-1": [
          "12.3.4",
          "A3.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.3.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.K"
        ],
        "emea-eu-dora-2023": [
          "Article 8.7"
        ]
      }
    },
    {
      "control_id": "SEA-03",
      "title": "Defense-In-Depth (DiD) Architecture",
      "family": "SEA",
      "description": "Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
      "scf_question": "Does the organization implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-04",
        "E-TDA-09"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).\n▪ IT and/or cybersecurity personnel manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production TAASD.",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
        "4": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defense-in-depth (DiD) architecture",
        "small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defense-in-depth (DiD) architecture",
        "medium": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defense-in-depth (DiD) architecture\n∙ Enterprise architecture committee",
        "large": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defense-in-depth (DiD) architecture\n∙ Enterprise architecture committee",
        "enterprise": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defense-in-depth (DiD) architecture\n∙ Enterprise architecture committee"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-cobit-2019": [
          "APO03.01",
          "APO04.05"
        ],
        "general-csa-cmm-4-1-0": [
          "I&S-09"
        ],
        "general-cr-cmm-2026": [
          "CR4.3.6"
        ],
        "general-iec-62443-4-1-2018": [
          "SD-2"
        ],
        "general-nist-800-53-r4": [
          "PL-8(1)",
          "SC-3(5)"
        ],
        "general-nist-800-53-r5-2": [
          "PL-08(01)",
          "SC-03(05)"
        ],
        "general-nist-800-82-r3": [
          "PL-08(01)",
          "SC-03(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PL-08(01)",
          "SC-03(05)"
        ],
        "general-nist-800-171-r2": [
          "3.13.2"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.1",
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.1",
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.1",
          "1.4.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.1",
          "1.4.1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.E"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1b"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.2"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "3.0"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "PL-8(CE-1)",
          "PL-8(CE-1).a",
          "PL-8(CE-1).b"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(2)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.1(79)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.3(a)",
          "Article 9.3(b)",
          "Article 9.3(c)",
          "Article 9.3(d)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 4b",
          "Sec 9",
          "Sec 9a",
          "Sec 16",
          "Annex"
        ],
        "emea-deu-bsrit-2017": [
          "12.1"
        ],
        "emea-deu-c5-2020": [
          "COS-01"
        ],
        "emea-grc-pirppd-1997": [
          "9"
        ],
        "emea-hun-isdfi-2011": [
          "7",
          "8"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "2.1",
          "15.6",
          "17.7"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31",
          "33",
          "34",
          "35",
          "42"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14",
          "29"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36",
          "47"
        ],
        "emea-rus-federal-law-27-2006": [
          "7",
          "12",
          "19"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-4",
          "2-4-3",
          "2-15-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-43"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.4",
          "3.3.8",
          "3.3.13"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "21"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 9.1",
          "Article 9.1(a)",
          "Article 9.1(b)",
          "Article 9.2"
        ],
        "emea-esp-decree-311-2022": [
          "29"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.1.2 [OP.PL.2]"
        ],
        "emea-che-fadp-2025": [
          "6",
          "7"
        ],
        "emea-tur-lppd-2016": [
          "8",
          "12"
        ],
        "emea-gbr-cap-1850-2020": [
          "B4",
          "B5"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 8",
          "APP Part 11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1739",
          "ISM-1743"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 4",
          "Principle 5",
          "Principle 6",
          "Principle 7"
        ],
        "apac-aus-ps-cps-234-2019": [
          "15",
          "18"
        ],
        "apac-chn-csnip-2012": [
          "4"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 4",
          "Sec 33"
        ],
        "apac-ind-privacy-rules-2011": [
          "7",
          "8"
        ],
        "apac-jpn-ppi-2020": [
          "20"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-ism-3-9": [
          "1.2.13.C.01",
          "1.2.13.C.02"
        ],
        "apac-phl-dpa-2012": [
          "25",
          "29"
        ],
        "apac-sgp-pdpa-2012": [
          "24",
          "26"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.6.1",
          "5.6.2",
          "5.6.3",
          "11.2.8"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "29"
        ],
        "apac-twn-pdpa-2025": [
          "21"
        ],
        "americas-bhs-dpa-2003": [
          "6",
          "12"
        ],
        "americas-bmu-mba-coc-2020": [
          "4"
        ],
        "americas-bra-lgpd-2018": [
          "6.7",
          "46",
          "37",
          "49"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2",
          "3.2.4"
        ],
        "americas-can-pipeda-2000": [
          "Principle 7"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "4",
          "26"
        ],
        "americas-mex-fdpa-2010": [
          "19",
          "36",
          "37"
        ]
      }
    },
    {
      "control_id": "SEA-03.1",
      "title": "System Partitioning",
      "family": "SEA",
      "description": "Mechanisms exist to partition systems so that partitions reside in separate physical domains or environments.",
      "scf_question": "Does the organization partition systems so that partitions reside in separate physical domains or environments?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to partition systems so that partitions reside in separate physical domains or environments.",
        "4": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "3.12"
        ],
        "general-cis-csc-8-1-ig2": [
          "3.12"
        ],
        "general-cis-csc-8-1-ig3": [
          "3.12"
        ],
        "general-mitre-att&ck-16-1": [
          "T1590.002"
        ],
        "general-nist-800-53-r4": [
          "SC-32"
        ],
        "general-nist-800-53-r5-2": [
          "SC-32"
        ],
        "general-nist-800-82-r3": [
          "SC-32"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-32"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-32",
          "SC-32-iS"
        ]
      }
    },
    {
      "control_id": "SEA-03.2",
      "title": "Application Partitioning",
      "family": "SEA",
      "description": "Mechanisms exist to separate user functionality from system management functionality.",
      "scf_question": "Does the organization separate user functionality from system management functionality?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to separate user functionality from system management functionality.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-govramp": [
          "SC-02"
        ],
        "general-govramp-core": [
          "SC-02"
        ],
        "general-govramp-low-plus": [
          "SC-02"
        ],
        "general-govramp-mod": [
          "SC-02"
        ],
        "general-govramp-high": [
          "SC-02"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 5.4"
        ],
        "general-mitre-att&ck-16-1": [
          "T1068",
          "T1189",
          "T1190",
          "T1203",
          "T1210",
          "T1211",
          "T1212",
          "T1611"
        ],
        "general-nist-800-53-r4": [
          "SC-2",
          "SC-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-02",
          "SC-02(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-02"
        ],
        "general-nist-800-82-r3": [
          "SC-02",
          "SC-02(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-02"
        ],
        "general-nist-800-82-r3-high": [
          "SC-02"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-02",
          "SC-02(01)"
        ],
        "general-nist-800-171-r2": [
          "3.13.3"
        ],
        "general-nist-800-171a": [
          "3.13.3[a]",
          "3.13.3[b]",
          "3.13.3[c]"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-2"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.3"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-02"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-2",
          "SC-2(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-2"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-02"
        ]
      }
    },
    {
      "control_id": "SEA-04",
      "title": "Process Isolation",
      "family": "SEA",
      "description": "Mechanisms exist to implement a separate execution domain for each executing process.",
      "scf_question": "Does the organization implement a separate execution domain for each executing process?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to implement a separate execution domain for each executing process.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-govramp": [
          "SC-39"
        ],
        "general-govramp-low": [
          "SC-39"
        ],
        "general-govramp-low-plus": [
          "SC-39"
        ],
        "general-govramp-mod": [
          "SC-39"
        ],
        "general-govramp-high": [
          "SC-39"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "5.2 - CR 2.1"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1003.002",
          "T1003.003",
          "T1003.004",
          "T1003.005",
          "T1003.006",
          "T1003.007",
          "T1003.008",
          "T1068",
          "T1189",
          "T1190",
          "T1203",
          "T1210",
          "T1211",
          "T1212",
          "T1547.002",
          "T1547.005",
          "T1547.008",
          "T1556",
          "T1556.001",
          "T1611"
        ],
        "general-nist-800-53-r4": [
          "SC-39"
        ],
        "general-nist-800-53-r5-2": [
          "SC-39"
        ],
        "general-nist-800-53-r5-2-low": [
          "SC-39"
        ],
        "general-nist-800-82-r3": [
          "SC-39"
        ],
        "general-nist-800-82-r3-low": [
          "SC-39"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-39"
        ],
        "general-nist-800-82-r3-high": [
          "SC-39"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-39"
        ],
        "general-nist-800-171-r2": [
          "NFO - SC-39"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-39"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-39"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-39"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-39"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-39"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-39"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SC-39"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SC-39"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-39"
        ],
        "emea-eu-nis2-annex-2024": [
          "11.4.2(b)"
        ]
      }
    },
    {
      "control_id": "SEA-04.1",
      "title": "Security Function Isolation",
      "family": "SEA",
      "description": "Mechanisms exist to isolate security functions from non-security functions.",
      "scf_question": "Does the organization isolate security functions from non-security functions?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to isolate security functions from non-security functions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-govramp": [
          "SC-03"
        ],
        "general-govramp-high": [
          "SC-03"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003.001",
          "T1021.003",
          "T1047",
          "T1068",
          "T1134.005",
          "T1189",
          "T1190",
          "T1203",
          "T1210",
          "T1211",
          "T1212",
          "T1559",
          "T1559.001",
          "T1559.002",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1611"
        ],
        "general-nist-800-53-r4": [
          "SC-3"
        ],
        "general-nist-800-53-r5-2": [
          "SC-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-03"
        ],
        "general-nist-800-53-r5-2-high": [
          "SC-03"
        ],
        "general-nist-800-82-r3": [
          "SC-03"
        ],
        "general-nist-800-82-r3-high": [
          "SC-03"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-03"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.3",
          "10.7.1",
          "11.4.5",
          "11.4.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.3",
          "10.7.1",
          "11.4.5",
          "11.4.6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-03"
        ]
      }
    },
    {
      "control_id": "SEA-04.2",
      "title": "Hardware Separation",
      "family": "SEA",
      "description": "Mechanisms exist to implement underlying hardware separation mechanisms to facilitate process separation.",
      "scf_question": "Does the organization implement underlying hardware separation mechanisms to facilitate process separation?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to implement underlying hardware separation mechanisms to facilitate process separation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Formal security architecture for high-risk systems",
        "large": "∙ Enterprise security architecture program\n∙ Technology-specific security architectures",
        "enterprise": "∙ Enterprise security architecture center of excellence\n∙ Reference architectures\n∙ Architecture governance board"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-39(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-39(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-39(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-39(01)"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ]
      }
    },
    {
      "control_id": "SEA-04.3",
      "title": "Thread Separation",
      "family": "SEA",
      "description": "Mechanisms exist to maintain a separate execution domain for each thread in multi-threaded processing.",
      "scf_question": "Does the organization maintain a separate execution domain for each thread in multi-threaded processing?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to maintain a separate execution domain for each thread in multi-threaded processing.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "large": "∙ Security architecture review for enterprise-class systems",
        "enterprise": "∙ Enterprise security architecture review board\n∙ Architecture patterns library\n∙ Continuous architecture governance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-39(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-39(02)"
        ],
        "general-nist-800-82-r3": [
          "SC-39(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-39(02)"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ]
      }
    },
    {
      "control_id": "SEA-04.4",
      "title": "System Privileges Isolation",
      "family": "SEA",
      "description": "Mechanisms exist to isolate, or logically separate, any application, service and/or process running with system privileges.",
      "scf_question": "Does the organization isolate, or logically separate, any application, service and/or process running with system privileges?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to isolate, or logically separate, any application, service and/or process running with system privileges.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise security architecture for highest classification systems\n∙ Formal architecture assurance program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-iec-tr-60601-4-5-2021": [
          "5.2 - CR 2.1"
        ]
      }
    },
    {
      "control_id": "SEA-05",
      "title": "Information In Shared Resources",
      "family": "SEA",
      "description": "Mechanisms exist to prevent unauthorized and unintended information transfer via shared system resources.",
      "scf_question": "Does the organization prevent unauthorized and unintended information transfer via shared system resources?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to prevent unauthorized and unintended information transfer via shared system resources.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Logical Access Control (LAC)",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Logical Access Control (LAC)",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Logical Access Control (LAC)",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Logical Access Control (LAC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Logical Access Control (LAC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-govramp": [
          "SC-04"
        ],
        "general-govramp-core": [
          "SC-04"
        ],
        "general-govramp-low-plus": [
          "SC-04"
        ],
        "general-govramp-mod": [
          "SC-04"
        ],
        "general-govramp-high": [
          "SC-04"
        ],
        "general-mitre-att&ck-16-1": [
          "T1020.001",
          "T1040",
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1080",
          "T1119",
          "T1530",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.004",
          "T1557",
          "T1557.002",
          "T1558",
          "T1558.002",
          "T1558.003",
          "T1558.004",
          "T1558.005",
          "T1564.009",
          "T1565",
          "T1565.001",
          "T1565.002",
          "T1565.003",
          "T1595.003",
          "T1602",
          "T1602.001",
          "T1602.002"
        ],
        "general-nist-800-53-r4": [
          "SC-4"
        ],
        "general-nist-800-53-r5-2": [
          "SC-04"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SC-04"
        ],
        "general-nist-800-82-r3": [
          "SC-04"
        ],
        "general-nist-800-82-r3-mod": [
          "SC-04"
        ],
        "general-nist-800-82-r3-high": [
          "SC-04"
        ],
        "general-nist-800-161-r1": [
          "SC-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-4"
        ],
        "general-nist-800-171-r2": [
          "3.13.4"
        ],
        "general-nist-800-171-r3": [
          "03.13.04"
        ],
        "general-nist-800-171a": [
          "3.13.4"
        ],
        "general-nist-800-171a-r3": [
          "A.03.13.04[01]",
          "A.03.13.04[02]"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "general-sparta": [
          "CM0040"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.EUSSE"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SC-4"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SCL2.-3.13.4"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-04"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "SC-4",
          "SC-4-IS.1",
          "SC-4-IS.2"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SC-04"
        ],
        "emea-deu-c5-2020": [
          "OPS-24",
          "COS-06"
        ],
        "emea-isr-cmo-1-0": [
          "10.5",
          "10.8"
        ],
        "emea-sau-ecc-1-2018": [
          "4-2-3-1"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2416"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2416"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2416"
        ],
        "apac-jpn-ismap": [
          "9.5.P"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.13.04"
        ]
      }
    },
    {
      "control_id": "SEA-06",
      "title": "Prevent Program Execution",
      "family": "SEA",
      "description": "Automated mechanisms exist to prevent the execution of unauthorized software programs.",
      "scf_question": "Does the organization use automated mechanisms to prevent the execution of unauthorized software programs?",
      "relative_weight": 8,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to automatically prevent the execution of unauthorized software programs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-govramp": [
          "CM-07(02)"
        ],
        "general-govramp-mod": [
          "CM-07(02)"
        ],
        "general-govramp-high": [
          "CM-07(02)"
        ],
        "general-nist-800-53-r4": [
          "CM-7(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-07(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "CM-07(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "CM-07(02)"
        ],
        "general-nist-800-82-r3": [
          "CM-07(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "CM-07(02)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-07(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-07(02)"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "CM-7(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CM-07(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CM-07(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-07(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CM-07(02)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-7(2)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CM-07 (02)"
        ]
      }
    },
    {
      "control_id": "SEA-07",
      "title": "Predictable Failure Analysis",
      "family": "SEA",
      "description": "Mechanisms exist to determine the Mean Time to Failure (MTTF) for system components in specific environments of operation.",
      "scf_question": "Does the organization determine the Mean Time to Failure (MTTF) for system components in specific environments of operation?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to determine the Mean Time to Failure (MTTF) for system components in specific environments of operation.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets",
        "small": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets",
        "medium": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets",
        "large": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets",
        "enterprise": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SI-13"
        ],
        "general-nist-800-53-r5-2": [
          "SI-13"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-13"
        ],
        "general-nist-800-82-r3": [
          "SI-13"
        ],
        "general-nist-800-82-r3-high": [
          "SI-13"
        ],
        "general-nist-800-161-r1": [
          "MA-8"
        ],
        "general-nist-800-161-r1-level-3": [
          "MA-8"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-3"
        ],
        "general-nist-800-171-r3": [
          "03.16.02.b"
        ],
        "general-nist-csf-2-0": [
          "ID.AM-08"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-13"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-13"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-13"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-13"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.02.B"
        ]
      }
    },
    {
      "control_id": "SEA-07.1",
      "title": "Technology Lifecycle Management",
      "family": "SEA",
      "description": "Mechanisms exist to manage the usable lifecycles of Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization manage the usable lifecycles of Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to manage the usable lifecycles of TAAS.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets",
        "small": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets",
        "medium": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets",
        "large": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets",
        "enterprise": "∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Defined Mean Time to Failure (MTTF) for critical assets"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-8",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-cobit-2019": [
          "BAI09.03",
          "BAI09.04"
        ],
        "general-csa-iot-2": [
          "CCM-01",
          "CCM-05",
          "POL-04",
          "SET-05"
        ],
        "general-govramp": [
          "SA-03"
        ],
        "general-govramp-low": [
          "SA-03"
        ],
        "general-govramp-low-plus": [
          "SA-03"
        ],
        "general-govramp-mod": [
          "SA-03"
        ],
        "general-govramp-high": [
          "SA-03"
        ],
        "general-nist-800-53-r4": [
          "SA-3"
        ],
        "general-nist-800-53-r5-2": [
          "SA-03",
          "SA-03(01)",
          "SA-03(03)",
          "SA-08(30)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-03",
          "SA-03(01)",
          "SA-03(03)",
          "SA-08(30)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-03"
        ],
        "general-nist-800-82-r3": [
          "SA-03",
          "SA-03(01)",
          "SA-03(03)",
          "SA-08(30)"
        ],
        "general-nist-800-82-r3-low": [
          "SA-03"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-03"
        ],
        "general-nist-800-82-r3-high": [
          "SA-03"
        ],
        "general-nist-800-161-r1": [
          "SA-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-3"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-3"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-3"
        ],
        "general-nist-800-171-r3": [
          "03.16.02.a",
          "03.16.02.b"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-09",
          "ID.AM-08",
          "PR.PS-02",
          "PR.PS-03"
        ],
        "general-pci-dss-4-0-1": [
          "12.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.3.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.3.4"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.RLMAN"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-1h"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.3.7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-03",
          "SA-03(01)",
          "SA-03(03)",
          "SA-08(30)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-03",
          "SA-03(01)",
          "SA-03(03)",
          "SA-08(30)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-03",
          "SA-03(01)",
          "SA-03(03)",
          "SA-08(30)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-03",
          "SA-03(01)",
          "SA-03(03)",
          "SA-08(30)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-3"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-03"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(55)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.7.2(j)",
          "6.7.2(k)",
          "6.7.3"
        ],
        "emea-deu-bsrit-2017": [
          "8.3"
        ],
        "emea-sau-cgiot-2024": [
          "2-15-3"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 36"
        ],
        "emea-esp-decree-311-2022": [
          "36"
        ],
        "emea-gbr-caf-4-0": [
          "A3.a (point 5)"
        ],
        "apac-aus-essential-8-2024": [
          "ML3-P2"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.3.1",
          "7.3.2",
          "7.3.3"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3.1",
          "2.2",
          "2.2.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.02.A",
          "03.16.02.B"
        ]
      }
    },
    {
      "control_id": "SEA-07.2",
      "title": "Fail Secure",
      "family": "SEA",
      "description": "Mechanisms exist to enable systems to fail to an organization-defined known-state for types of failures, preserving system state information in failure.",
      "scf_question": "Does the organization enable systems to fail to an organization-defined known-state for types of failures, preserving system state information in failure?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to enable systems to fail to an organization-defined known-state for types of failures, preserving system state information in failure.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-govramp": [
          "SC-24"
        ],
        "general-govramp-high": [
          "SC-24"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 5.2 RE 3"
        ],
        "general-iec-62443-4-2-2019": [
          "NDR 5.2(3)"
        ],
        "general-nist-800-53-r4": [
          "CP-12",
          "SC-24"
        ],
        "general-nist-800-53-r5-2": [
          "CP-12",
          "SA-08(24)",
          "SC-24"
        ],
        "general-nist-800-53-r5-2-high": [
          "SC-24"
        ],
        "general-nist-800-82-r3": [
          "CP-12",
          "SA-08(24)",
          "SC-24"
        ],
        "general-nist-800-82-r3-low": [
          "CP-12"
        ],
        "general-nist-800-82-r3-mod": [
          "CP-12",
          "SC-24"
        ],
        "general-nist-800-82-r3-high": [
          "CP-12",
          "SC-24"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CP-12"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ],
        "general-sparta": [
          "CM0044"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-24"
        ],
        "emea-isr-cmo-1-0": [
          "9.17"
        ]
      }
    },
    {
      "control_id": "SEA-07.3",
      "title": "Fail Safe",
      "family": "SEA",
      "description": "Mechanisms exist to implement fail-safe procedures when failure conditions occur.",
      "scf_question": "Does the organization implement fail-safe procedures when failure conditions occur?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to implement fail-safe procedures when failure conditions occur.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "NET 1.4"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.6"
        ],
        "general-nist-800-53-r4": [
          "SI-17"
        ],
        "general-nist-800-53-r5-2": [
          "SI-17"
        ],
        "general-nist-800-82-r3": [
          "SI-17"
        ],
        "general-nist-800-82-r3-low": [
          "SI-17"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-17"
        ],
        "general-nist-800-82-r3-high": [
          "SI-17"
        ],
        "general-ul-2900-2-2-2016": [
          "9.6"
        ]
      }
    },
    {
      "control_id": "SEA-08",
      "title": "Non-Persistence",
      "family": "SEA",
      "description": "Mechanisms exist to implement non-persistent system components and services that are initiated in a known state and terminated upon the end of the session of use or periodically at an organization-defined frequency.",
      "scf_question": "Does the organization implement non-persistent system components and services that are initiated in a known state and terminated upon the end of the session of use or periodically at an organization-defined frequency?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to implement non-persistent system components and services that are initiated in a known state and terminated upon the end of the session of use or periodically at an organization-defined frequency.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-iec-62443-3-3-2013": [
          "SR 4.2",
          "SR 4.2 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 4.2"
        ],
        "general-mitre-att&ck-16-1": [
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.004",
          "T1546.003",
          "T1547.004",
          "T1547.006"
        ],
        "general-nist-800-53-r4": [
          "SI-14"
        ],
        "general-nist-800-53-r5-2": [
          "SI-14"
        ],
        "general-nist-800-82-r3": [
          "SI-14"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-14"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A05:2025"
        ]
      }
    },
    {
      "control_id": "SEA-08.1",
      "title": "Refresh from Trusted Sources",
      "family": "SEA",
      "description": "Mechanisms exist to ensure that software and data needed for system component and service refreshes are obtained from trusted sources.",
      "scf_question": "Does the organization ensure that software and data needed for system component and service refreshes are obtained from trusted sources?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to ensure that software and data needed for system component and service refreshes are obtained from trusted sources.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Review systems for covert channels as part of security assessment",
        "large": "∙ Covert channel analysis as part of security architecture review",
        "enterprise": "∙ Enterprise covert channel analysis program\n∙ Formal covert channel testing for high-assurance systems"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-csa-iot-2": [
          "CLS-12",
          "DAT-03"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.12",
          "CR 3.13"
        ],
        "general-nist-800-53-r4": [
          "SI-14(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-03(03)",
          "SI-14(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-03(03)"
        ],
        "general-nist-800-82-r3": [
          "SA-03(03)",
          "SI-14(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-14(01)"
        ],
        "general-nist-800-172": [
          "3.14.4e"
        ],
        "general-shared-assessments-sig-2025": [
          "T.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-03(03)"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-2"
        ]
      }
    },
    {
      "control_id": "SEA-09",
      "title": "Information Output Filtering",
      "family": "SEA",
      "description": "Mechanisms exist to validate information output from software programs and/or applications to ensure that the information is consistent with the expected content.",
      "scf_question": "Does the organization validate information output from software programs and/or applications to ensure that the information is consistent with the expected content?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to validate information output from software programs and/or applications to ensure that the information is consistent with the expected content.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Review systems for information leakage during security assessments",
        "large": "∙ Formal information leakage assessment in architecture reviews",
        "enterprise": "∙ Enterprise information leakage prevention program\n∙ Automated analysis for covert channels and leakage"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1021.002",
          "T1021.005",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1071.004",
          "T1090",
          "T1090.003",
          "T1095",
          "T1187",
          "T1197",
          "T1205",
          "T1205.001",
          "T1218.012",
          "T1218.015",
          "T1219",
          "T1498",
          "T1498.001",
          "T1498.002",
          "T1499",
          "T1499.001",
          "T1499.002",
          "T1499.003",
          "T1499.004",
          "T1530",
          "T1537",
          "T1552",
          "T1552.005",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1564.009",
          "T1570",
          "T1572",
          "T1599",
          "T1599.001",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1622"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-4.1-009"
        ],
        "general-nist-800-53-r4": [
          "SI-15"
        ],
        "general-nist-800-53-r5-2": [
          "SI-15"
        ],
        "general-nist-800-82-r3": [
          "SI-15"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-15"
        ]
      }
    },
    {
      "control_id": "SEA-09.1",
      "title": "Limit Personal Data (PD) Dissemination",
      "family": "SEA",
      "description": "Mechanisms exist to limit the dissemination of Personal Data (PD) to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes.",
      "scf_question": "Does the organization limit the dissemination of Personal Data (PD) to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Data",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to limit the dissemination of Personal Data (PD) to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-4",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-shared-assessments-sig-2025": [
          "P.5.1"
        ]
      }
    },
    {
      "control_id": "SEA-10",
      "title": "Memory Protection",
      "family": "SEA",
      "description": "Mechanisms exist to implement security safeguards to protect system memory from unauthorized code execution.",
      "scf_question": "Does the organization implement security safeguards to protect system memory from unauthorized code execution?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to implement security safeguards to protect system memory from unauthorized code execution.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-govramp": [
          "SI-16"
        ],
        "general-govramp-low": [
          "SI-16"
        ],
        "general-govramp-low-plus": [
          "SI-16"
        ],
        "general-govramp-mod": [
          "SI-16"
        ],
        "general-govramp-high": [
          "SI-16"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003.001",
          "T1047",
          "T1055.009",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1059.011",
          "T1218",
          "T1218.001",
          "T1218.002",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.008",
          "T1218.009",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1218.015",
          "T1505.004",
          "T1543",
          "T1543.002",
          "T1547.004",
          "T1547.006",
          "T1548",
          "T1548.004",
          "T1565",
          "T1565.001",
          "T1565.003",
          "T1611"
        ],
        "general-nist-800-53-r4": [
          "SI-16"
        ],
        "general-nist-800-53-r5-2": [
          "SI-16"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-16"
        ],
        "general-nist-800-82-r3": [
          "SI-16"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-16"
        ],
        "general-nist-800-82-r3-high": [
          "SI-16"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-16"
        ],
        "general-nist-800-171-r2": [
          "NFO - SI-16"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-16"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-16"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-16"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-16"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-16"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-16"
        ]
      }
    },
    {
      "control_id": "SEA-11",
      "title": "Honeypots",
      "family": "SEA",
      "description": "Mechanisms exist to utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks.",
      "scf_question": "Does the organization utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks.",
        "4": "In addition to Secure Engineering & Architecture (SEA) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Honeypots/deception for early threat detection in high-risk environments",
        "large": "∙ Enterprise honeypot/deception technology deployment (e.g., Attivo, Illusive Networks)",
        "enterprise": "∙ Enterprise deception technology platform (e.g., Attivo, Illusive Networks, Thinkst Canary)\n∙ Integrated with SIEM/SOAR"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1210",
          "T1211",
          "T1212"
        ],
        "general-nist-800-53-r4": [
          "SC-26"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(13)",
          "SC-26"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(13)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(13)",
          "SC-26"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(13)",
          "SC-26"
        ],
        "general-shared-assessments-sig-2025": [
          "P.8"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.IN.DPLAT"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(13)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04(13)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(13)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(13)"
        ],
        "emea-isr-cmo-1-0": [
          "23.5"
        ]
      }
    },
    {
      "control_id": "SEA-12",
      "title": "Honeyclients",
      "family": "SEA",
      "description": "Mechanisms exist to utilize honeyclients that proactively seek to identify malicious websites and/or web-based malicious code.",
      "scf_question": "Does the organization utilize honeyclients that proactively seek to identify malicious websites and/or web-based malicious code?",
      "relative_weight": 3,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize honeyclients that proactively seek to identify malicious websites and/or web-based malicious code.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ System isolation and domain separation for sensitive systems",
        "large": "∙ Domain separation design for enterprise systems\n∙ Physical or logical isolation",
        "enterprise": "∙ Enterprise domain separation architecture\n∙ Formal isolation standards\n∙ Cross-domain solution governance"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1210",
          "T1211",
          "T1212"
        ],
        "general-nist-800-53-r4": [
          "SC-35"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(13)",
          "SC-35"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(13)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(13)",
          "SC-35"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(13)",
          "SC-35"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(13)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04(13)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(13)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(13)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-35"
        ],
        "emea-isr-cmo-1-0": [
          "23.5"
        ]
      }
    },
    {
      "control_id": "SEA-13",
      "title": "Heterogeneity",
      "family": "SEA",
      "description": "Mechanisms exist to utilize a diverse set of technologies for system components to reduce the impact of technical vulnerabilities from the same Original Equipment Manufacturer (OEM).",
      "scf_question": "Does the organization utilize a diverse set of technologies for system components to reduce the impact of technical vulnerabilities from the same Original Equipment Manufacturer (OEM)?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize a diverse set of technologies for system components to reduce the impact of technical vulnerabilities from the same Original Equipment Manufacturer (OEM).",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Virtualization security controls for VM environments",
        "large": "∙ Enterprise virtualization security program (e.g., VMware security hardening)",
        "enterprise": "∙ Enterprise virtualization security platform (e.g., VMware Carbon Black, Prisma Cloud)\n∙ VM escape prevention\n∙ Hypervisor hardening"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1189",
          "T1190",
          "T1203",
          "T1210",
          "T1211"
        ],
        "general-nist-800-53-r4": [
          "SC-29"
        ],
        "general-nist-800-53-r5-2": [
          "SC-29"
        ],
        "general-nist-800-82-r3": [
          "SC-29"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-29"
        ],
        "general-nist-800-161-r1": [
          "SC-29"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-29"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-29"
        ],
        "general-nist-800-172": [
          "3.13.1e"
        ],
        "apac-ind-sebi-2024": [
          "EV.ST.S2"
        ]
      }
    },
    {
      "control_id": "SEA-13.1",
      "title": "Virtualization Techniques",
      "family": "SEA",
      "description": "Mechanisms exist to utilize virtualization techniques to support the employment of a diversity of operating systems and applications.",
      "scf_question": "Does the organization utilize virtualization techniques to support the employment of a diversity of operating systems and applications?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize virtualization techniques to support the employment of a diversity of operating systems and applications.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Hypervisor hardening and VM isolation controls",
        "large": "∙ Enterprise hypervisor hardening program\n∙ VM isolation and security policies",
        "enterprise": "∙ Enterprise hypervisor security program\n∙ Formal VM isolation standards\n∙ Automated hypervisor compliance checking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "I&S-01"
        ],
        "general-nist-800-53-r4": [
          "SC-29(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-29(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-29(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-29(01)"
        ],
        "general-swift-cscf-2025": [
          "1.3"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.4.3"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.7"
        ],
        "emea-deu-c5-2020": [
          "PSS-11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1460",
          "ISM-1461",
          "ISM-1604",
          "ISM-1605",
          "ISM-1606",
          "ISM-1607"
        ],
        "apac-nzl-ism-3-9": [
          "22.2.12.C.01",
          "22.2.12.C.02",
          "22.2.12.C.03",
          "22.2.12.C.04",
          "22.2.13.C.01",
          "22.2.13.C.02",
          "22.2.14.C.01",
          "22.2.14.C.02",
          "22.2.14.C.03",
          "22.2.14.C.04",
          "22.2.14.C.05",
          "22.2.14.C.06",
          "22.2.14.C.07",
          "22.2.15.C.01",
          "22.2.15.C.02",
          "22.2.15.C.03",
          "22.2.15.C.04",
          "22.2.15.C.05",
          "22.2.15.C.06",
          "22.2.15.C.07",
          "22.2.16.C.01",
          "22.2.16.C.02",
          "22.2.16.C.03"
        ]
      }
    },
    {
      "control_id": "SEA-14",
      "title": "Concealment & Misdirection",
      "family": "SEA",
      "description": "Mechanisms exist to utilize concealment and misdirection techniques for Technology Assets, Applications and/or Services (TAAS) to confuse and mislead adversaries.",
      "scf_question": "Does the organization utilize concealment and misdirection techniques for Technology Assets, Applications and/or Services (TAAS) to confuse and mislead adversaries?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize concealment and misdirection techniques for TAAS to confuse and mislead adversaries.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Container security controls for containerized workloads",
        "large": "∙ Enterprise container security program (e.g., Docker/Kubernetes security)\n∙ Container scanning",
        "enterprise": "∙ Enterprise container security platform (e.g., Aqua Security, Prisma Cloud, Sysdig)\n∙ Container image scanning\n∙ Runtime protection"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR4.1.3"
        ],
        "general-mitre-att&ck-16-1": [
          "T1068",
          "T1189",
          "T1190",
          "T1203",
          "T1210",
          "T1211",
          "T1212"
        ],
        "general-nist-800-53-r4": [
          "SC-30"
        ],
        "general-nist-800-53-r5-2": [
          "SC-30",
          "SC-30(04)",
          "SC-30(05)"
        ],
        "general-nist-800-82-r3": [
          "SC-30",
          "SC-30(04)",
          "SC-30(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-30",
          "SC-30(04)",
          "SC-30(05)"
        ],
        "general-nist-800-161-r1": [
          "SC-30",
          "SC-30(4)",
          "SC-30(5)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-30",
          "SC-30(4)",
          "SC-30(5)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-30",
          "SC-30(4)",
          "SC-30(5)"
        ],
        "general-nist-800-172": [
          "3.13.3e"
        ]
      }
    },
    {
      "control_id": "SEA-14.1",
      "title": "Randomness",
      "family": "SEA",
      "description": "Automated mechanisms exist to introduce randomness into organizational operations and assets.",
      "scf_question": "Does the organization use automated mechanisms to introduce randomness into organizational operations and assets?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to automatically introduce randomness into organizational operations and assets.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Secure container image management\n∙ Use trusted base images",
        "large": "∙ Enterprise container image security (scanning, signing)\n∙ Trusted registry",
        "enterprise": "∙ Enterprise container image management (e.g., Aqua, Twistlock)\n∙ Image signing (Notary)\n∙ Automated vulnerability scanning"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-30(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-30(02)"
        ],
        "general-nist-800-82-r3": [
          "SC-30(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-30(02)"
        ],
        "general-nist-800-161-r1": [
          "SC-30(2)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-30(2)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-30(2)"
        ]
      }
    },
    {
      "control_id": "SEA-14.2",
      "title": "Change Processing & Storage Locations",
      "family": "SEA",
      "description": "Automated mechanisms exist to change the location of processing and/or storage at random time intervals.",
      "scf_question": "Does the organization use automated mechanisms to change the location of processing and/or storage at random time intervals?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to automatically change the location of processing and/or storage at random time intervals.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Kubernetes/container orchestration security hardening",
        "large": "∙ Enterprise Kubernetes security program (e.g., CIS Kubernetes Benchmark)",
        "enterprise": "∙ Enterprise Kubernetes security platform (e.g., Aqua, Prisma Cloud, NeuVector)\n∙ Network policies\n∙ RBAC enforcement\n∙ Runtime security"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF9"
        ],
        "general-nist-800-53-r4": [
          "SC-30(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-30(03)"
        ],
        "general-nist-800-82-r3": [
          "SC-30(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-30(03)"
        ],
        "general-nist-800-161-r1": [
          "SC-30(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-30(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-30(3)"
        ]
      }
    },
    {
      "control_id": "SEA-15",
      "title": "Distributed Processing & Storage",
      "family": "SEA",
      "description": "Mechanisms exist to distribute processing and storage across multiple physical locations.",
      "scf_question": "Does the organization distribute processing and storage across multiple physical locations?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to distribute processing and storage across multiple physical locations.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Software composition analysis (SCA) for open source components",
        "large": "∙ Enterprise SCA program (e.g., Snyk, Black Duck)\n∙ Open source license and vulnerability tracking",
        "enterprise": "∙ Enterprise SCA platform (e.g., Snyk, Mend, Black Duck)\n∙ Automated open source vulnerability detection\n∙ License compliance management"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1070",
          "T1070.001",
          "T1070.002",
          "T1070.008",
          "T1119",
          "T1565",
          "T1565.001"
        ],
        "general-nist-800-53-r4": [
          "SC-36"
        ],
        "general-nist-800-53-r5-2": [
          "PE-23",
          "SC-36"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-23"
        ],
        "general-nist-800-82-r3": [
          "PE-23",
          "SC-36"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-36"
        ],
        "general-nist-800-161-r1": [
          "PE-23",
          "SC-36"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PE-23",
          "SC-36"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-23",
          "SC-36"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-23",
          "SC-36"
        ],
        "general-nist-800-172": [
          "3.13.5e"
        ],
        "general-scf-dpmp-2025": [
          "5.6"
        ],
        "general-sparta": [
          "CM0074"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-23"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-23"
        ],
        "emea-aut-fappd-2000": [
          "Sec 10"
        ],
        "emea-bel-act-8-1992": [
          "Chapter 4 - 16"
        ],
        "emea-hun-isdfi-2011": [
          "7"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36"
        ],
        "emea-rus-federal-law-27-2006": [
          "7"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "21"
        ],
        "apac-jpn-ppi-2020": [
          "20"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-phl-dpa-2012": [
          "25"
        ],
        "apac-sgp-pdpa-2012": [
          "24",
          "26"
        ],
        "apac-kor-pipa-2011": [
          "17",
          "27"
        ],
        "americas-can-pipeda-2000": [
          "Sec 20"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "26"
        ]
      }
    },
    {
      "control_id": "SEA-16",
      "title": "Non-Modifiable Executable Programs",
      "family": "SEA",
      "description": "Mechanisms exist to utilize non-modifiable executable programs that load and execute the operating environment and applications from hardware-enforced, read-only media.",
      "scf_question": "Does the organization utilize non-modifiable executable programs that load and execute the operating environment and applications from hardware-enforced, read-only media?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize non-modifiable executable programs that load and execute the operating environment and applications from hardware-enforced, read-only media.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Evaluate security controls for trusted systems interconnections",
        "large": "∙ Enterprise trusted system interconnection security program",
        "enterprise": "∙ Enterprise trusted systems integration security framework\n∙ Formal interconnection security agreements (ISA)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-mitre-att&ck-16-1": [
          "T1195.003",
          "T1218.015",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1548",
          "T1548.004",
          "T1553",
          "T1553.006",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1611"
        ],
        "general-nist-800-53-r4": [
          "SC-34"
        ],
        "general-nist-800-53-r5-2": [
          "SC-34"
        ],
        "general-nist-800-82-r3": [
          "SC-34"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SC-34"
        ],
        "general-shared-assessments-sig-2025": [
          "N.2"
        ]
      }
    },
    {
      "control_id": "SEA-17",
      "title": "Secure Log-On Procedures",
      "family": "SEA",
      "description": "Mechanisms exist to utilize a trusted communications path between the user and the security functions of the system.",
      "scf_question": "Does the organization utilize a trusted communications path between the user and the security functions of the system?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize a trusted communications path between the user and the security functions of the system.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-iso-27002-2022": [
          "8.5"
        ],
        "general-iso-27017-2015": [
          "9.4.2"
        ],
        "general-iso-27018-2025": [
          "8.5"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.2.6 [OP.ACC.6]"
        ]
      }
    },
    {
      "control_id": "SEA-18",
      "title": "System Use Notification (Logon Banner)",
      "family": "SEA",
      "description": "Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SEA-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to Technology Assets, Applications and/or Services (TAAS).",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-govramp": [
          "AC-08"
        ],
        "general-govramp-low": [
          "AC-08"
        ],
        "general-govramp-low-plus": [
          "AC-08"
        ],
        "general-govramp-mod": [
          "AC-08"
        ],
        "general-govramp-high": [
          "AC-08"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 1.12"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.12"
        ],
        "general-mitre-att&ck-16-1": [
          "T1199"
        ],
        "general-nist-800-53-r4": [
          "AC-8"
        ],
        "general-nist-800-53-r5-2": [
          "AC-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-08"
        ],
        "general-nist-800-82-r3": [
          "AC-08"
        ],
        "general-nist-800-82-r3-low": [
          "AC-08"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-08"
        ],
        "general-nist-800-82-r3-high": [
          "AC-08"
        ],
        "general-nist-800-171-r2": [
          "3.1.9"
        ],
        "general-nist-800-171-r3": [
          "03.01.09"
        ],
        "general-nist-800-171a": [
          "3.1.9[a]",
          "3.1.9[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.09"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-8"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.9"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-08"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-8",
          "AC-8.a",
          "AC-8.b",
          "AC-8.c",
          "AC-8.c.1",
          "AC-8.c.2",
          "AC-8.c.3"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)(7)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-08"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2406",
          "2407"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2407"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2406",
          "2407"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2406",
          "2407"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0408"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.48.C.01",
          "16.1.48.C.02",
          "16.1.48.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.09"
        ]
      }
    },
    {
      "control_id": "SEA-18.1",
      "title": "Standardized Microsoft Windows Banner",
      "family": "SEA",
      "description": "Mechanisms exist to configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system.",
      "scf_question": "Does the organization configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SEA-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system.",
        "4": "Secure Engineering & Architecture (SEA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-iec-62443-3-3-2013": [
          "SR 1.12"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.12"
        ],
        "general-nist-800-171-r2": [
          "3.1.9"
        ],
        "general-nist-800-171-r3": [
          "03.01.09"
        ],
        "general-nist-800-171a": [
          "3.1.9[a]",
          "3.1.9[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.09"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.9"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0408"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.48.C.01",
          "16.1.48.C.02",
          "16.1.48.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.09"
        ]
      }
    },
    {
      "control_id": "SEA-18.2",
      "title": "Truncated Banner",
      "family": "SEA",
      "description": "Mechanisms exist to utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized directory services technology (e.g., Active Directory, Entra ID, etc.).",
      "scf_question": "Does the organization utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized directory services technology (e.g., Active Directory, Entra ID, etc.)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SEA-01"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized directory services technology (e.g., Active Directory, Entra ID, etc.).",
        "4": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-iec-62443-3-3-2013": [
          "SR 1.12"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 1.12"
        ],
        "general-nist-800-171-r2": [
          "3.1.9"
        ],
        "general-nist-800-171-r3": [
          "03.01.09"
        ],
        "general-nist-800-171a": [
          "3.1.9[a]",
          "3.1.9[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.01.09"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.9"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0408"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.48.C.01",
          "16.1.48.C.02",
          "16.1.48.C.03"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.09"
        ]
      }
    },
    {
      "control_id": "SEA-19",
      "title": "Previous Logon Notification",
      "family": "SEA",
      "description": "Mechanisms exist to configure systems that process, store or transmit sensitive/regulated data to notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.",
      "scf_question": "Does the organization configure systems that process, store or transmit sensitive/regulated data to notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to configure systems that process, store or transmit sensitive/regulated data to notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.",
        "4": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AM-3",
        "R-IR-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "USER 1.13"
        ],
        "general-nist-800-53-r4": [
          "AC-9"
        ],
        "general-nist-800-53-r5-2": [
          "AC-09"
        ],
        "general-nist-800-82-r3": [
          "AC-09"
        ],
        "apac-nzl-ism-3-9": [
          "16.1.49.C.01",
          "16.1.50.C.01",
          "16.1.50.C.02"
        ]
      }
    },
    {
      "control_id": "SEA-20",
      "title": "Clock Synchronization",
      "family": "SEA",
      "description": "Mechanisms exist to utilize time-synchronization technology to synchronize all critical system clocks.",
      "scf_question": "Does the organization utilize time-synchronization technology to synchronize all critical system clocks?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain SEA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize time-synchronization technology to synchronize all critical system clocks.",
        "4": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "LOG-06"
        ],
        "general-govramp": [
          "AU-08"
        ],
        "general-govramp-low": [
          "AU-08"
        ],
        "general-govramp-low-plus": [
          "AU-08"
        ],
        "general-govramp-mod": [
          "AU-08"
        ],
        "general-govramp-high": [
          "AU-08"
        ],
        "general-iec-62443-2-1-2024": [
          "NET 1.9"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 2.11 RE 1"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 2.11(2)"
        ],
        "general-iso-27002-2022": [
          "8.17"
        ],
        "general-iso-27017-2015": [
          "12.4.4"
        ],
        "general-iso-27018-2025": [
          "8.17"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.5"
        ],
        "general-nist-800-53-r4": [
          "AU-8"
        ],
        "general-nist-800-53-r5-2": [
          "AU-08"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AU-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "AU-08"
        ],
        "general-nist-800-82-r3": [
          "AU-08"
        ],
        "general-nist-800-82-r3-low": [
          "AU-08"
        ],
        "general-nist-800-82-r3-mod": [
          "AU-08"
        ],
        "general-nist-800-82-r3-high": [
          "AU-08"
        ],
        "general-nist-800-171-r2": [
          "3.3.7"
        ],
        "general-pci-dss-4-0-1": [
          "10.6",
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.6.1",
          "10.6.2",
          "10.6.3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.TSYNC"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AU-8"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AUL2.-3.3.7"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AU-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AU-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AU-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AU-08"
        ],
        "usa-federal-irs-1075-2021": [
          "AU-8"
        ],
        "usa-federal-cms-marse-2-0": [
          "AU-8",
          "AU-8.a",
          "AU-8(1)",
          "AU-8(1)-IS.1"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AU-08"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AU-08"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AU-08"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2421"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2421"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2421"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2421"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0988"
        ],
        "apac-jpn-ismap": [
          "12.4.4",
          "12.4.4.1",
          "12.4.4.2",
          "12.4.4.3",
          "12.4.4.4.PB"
        ]
      }
    },
    {
      "control_id": "SEA-21",
      "title": "Application Container",
      "family": "SEA",
      "description": "Mechanisms exist to utilize an application container (virtualization approach) to isolate to a known set of dependencies, access methods and interfaces.",
      "scf_question": "Does the organization utilize an application container (virtualization approach) to isolate to a known set of dependencies, access methods and interfaces?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to utilize an application container (virtualization approach) to isolate to a known set of dependencies, access methods and interfaces.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "large": "∙ Secure software supply chain controls\n∙ SBOM generation for critical applications",
        "enterprise": "∙ Enterprise software supply chain security program\n∙ SBOM generation and management\n∙ Supply chain risk assessment"
      },
      "risks": [
        "R-GV-1"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EN.ACONT"
        ]
      }
    },
    {
      "control_id": "SEA-22",
      "title": "Privileged Environments",
      "family": "SEA",
      "description": "Mechanisms exist to prevent privileged operating environments from existing within unprivileged operating environments, including physical or virtual deployments of Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization prevent privileged operating environments from existing within unprivileged operating environments, including physical or virtual deployments of Technology Assets, Applications and/or Services (TAAS).",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Secure Engineering & Architecture (SEA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SEA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security engineering-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel use an informal process to design, build and maintain secure, compliant and resilient solutions.",
        "2": "Secure Engineering & Architecture (SEA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Secure engineering and architecture-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Secure engineering and architecture management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define entity-specific secure engineering practices to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the entity's TAASD.\n▪ IT and/or cybersecurity personnel align secure engineering practices with the entity's broader IT architecture practices.\n▪ IT and/or cybersecurity personnel use secure engineering practices to influence Secure Baseline Configurations (SBC).",
        "3": "Secure Engineering & Architecture (SEA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SEA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SEA domain capabilities are well-documented and kept current by process owners.\n▪ A cybersecurity engineering / architecture team, or similar function, is appropriately staffed and supported to implement and maintain RSK domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of secure engineering management operations (e.g., project management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SEA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Secure Baseline Configurations (SBC) enforce the secure engineering principles on all applicable Technology Assets, Applications and/or Services (TAAS).\n▪ An implemented and operational capability exists to prevent privileged operating environments from existing within unprivileged operating environments, including physical or virtual deployments of TAAS.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "large": "∙ Code signing for software releases\n∙ Binary analysis for integrity",
        "enterprise": "∙ Enterprise code signing program\n∙ HSM-protected signing keys\n∙ Binary analysis and integrity verification"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Secure Engineering & Architecture",
      "crosswalks": {
        "apac-aus-essential-8-2024": [
          "ML2-P4",
          "ML3-P4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1687"
        ]
      }
    },
    {
      "control_id": "OPS-01",
      "title": "Operations Security",
      "family": "OPS",
      "description": "Mechanisms exist to facilitate the implementation of operational security controls.",
      "scf_question": "Does the organization facilitate the implementation of operational security controls?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-01",
        "E-HRS-03",
        "E-HRS-04",
        "E-HRS-13",
        "E-HRS-15",
        "E-HRS-27"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Operations (OPS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with OPS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cybersecurity operations-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Cybersecurity operations are primarily viewed as additional duties for IT staff.\n▪ There is no Security Operations Center (SOC) with 24x7x365 operations coverage.",
        "2": "Security Operations (OPS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security operations management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security operations management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Security Operations (OPS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are well-documented and kept current by process owners.\n▪ A Security Operations Center (SOC), or similar function, is appropriately staffed and supported to implement and maintain OPS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security operations management (e.g., SIEM solution, EDR/XDR tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations.\n▪ An implemented and operational capability exists to facilitate the implementation of operational security controls.",
        "4": "Security Operations (OPS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented Standardized Operating Procedures (SOP)",
        "small": "∙ Documented Standardized Operating Procedures (SOP)",
        "medium": "∙ Documented Standardized Operating Procedures (SOP)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "large": "∙ Documented Standardized Operating Procedures (SOP)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)\n∙ COBIT 2019 Framework (https://isaca.org)",
        "enterprise": "∙ Documented Standardized Operating Procedures (SOP)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)\n∙ COBIT 2019 Framework (https://isaca.org)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Operations",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2"
        ],
        "general-coso-2013": [
          "14"
        ],
        "general-iso-27001-2022": [
          "8.1"
        ],
        "general-iso-27002-2022": [
          "5.37"
        ],
        "general-iso-27017-2015": [
          "12.1.1"
        ],
        "general-iso-27018-2025": [
          "5.37"
        ],
        "general-iso-42001-2023": [
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)"
        ],
        "general-mitre-att&ck-16-1": [
          "T1005",
          "T1025"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.2",
          "GOVERN 1.3",
          "GOVERN 1.4",
          "GOVERN 3.2",
          "GOVERN 4.1",
          "GOVERN 5.1",
          "GOVERN 6.0",
          "GOVERN 6.1",
          "MAP 3.5"
        ],
        "general-nist-800-53-r4": [
          "SC-38"
        ],
        "general-nist-800-53-r5-2": [
          "SC-38",
          "SR-07"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-38",
          "SR-07"
        ],
        "general-nist-800-82-r3": [
          "SC-38",
          "SR-07"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-07"
        ],
        "general-nist-800-161-r1": [
          "SC-38",
          "SR-7"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-38",
          "SR-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-38",
          "SR-7"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.15.01.b"
        ],
        "general-nist-csf-2-0": [
          "ID.IM"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "9.3.2",
          "10.1.1",
          "11.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "8.1.1",
          "8.3.8"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.1.1",
          "8.1.1",
          "9.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.1.1",
          "3.1.1",
          "5.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.1.1",
          "3.1.1",
          "8.1.1",
          "9.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "9.3.2",
          "10.1.1",
          "11.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "9.3.2",
          "10.1.1",
          "11.1.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "3.1.1",
          "9.1.1"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-38",
          "SR-07"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-38",
          "SR-07"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-38",
          "SR-07"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-38",
          "SR-07"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(7)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.1",
          "Article 9.2"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-c5-2020": [
          "SP-01"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 8.1",
          "Article 8.2",
          "Article 8.3",
          "Article 8.4",
          "Article 8.5"
        ],
        "emea-esp-decree-311-2022": [
          "8.1",
          "8.2",
          "8.3",
          "8.4",
          "8.5"
        ],
        "apac-chn-pipl-2021": [
          "51",
          "51(1)",
          "51(2)",
          "51(3)",
          "51(4)",
          "51(5)",
          "51(6)"
        ],
        "apac-jpn-ismap": [
          "12",
          "12.1",
          "12.1.3.9.PB"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.1.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.3",
          "1.5"
        ],
        "americas-can-osfi-b13-2022": [
          "3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.15.01.B"
        ]
      }
    },
    {
      "control_id": "OPS-01.1",
      "title": "Standardized Operating Procedures (SOP)",
      "family": "OPS",
      "description": "Mechanisms exist to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.",
      "scf_question": "Does the organization identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Security Operations (OPS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security operations management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security operations management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations  to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.",
        "3": "Security Operations (OPS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are well-documented and kept current by process owners.\n▪ A Security Operations Center (SOC), or similar function, is appropriately staffed and supported to implement and maintain OPS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security operations management (e.g., SIEM solution, EDR/XDR tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations.\n▪ An implemented and operational capability exists to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.",
        "4": "Security Operations (OPS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)",
        "small": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)",
        "medium": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)",
        "large": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)",
        "enterprise": "∙ Documented Standardized Operating Procedures (SOP)\n∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-4"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Operations",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2",
          "CC5.1",
          "CC5.3",
          "CC5.3-POF3",
          "CC7.2-POF1"
        ],
        "general-cobit-2019": [
          "APO01.09",
          "DSS01.01"
        ],
        "general-coso-2013": [
          "10",
          "12",
          "14"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.6"
        ],
        "general-iso-27001-2022": [
          "8.1"
        ],
        "general-iso-27002-2022": [
          "5.37"
        ],
        "general-iso-27017-2015": [
          "12.1.1"
        ],
        "general-iso-27018-2025": [
          "5.37"
        ],
        "general-iso-27701-2025": [
          "8.1"
        ],
        "general-iso-42001-2023": [
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)",
          "A.6.2.7",
          "A.6.2.8"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.0",
          "GOVERN 1.2",
          "GOVERN 1.3",
          "GOVERN 1.4",
          "GOVERN 3.2",
          "GOVERN 4.1",
          "GOVERN 5.1",
          "GOVERN 6.0",
          "GOVERN 6.1",
          "MAP 3.5"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.2",
          "GOVERN 1.3",
          "GV-1.5-002"
        ],
        "general-nist-800-53-r5-2": [
          "SA-08(32)"
        ],
        "general-nist-800-66-r2": [
          "164.310(b)",
          "164.316(b)"
        ],
        "general-nist-800-82-r3": [
          "SA-08(32)"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.01.a[03]",
          "A.03.15.01.a[04]",
          "A.03.15.01.b[01]",
          "A.03.15.01.b[02]"
        ],
        "general-nist-800-218": [
          "PO.3.2",
          "PO.4.2"
        ],
        "general-nist-csf-2-0": [
          "ID.IM"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "3.7",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "3.7.8",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "6.5.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "9.3.2",
          "10.1.1",
          "11.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "6.5.1",
          "8.1.1",
          "8.3.8"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.1.1",
          "8.1.1",
          "9.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.1.1",
          "3.1.1",
          "5.1.1",
          "6.5.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.1.1",
          "3.1.1",
          "8.1.1",
          "9.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "3.7.8",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "6.5.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "9.3.2",
          "10.1.1",
          "11.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "3.7.8",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "6.5.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "9.3.2",
          "10.1.1",
          "11.1.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "3.1.1",
          "9.1.1"
        ],
        "general-tisax-6-0-3": [
          "9.8.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG1.GP1",
          "ADM:GG3.GP1",
          "AM:GG1.GP1",
          "AM:GG3.GP1",
          "COMM:GG1.GP1",
          "COMM:GG3.GP1",
          "COMP:GG1.GP1",
          "COMP:GG3.GP1",
          "CTRL:GG1.GP1",
          "CTRL:GG3.GP1",
          "EC:GG1.GP1",
          "EC:GG3.GP1",
          "EF:GG1.GP1",
          "EF:GG3.GP1",
          "EXD:GG1.GP1",
          "EXD:GG3.GP1",
          "FRM:GG1.GP1",
          "FRM:GG3.GP1",
          "HRM:GG1.GP1",
          "HRM:GG3.GP1",
          "ID:GG1.GP1",
          "ID:GG3.GP1",
          "IMC:GG1.GP1",
          "IMC:GG3.GP1",
          "KIM:GG1.GP1",
          "KIM:GG3.GP1",
          "MA:GG1.GP1",
          "MA:GG3.GP1",
          "MON:GG1.GP1",
          "MON:GG3.GP1",
          "OPD:SG1",
          "OPD:SG1.SP1",
          "OPD:GG1.GP1",
          "OPD:GG3.GP1",
          "OPF:GG1.GP1",
          "OPF:GG3.GP1",
          "OTA:GG1.GP1",
          "OTA:GG3.GP1",
          "PM:GG1.GP1",
          "PM:GG3.GP1",
          "RISK:GG1.GP1",
          "RISK:GG3.GP1",
          "RRD:GG1.GP1",
          "RRD:GG3.GP1",
          "RRM:GG1.GP1",
          "RRM:GG3.GP1",
          "RTSE:GG1.GP1",
          "RTSE:GG3.GP1",
          "SC:GG1.GP1",
          "SC:GG3.GP1",
          "TM:GG1.GP1",
          "TM:GG3.GP1",
          "VAR:GG1.GP1",
          "VAR:GG3.GP1",
          "GG1.GP1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-5a",
          "THREAT-3a",
          "RISK-5a",
          "ACCESS-4a",
          "SITUATION-4a",
          "RESPONSE-5a",
          "THIRD-PARTIES-3a",
          "WORKFORCE-5a",
          "ARCHITECTURE-6a",
          "PROGRAM-3a"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.7.a.ii"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.7.1"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10",
          "11.10(f)",
          "11.10(k)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(7)",
          "314.4(c)(8)",
          "314.4(e)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(b)",
          "164.316(b)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(b)",
          "164.316(b)(2)(ii)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-1.b",
          "AT-1.b",
          "AU-1.b",
          "CA-1.b",
          "CA-1.d",
          "CM-1.b",
          "CP-1.b",
          "IA-1.b",
          "IR-1.b",
          "MA-1.b",
          "MP-1.b",
          "MP-1-IS.2",
          "PE-1.b",
          "PL-1.b",
          "PS-1.b",
          "SA-1.b",
          "SC-1.b",
          "SI-1.b"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-006-6 1.1"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.2"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.6"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(2)",
          "500.3",
          "500.8(a)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.2.(31)",
          "3.4.2(31)(a)",
          "3.4.2(31)(b)",
          "3.4.2(31)(c)",
          "3.4.2(31)(d)",
          "3.4.2(31)(e)",
          "3.4.2(31)(f)",
          "3.4.2(31)(g)",
          "3.4.5(38)",
          "3.5(50)"
        ],
        "emea-eu-dora-2023": [
          "Article 6.2",
          "Article 9.2",
          "Article 9.4(e)"
        ],
        "emea-eu-nis2-annex-2024": [
          "7.1",
          "9.1"
        ],
        "emea-deu-c5-2020": [
          "SP-01",
          "IDM-02"
        ],
        "emea-isr-cmo-1-0": [
          "12.2",
          "12.3",
          "18.2",
          "22.2"
        ],
        "emea-sau-cgiot-2024": [
          "1-2-1"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 13.2(d)",
          "Article 13.4",
          "Article 22.2"
        ],
        "emea-esp-decree-311-2022": [
          "13.2(d)",
          "13.4",
          "22.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "6.3 [ORG.3]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1100",
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1100",
          "2100"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1100",
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1100",
          "2100",
          "2101"
        ],
        "apac-chn-pipl-2021": [
          "51",
          "51(1)",
          "51(2)",
          "51(3)",
          "51(4)",
          "51(5)",
          "51(6)"
        ],
        "apac-ind-sebi-2024": [
          "PR.AA.S14",
          "PR.IP.S7",
          "RC.RP.S4"
        ],
        "apac-jpn-ismap": [
          "8.3.1.11",
          "12.1.1",
          "12.1.1.1",
          "12.1.1.2",
          "12.1.1.3",
          "12.1.1.4",
          "12.1.1.5",
          "12.1.1.6",
          "12.1.1.7",
          "12.1.1.8",
          "12.1.1.9",
          "12.1.1.10",
          "12.1.1.11",
          "12.1.1.12",
          "12.1.1.13",
          "12.1.5.P",
          "12.1.5.1.PB"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP01"
        ],
        "apac-nzl-ism-3-9": [
          "3.4.12.C.01",
          "3.4.12.C.02",
          "5.1.11.C.01",
          "5.1.13.C.01",
          "5.5.3.C.01",
          "5.5.4.C.01",
          "5.5.5.C.01",
          "5.5.6.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2.1",
          "2.8",
          "3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A"
        ]
      }
    },
    {
      "control_id": "OPS-02",
      "title": "Security Concept Of Operations (CONOPS)",
      "family": "OPS",
      "description": "Mechanisms exist to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders.",
      "scf_question": "Does the organization develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Operations (OPS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with OPS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cybersecurity operations-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Cybersecurity operations are primarily viewed as additional duties for IT staff.\n▪ There is no Security Operations Center (SOC) with 24x7x365 operations coverage.",
        "2": "Security Operations (OPS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security operations management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security operations management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations  to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.",
        "3": "Security Operations (OPS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are well-documented and kept current by process owners.\n▪ A Security Operations Center (SOC), or similar function, is appropriately staffed and supported to implement and maintain OPS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security operations management (e.g., SIEM solution, EDR/XDR tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations.\n▪ An implemented and operational capability exists to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document relevant policy and procedures",
        "small": "∙ Written policy and procedures\n∙ Designated responsible owner\n∙ Annual review",
        "medium": "∙ Cybersecurity-focused Concept of Operations (CONOPS)",
        "large": "∙ Cybersecurity-focused Concept of Operations (CONOPS)",
        "enterprise": "∙ Cybersecurity-focused Concept of Operations (CONOPS)"
      },
      "risks": [
        "R-AM-3",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Operations",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.1",
          "CC7.2"
        ],
        "general-coso-2013": [
          "10"
        ],
        "general-iso-21434-2021": [
          "RQ-05-13"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.BE-P3"
        ],
        "general-nist-800-53-r4": [
          "PL-7"
        ],
        "general-nist-800-53-r5-2": [
          "PL-07"
        ],
        "general-nist-800-82-r3": [
          "PL-07"
        ],
        "general-nist-800-161-r1": [
          "PL-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "PL-7"
        ],
        "general-tisax-6-0-3": [
          "8.1.1"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(6)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.1",
          "Article 9.2"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.15.C.01"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.30"
        ],
        "americas-can-osfi-b13-2022": [
          "1.3.2"
        ]
      }
    },
    {
      "control_id": "OPS-03",
      "title": "Service Delivery\n(Business Process Support)",
      "family": "OPS",
      "description": "Mechanisms exist to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization's technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area.",
      "scf_question": "Does the organization define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of its technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Security Operations (OPS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security operations management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security operations management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations  to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.",
        "3": "Security Operations (OPS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are well-documented and kept current by process owners.\n▪ A Security Operations Center (SOC), or similar function, is appropriately staffed and supported to implement and maintain OPS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security operations management (e.g., SIEM solution, EDR/XDR tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations.\n▪ An implemented and operational capability exists to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization's technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve 
the specific goals of the process area.",
        "4": "Security Operations (OPS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented Standardized Operating Procedures (SOP)",
        "small": "∙ Documented Standardized Operating Procedures (SOP)",
        "medium": "∙ Documented Standardized Operating Procedures (SOP)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)",
        "large": "∙ Documented Standardized Operating Procedures (SOP)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)\n∙ COBIT 2019 Framework (https://isaca.org)",
        "enterprise": "∙ Documented Standardized Operating Procedures (SOP)\n∙ VisibleOps (https://itpi.org) \n∙ ITIL 4 (https://axelos.com)\n∙ COBIT 2019 Framework (https://isaca.org)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Operations",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1",
          "CC2.1-POF1",
          "CC2.1-POF2",
          "CC2.1-POF3",
          "CC2.1-POF4",
          "CC2.2-POF1",
          "CC2.3-POF2",
          "CC2.3-POF6",
          "CC3.1-POF7",
          "CC3.1-POF8",
          "CC3.1-POF9",
          "CC3.1-POF10",
          "CC3.1-POF11",
          "CC3.1-POF12",
          "CC3.1-POF13",
          "CC3.1-POF14",
          "CC3.1-POF15",
          "CC3.1-POF16",
          "CC5.3-POF3",
          "PI1.1",
          "PI1.3-POF1",
          "PI1.3-POF2",
          "PI1.3-POF3",
          "PI1.3-POF4",
          "PI1.3-POF5",
          "PI1.4-POF1",
          "PI1.4-POF2",
          "PI1.4-POF3",
          "PI1.4-POF4",
          "PI1.5-POF1",
          "PI1.5-POF2",
          "PI1.5-POF3",
          "PI1.5-POF4"
        ],
        "general-cobit-2019": [
          "APO01.11",
          "APO08.05",
          "APO09.02",
          "APO09.03",
          "APO09.04",
          "APO09.05",
          "APO11.01",
          "APO11.02",
          "APO11.03",
          "APO11.04",
          "APO11.05"
        ],
        "general-coso-2013": [
          "13"
        ],
        "general-csa-iot-2": [
          "IAM-16"
        ],
        "general-iso-21434-2021": [
          "RQ-05-13"
        ],
        "general-iso-27001-2022": [
          "8.1"
        ],
        "general-iso-27002-2022": [
          "5.37"
        ],
        "general-iso-27017-2015": [
          "12.1.1"
        ],
        "general-iso-27018-2025": [
          "5.2(a)",
          "5.37",
          "8.5(a)"
        ],
        "general-iso-42001-2023": [
          "A.6.2.7",
          "A.6.2.8",
          "A.9",
          "A.9.2",
          "A.9.3",
          "A.9.4"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P5"
        ],
        "general-nist-800-53-r4": [
          "IP-4",
          "IP-4(1)"
        ],
        "general-nist-800-66-r2": [
          "164.310(b)",
          "164.316(b)"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.b"
        ],
        "general-nist-800-218": [
          "PO.3.2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.SADMI"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.1.2"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.310(b)",
          "164.312(e)(2)(ii)",
          "164.316(b)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.310(b)",
          "164.312(e)(2)(ii)",
          "164.316(b)(2)(ii)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IP-4",
          "IP-4(1)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.1",
          "Article 9.2"
        ],
        "emea-deu-bsrit-2017": [
          "8.1",
          "8.2",
          "11.1",
          "11.2",
          "11.3",
          "11.4",
          "11.5",
          "11.6",
          "11.7",
          "11.8"
        ],
        "apac-chn-pipl-2021": [
          "51"
        ],
        "apac-jpn-ismap": [
          "13.1.1.11.P",
          "13.1.4.1.P",
          "13.1.4.2.P",
          "14.1.1.19.P",
          "14.1.1.20.P"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.1.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.3",
          "1.5"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2.1",
          "2.8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.B"
        ]
      }
    },
    {
      "control_id": "OPS-04",
      "title": "Security Operations Center (SOC)",
      "family": "OPS",
      "description": "Mechanisms exist to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability.",
      "scf_question": "Does the organization establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-OPS-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Security Operations (OPS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security operations management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security operations management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations  to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.",
        "3": "Security Operations (OPS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are well-documented and kept current by process owners.\n▪ A Security Operations Center (SOC), or similar function, is appropriately staffed and supported to implement and maintain OPS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security operations management (e.g., SIEM solution, EDR/XDR tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations.\n▪ An implemented and operational capability exists to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability.",
        "4": "Security Operations (OPS) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Outsourced 24x7 Security Operations Center (SOC) through a Managed Security Services Provider (MSSP).",
        "small": "∙ Outsourced 24x7 Security Operations Center (SOC) through a Managed Security Services Provider (MSSP).",
        "medium": "∙ Outsourced 24x7 Security Operations Center (SOC) through a Managed Security Services Provider (MSSP).\n∙ Internal 8x5 staff augmentation",
        "large": "∙ In-house 24x7 Security Operations Center (SOC)",
        "enterprise": "∙ In-house 24x7 Security Operations Center (SOC)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Operations",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SC-38"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(14)",
          "SC-38"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-38"
        ],
        "general-nist-800-82-r3": [
          "IR-04(14)",
          "SC-38"
        ],
        "general-nist-800-161-r1": [
          "SC-38"
        ],
        "general-nist-800-161-r1-level-2": [
          "SC-38"
        ],
        "general-nist-800-161-r1-level-3": [
          "SC-38"
        ],
        "general-nist-800-172": [
          "3.6.1e"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "IR.L3-3.6.1E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.7",
          "7.3",
          "7.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-38"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-38"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-38"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-38"
        ],
        "apac-ind-sebi-2024": [
          "DE.CM.S1"
        ],
        "apac-sgp-mas-trm-2021": [
          "12.2.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.4"
        ]
      }
    },
    {
      "control_id": "OPS-05",
      "title": "Secure Practices Guidelines",
      "family": "OPS",
      "description": "Mechanisms exist to provide guidelines and recommendations for the secure use of Technology Assets, Applications and/or Services (TAAS) to assist in the configuration, installation and use of the product and/or service.",
      "scf_question": "Does the organization provide guidelines and recommendations for the secure use of Technology Assets, Applications and/or Services (TAAS) to assist in the configuration, installation and use of the product and/or service?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Security Operations (OPS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security operations management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security operations management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations  to protect the Confidentiality, Integrity, Availability and Safety (CIAS) of the organization's TAASD.",
        "3": "Security Operations (OPS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are well-documented and kept current by process owners.\n▪ A Security Operations Center (SOC), or similar function, is appropriately staffed and supported to implement and maintain OPS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security operations management (e.g., SIEM solution, EDR/XDR tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations.\n▪ An implemented and operational capability exists to provide guidelines and recommendations for the secure use of Technology Assets, Applications and/or Services (TAAS) to assist in the configuration, installation and use of the product and/or service.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Product / project management",
        "small": "∙ Product / project management",
        "medium": "∙ Product / project management",
        "large": "∙ Product / project management\n∙ Program Management Office (PMO)",
        "enterprise": "∙ Product / project management\n∙ Program Management Office (PMO)"
      },
      "risks": [
        "R-BC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Operations",
      "crosswalks": {
        "general-iso-42001-2023": [
          "A.6.2.7",
          "A.6.2.8"
        ],
        "general-tisax-6-0-3": [
          "9.8.1"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.5.3"
        ],
        "emea-deu-c5-2020": [
          "PSS-01"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.29",
          "4.30"
        ]
      }
    },
    {
      "control_id": "OPS-06",
      "title": "Security Orchestration, Automation, and Response (SOAR)",
      "family": "OPS",
      "description": "Mechanisms exist to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.",
      "scf_question": "Does the organization utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Operations (OPS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with OPS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cybersecurity operations-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Cybersecurity operations are primarily viewed as additional duties for IT staff.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Security Operations (OPS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are well-documented and kept current by process owners.\n▪ A Security Operations Center (SOC), or similar function, is appropriately staffed and supported to implement and maintain OPS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security operations management (e.g., SIEM solution, EDR/XDR tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Cybersecurity personnel create “run books,” or SOPs, to capture operational knowledge in documentation form for critical business functions and/or for sensitive/regulated obligations.\n▪ An implemented and operational capability exists to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Centralized event logging\n∙ Managed Security Services Provider (MSSP)",
        "small": "∙ Centralized event logging\n∙ Security Incident Event Manager (SIEM)\n∙ Managed Security Services Provider (MSSP)",
        "medium": "∙ Centralized event logging\n∙ Security Incident Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)\n∙ Security Orchestration, Automation & Response (SOAR)\n∙ Extended Detection and Response (XDR)",
        "large": "∙ Centralized event logging\n∙ Security Incident Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)\n∙ Security Orchestration, Automation & Response (SOAR)\n∙ Extended Detection and Response (XDR)",
        "enterprise": "∙ Centralized event logging\n∙ Security Incident Event Management (SIEM)\n∙ Managed Security Services Provider (MSSP)\n∙ Security Orchestration, Automation & Response (SOAR)\n∙ Extended Detection and Response (XDR)"
      },
      "risks": [
        "R-GV-1",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Operations",
      "crosswalks": {
        "general-nist-800-172": [
          "3.11.3e"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EN.SOARE"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.3E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.5",
          "6.5.2",
          "6.7.4"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.D.2.d"
        ]
      }
    },
    {
      "control_id": "OPS-07",
      "title": "Shadow Information Technology Detection",
      "family": "OPS",
      "description": "Mechanisms exist to detect the presence of unauthorized Technology Assets, Applications and/or Services (TAAS) in use.",
      "scf_question": "Does the organization detect the presence of unauthorized Technology Assets, Applications and/or Services (TAAS) in use?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Operations (OPS) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with OPS domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Cybersecurity operations-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Cybersecurity operations are primarily viewed as additional duties for IT staff.\n▪ There is no Security Operations Center (SOC) with 24x7x365 operations coverage.",
        "2": "Security Operations (OPS) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security operations management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security operations management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Security Operations (OPS) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with OPS domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with OPS domain capabilities are well-documented and kept current by process owners.\n▪ A Security Operations Center (SOC), or similar function, is appropriately staffed and supported to implement and maintain OPS domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security operations management (e.g., SIEM solution, EDR/XDR tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with OPS domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to detect the presence of unauthorized Technology Assets, Applications and/or Services (TAAS) in use.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Security Operations (OPS) capabilities are metrics-driven, providing sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Product / project management",
        "small": "∙ Product / project management",
        "medium": "∙ Product / project management",
        "large": "∙ Product / project management\n∙ Program Management Office (PMO)",
        "enterprise": "∙ Product / project management\n∙ Program Management Office (PMO)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Operations",
      "crosswalks": {
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.EN.SITDE"
        ],
        "apac-ind-sebi-2024": [
          "ID.AM.S3"
        ]
      }
    },
    {
      "control_id": "SAT-01",
      "title": "Security, Compliance & Resilience-Minded Workforce",
      "family": "SAT",
      "description": "Mechanisms exist to facilitate the implementation of security workforce development and awareness controls.",
      "scf_question": "Does the organization facilitate the implementation of security workforce development and awareness controls?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-02",
        "E-SAT-04",
        "E-SAT-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Users are educated on their responsibilities to protect TAASD assigned to them or under their supervision.\n▪ IT and/or cybersecurity personnel create/govern security and awareness training to meet specific statutory, regulatory and/or contractual compliance obligations.\n▪ Privileged users receive formal security and/or data privacy awareness training to ensure they understand their unique roles and responsibilities.\n▪ The responsibility for training users and enforcing policies may be assigned to the user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of security workforce development and awareness controls.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Security Awareness & Training (SAT) capabilities are metrics-driven, providing sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)",
        "small": "∙ Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)",
        "medium": "∙ Chief Information Security Officer (CISO)",
        "large": "∙ Chief Information Security Officer (CISO)",
        "enterprise": "∙ Chief Information Security Officer (CISO)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed",
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4",
          "CC1.4-POF3",
          "CC2.2-POF8",
          "CC2.2-POF12"
        ],
        "general-bsi-200-1-1-0": [
          "6"
        ],
        "general-cis-csc-8-1": [
          "14.0",
          "14.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "14.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "14.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "14.1"
        ],
        "general-coso-2013": [
          "4"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-11"
        ],
        "general-csa-iot-2": [
          "TRN-01",
          "TRN-02"
        ],
        "general-govramp": [
          "AT-01"
        ],
        "general-govramp-low": [
          "AT-01"
        ],
        "general-govramp-low-plus": [
          "AT-01"
        ],
        "general-govramp-mod": [
          "AT-01"
        ],
        "general-govramp-high": [
          "AT-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.4"
        ],
        "general-iso-21434-2021": [
          "RQ-05-06"
        ],
        "general-iso-27001-2022": [
          "7.4",
          "7.4(a)",
          "7.4(b)",
          "7.4(c)",
          "7.4(d)"
        ],
        "general-iso-27002-2022": [
          "6.3"
        ],
        "general-iso-27018-2025": [
          "6.3"
        ],
        "general-iso-31000-2018": [
          "6.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.3"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(4)(a)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.0",
          "GOVERN 4.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.AT-P",
          "GV.AT-P1",
          "GV.AT-P2",
          "GV.AT-P3",
          "GV.AT-P4"
        ],
        "general-nist-800-53-r4": [
          "AT-1",
          "PM-13"
        ],
        "general-nist-800-53-r5-2": [
          "AT-01",
          "PM-13"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AT-01",
          "PM-13"
        ],
        "general-nist-800-53-r5-2-low": [
          "AT-01"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(5)"
        ],
        "general-nist-800-82-r3": [
          "AT-01",
          "PM-13"
        ],
        "general-nist-800-82-r3-low": [
          "PM-13"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-13"
        ],
        "general-nist-800-82-r3-high": [
          "PM-13"
        ],
        "general-nist-800-161-r1": [
          "AT-1",
          "PM-13"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AT-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "AT-1",
          "PM-13"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-1",
          "PM-13"
        ],
        "general-nist-800-171-r2": [
          "NFO - AT-1"
        ],
        "general-nist-800-171-r3": [
          "03.02.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.02.01.ODP[01]",
          "A.03.02.01.ODP[02]",
          "A.03.02.01.a.01[01]",
          "A.03.02.01.a.01[02]"
        ],
        "general-nist-csf-2-0": [
          "PR.AT"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6",
          "12.6.1",
          "12.6.2",
          "12.6.3",
          "A3.1.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.8",
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6.1",
          "12.6.2",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6.1",
          "12.6.2",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-scf-dpmp-2025": [
          "1.6",
          "7.6"
        ],
        "general-swift-cscf-2025": [
          "7.2"
        ],
        "general-tisax-6-0-3": [
          "8.2.3"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "OTA:SG1",
          "OTA:SG1.SP1",
          "OTA:SG1.SP2",
          "OTA:SG1.SP3",
          "OTA:SG2",
          "OTA:SG2.SP1",
          "OTA:SG2.SP2",
          "OTA:SG2.SP3",
          "OTA:SG3",
          "OTA:SG3.SP1",
          "OTA:SG3.SP2",
          "OTA:SG3.SP3",
          "OTA:SG4",
          "OTA:SG4.SP1",
          "OTA:SG4.SP2",
          "OTA:SG4.SP3",
          "OTA:GG1.GP1",
          "OTA:GG2",
          "OTA:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.UATRA"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.I"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AT-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-2a",
          "WORKFORCE-2b",
          "WORKFORCE-2c",
          "WORKFORCE-4f"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AT-01",
          "PM-13"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AT-01",
          "PM-13"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AT-01",
          "PM-13"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AT-01",
          "PM-13"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(5)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(5)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.D.2",
          "AT-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "AT-1",
          "AT-1.e",
          "AT-1-IS.1",
          "PM-13"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.2.1"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)(3)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(12)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(h)",
          "500.10(a)(2)",
          "500.14(a)(3)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AT-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AT-01"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(3)",
          "3.4.7(49)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.6"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(g)"
        ],
        "emea-eu-nis2-annex-2024": [
          "8.1.3",
          "8.2.5"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "4.9"
        ],
        "emea-deu-c5-2020": [
          "HR-03",
          "DEV-04"
        ],
        "emea-isr-cmo-1-0": [
          "20.1"
        ],
        "emea-qat-pdppl-2020": [
          "11.3"
        ],
        "emea-sau-cgiot-2024": [
          "1-9-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-10-1",
          "1-10-5"
        ],
        "emea-sau-otcc-1-2022": [
          "1-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-7"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.6"
        ],
        "emea-zaf-popia-2013": [
          "4.1.e"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 6.2"
        ],
        "emea-esp-decree-311-2022": [
          "6.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.2.3 [MP.PER.3]",
          "8.2.4 [MP.PER.4]"
        ],
        "emea-gbr-caf-4-0": [
          "B6.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "B6"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0252",
          "ISM-0720",
          "ISM-0735"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 34(2)"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S6",
          "PR.AT.S1"
        ],
        "apac-jpn-ismap": [
          "7.2.2.1",
          "7.2.2.2",
          "7.2.2.3",
          "7.2.2.4",
          "7.2.2.5",
          "7.2.2.6",
          "7.2.2.17",
          "7.2.2.18"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP22",
          "HML22"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP20"
        ],
        "apac-nzl-ism-3-9": [
          "9.1.4.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.6.1",
          "3.6.4",
          "6.1.5"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.7"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.7",
          "1.8",
          "1.9"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.02.01.A"
        ]
      }
    },
    {
      "control_id": "SAT-01.1",
      "title": "Maintaining Workforce Development Relevancy",
      "family": "SAT",
      "description": "Mechanisms exist to periodically review security workforce development and awareness training to account for changes to:\n(1) Organizational policies, standards and procedures;\n(2) Assigned roles and responsibilities;\n(3) Relevant threats and risks; and\n(4) Technological developments.",
      "scf_question": "Does the organization periodically review security workforce development and awareness training to account for changes to:\n(1) Organizational policies, standards and procedures;\n(2) Assigned roles and responsibilities;\n(3) Relevant threats and risks; and\n(4) Technological developments?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Business process owners are required to incorporate vendor-specific security training in support of new technology initiatives.",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically review security workforce development and awareness training to account for changes to:\n(1) Organizational policies, standards and procedures;\n(2) Assigned roles and responsibilities;\n(3) Relevant threats and risks; and\n(4) Technological developments.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Provide role-specific security guidance for IT/admin roles",
        "small": "∙ Role-based security training for IT personnel",
        "medium": "∙ Formal role-based security training program\n∙ IT/admin-specific cybersecurity curriculum",
        "large": "∙ Enterprise role-based security training platform\n∙ Technical security training for IT/admin roles",
        "enterprise": "∙ Enterprise role-based security training program (e.g., KnowBe4, SANS)\n∙ Technical training paths by role\n∙ Certification support"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-bsi-200-1-1-0": [
          "6"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.6"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-3.4-002"
        ],
        "general-swift-cscf-2025": [
          "7.2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-2g",
          "WORKFORCE-4e"
        ],
        "emea-eu-nis2-annex-2024": [
          "8.1.2(a)"
        ],
        "apac-jpn-ismap": [
          "4.5.2.4",
          "4.5.2.5"
        ]
      }
    },
    {
      "control_id": "SAT-02",
      "title": "Security, Compliance & Resilience Awareness Training",
      "family": "SAT",
      "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
      "scf_question": "Does the organization provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-02"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Users are educated on their responsibilities to protect TAASD assigned to them or under their supervision.\n▪ IT and/or cybersecurity personnel create/govern security and awareness training to meet specific statutory, regulatory and/or contractual compliance obligations.",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "4": "Security Awareness & Training (SAT) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Initial & annual security, compliance and resilience awareness training\n∙ KnowBe4 (https://knowbe4.com)",
        "small": "∙ Initial & annual security, compliance and resilience awareness training\n∙ KnowBe4 (https://knowbe4.com)",
        "medium": "∙ Initial & annual security, compliance and resilience awareness training\n∙ KnowBe4 (https://knowbe4.com)",
        "large": "∙ Initial & annual security, compliance and resilience awareness training\n∙ KnowBe4 (https://knowbe4.com)",
        "enterprise": "∙ Initial & annual security, compliance and resilience awareness training\n∙ KnowBe4 (https://knowbe4.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF7",
          "CC2.2-POF8",
          "CC2.2-POF12"
        ],
        "general-bsi-200-1-1-0": [
          "6"
        ],
        "general-cis-csc-8-1": [
          "14.3",
          "14.7",
          "14.8"
        ],
        "general-cis-csc-8-1-ig1": [
          "14.3",
          "14.7",
          "14.8"
        ],
        "general-cis-csc-8-1-ig2": [
          "14.3",
          "14.7",
          "14.8"
        ],
        "general-cis-csc-8-1-ig3": [
          "14.3",
          "14.7",
          "14.8"
        ],
        "general-csa-cmm-4-1-0": [
          "HRS-12"
        ],
        "general-csa-iot-2": [
          "TRN-02"
        ],
        "general-govramp": [
          "AT-02"
        ],
        "general-govramp-low": [
          "AT-02"
        ],
        "general-govramp-low-plus": [
          "AT-02"
        ],
        "general-govramp-mod": [
          "AT-02"
        ],
        "general-govramp-high": [
          "AT-02"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 1.4"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.6",
          "3.5.4.2",
          "3.5.5.3",
          "3.5.6.2"
        ],
        "general-iso-27001-2022": [
          "7.4",
          "7.4(a)",
          "7.4(b)",
          "7.4(c)",
          "7.4(d)"
        ],
        "general-iso-27002-2022": [
          "6.3"
        ],
        "general-iso-27018-2025": [
          "6.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1",
          "OR-3.3"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(5)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-002"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.AT-P1",
          "GV.AT-P2",
          "GV.AT-P3"
        ],
        "general-nist-800-53-r4": [
          "AT-2"
        ],
        "general-nist-800-53-r5-2": [
          "AT-02"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AT-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "AT-02"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(5)"
        ],
        "general-nist-800-82-r3": [
          "AT-02"
        ],
        "general-nist-800-82-r3-low": [
          "AT-02"
        ],
        "general-nist-800-82-r3-mod": [
          "AT-02"
        ],
        "general-nist-800-82-r3-high": [
          "AT-02"
        ],
        "general-nist-800-161-r1": [
          "AT-2"
        ],
        "general-nist-800-171-r2": [
          "3.2.1"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a",
          "03.02.01.a.01",
          "03.02.01.a.02",
          "03.02.01.a.03",
          "03.02.01.b",
          "03.06.04.a.03"
        ],
        "general-nist-800-171a": [
          "3.2.1[a]",
          "3.2.1[b]",
          "3.2.1[c]",
          "3.2.1[d]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.02.01.ODP[03]",
          "A.03.02.01.ODP[04]",
          "A.03.02.01.a.03[03]",
          "A.03.02.01.a.03[04]",
          "A.03.02.01.a.03[05]",
          "A.03.02.01.a.03[06]"
        ],
        "general-nist-csf-2-0": [
          "PR.AT",
          "PR.AT-01"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6",
          "12.6.1",
          "12.6.3",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "8.3.8",
          "12.6.1",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6.1",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.6.1",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6.1",
          "12.6.3",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6.1",
          "12.6.3",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-scf-dpmp-2025": [
          "1.6"
        ],
        "general-swift-cscf-2025": [
          "7.2"
        ],
        "general-tisax-6-0-3": [
          "2.1.3",
          "8.2.3"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.UATRA"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.I"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AT-2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-2a",
          "WORKFORCE-2b",
          "WORKFORCE-2c",
          "WORKFORCE-2d",
          "WORKFORCE-4d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ATL2.-3.2.1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AT-02"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AT-02"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AT-02"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AT-02"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(5)(i)",
          "164.530(b)(2)(i)",
          "164.530(b)(2)(i)(A)",
          "164.530(b)(2)(i)(B)",
          "164.530(b)(2)(i)(C)",
          "164.530(b)(2)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(5)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.D.2.1",
          "AT-2",
          "AT-2(IRS-Defined)-1",
          "AT-2(IRS-Defined)-2"
        ],
        "usa-federal-cms-marse-2-0": [
          "AT-2",
          "AT-2.a",
          "AT-2.b",
          "AT-2-IS.1",
          "AT-2-IS.2"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 1.1",
          "CIP-004-7 R2",
          "CIP-004-7 2.1.1",
          "CIP-004-7 2.1.2",
          "CIP-004-7 2.1.3",
          "CIP-004-7 2.1.4",
          "CIP-004-7 2.1.5",
          "CIP-004-7 2.1.6",
          "CIP-004-7 2.1.7",
          "CIP-004-7 2.1.8",
          "CIP-004-7 2.1.9",
          "CIP-004-7 2.2"
        ],
        "usa-federal-nispom-2020": [
          "§117.12(e)",
          "§117.12(i)",
          "§117.12(j)",
          "§117.12(k)",
          "§117.12(l)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7100(a)",
          "7123(c)(12)",
          "7123(c)(13)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)1",
          "17.04(8)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(2)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(A)(4)",
          "5.8"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AT-02"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AT-02"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(2)(A)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.7(49)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.6"
        ],
        "emea-eu-nis2-annex-2024": [
          "8.1.1",
          "8.1.2"
        ],
        "emea-deu-c5-2020": [
          "HR-03",
          "DEV-04"
        ],
        "emea-isr-cmo-1-0": [
          "20.2"
        ],
        "emea-sau-cgiot-2024": [
          "1-9-1",
          "1-9-2"
        ],
        "emea-sau-ecc-1-2018": [
          "1-10-2",
          "1-10-3",
          "1-10-3-1",
          "1-10-3-2",
          "1-10-3-3",
          "1-10-3-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-7"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.2.3 [MP.PER.3]",
          "8.2.4 [MP.PER.4]"
        ],
        "emea-gbr-caf-4-0": [
          "B6"
        ],
        "emea-gbr-cap-1850-2020": [
          "B6"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2600",
          "2602",
          "2603"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2600",
          "2603"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2600",
          "2602",
          "2603"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2600",
          "2602",
          "2603"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0252",
          "ISM-0824",
          "ISM-1146",
          "ISM-1740"
        ],
        "apac-jpn-ismap": [
          "6.2.1.20",
          "7.2.2",
          "7.2.2.7",
          "7.2.2.8",
          "7.2.2.9",
          "7.2.2.10",
          "7.2.2.11",
          "7.2.2.12",
          "7.2.2.13",
          "7.2.2.15",
          "7.2.2.25"
        ],
        "apac-nzl-ism-3-9": [
          "9.1.5.C.01",
          "9.1.5.C.02",
          "9.1.6.C.01",
          "9.1.6.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.6.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.8",
          "1.9"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A",
          "03.02.01.A.01",
          "03.02.01.A.02",
          "03.02.01.A.03",
          "03.02.01.B",
          "03.06.04.A.03"
        ]
      }
    },
    {
      "control_id": "SAT-02.1",
      "title": "Simulated Cyber Attack Scenario Training",
      "family": "SAT",
      "description": "Mechanisms exist to include simulated actual cyber-attacks through practical exercises that are aligned with current threat scenarios.",
      "scf_question": "Does the organization include simulated actual cyber-attacks through practical exercises that are aligned with current threat scenarios?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-03"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include simulated actual cyber-attacks through practical exercises that are aligned with current threat scenarios.",
        "4": "Security Awareness & Training (SAT) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Provide basic insider threat awareness information to staff",
        "small": "∙ Insider threat awareness training module",
        "medium": "∙ Formal insider threat awareness program\n∙ Annual training for all staff",
        "large": "∙ Enterprise insider threat awareness and behavior monitoring program",
        "enterprise": "∙ Enterprise insider threat program (NITTF-aligned)\n∙ Dedicated insider threat team\n∙ UEBA for behavioral monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR6.2.2"
        ],
        "general-nist-800-53-r4": [
          "AT-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "AT-02(01)",
          "AT-06"
        ],
        "general-nist-800-82-r3": [
          "AT-02(01)",
          "AT-06"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AT-02(01)"
        ],
        "general-nist-800-161-r1": [
          "AT-2(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-2(1)"
        ],
        "general-scf-dpmp-2025": [
          "1.6"
        ],
        "usa-federal-irs-1075-2021": [
          "AT-2(CE-1)",
          "AT-6"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2605"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2605"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2605"
        ]
      }
    },
    {
      "control_id": "SAT-02.2",
      "title": "Social Engineering & Mining",
      "family": "SAT",
      "description": "Mechanisms exist to include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining.",
      "scf_question": "Does the organization include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-02"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Users are educated on their responsibilities to protect TAASD assigned to them or under their supervision.\n▪ IT and/or cybersecurity personnel create/govern security and awareness training to meet specific statutory, regulatory and/or contractual compliance obligations.\n▪ Privileged users receive formal security and/or data privacy awareness training to ensure they understand their unique roles and responsibilities.\n▪ The responsibility for training users and enforcing policies may be assigned to a user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.\n▪ Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Security Awareness & Training (SAT) capabilities are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Train staff to recognize and report suspicious behavior",
        "small": "∙ Security awareness training including insider threat recognition",
        "medium": "∙ Formal security awareness program including insider threat indicators",
        "large": "∙ Enterprise security awareness program with insider threat focus\n∙ Reporting hotline",
        "enterprise": "∙ Enterprise security culture program\n∙ Anonymous reporting hotline\n∙ Insider threat training integration\n∙ Regular awareness campaigns"
      },
      "risks": [
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "9.0",
          "14.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "14.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "14.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "14.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.3"
        ],
        "general-nist-800-53-r5-2": [
          "AT-02(03)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AT-02(03)"
        ],
        "general-nist-800-82-r3": [
          "AT-02(03)"
        ],
        "general-nist-800-82-r3-mod": [
          "AT-02(03)"
        ],
        "general-nist-800-82-r3-high": [
          "AT-02(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AT-02(03)"
        ],
        "general-nist-800-161-r1": [
          "AT-2(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-2(3)"
        ],
        "general-nist-800-171-r3": [
          "03.02.01.a.03"
        ],
        "general-nist-800-172": [
          "3.2.1e"
        ],
        "general-pci-dss-4-0-1": [
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.6.3.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AT-2(3)"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AT.L3-3.2.1E"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AT-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AT-02(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "AT-2(CE-3)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AT-02 (03)"
        ],
        "emea-isr-cmo-1-0": [
          "20.4"
        ],
        "emea-sau-ecc-1-2018": [
          "1-10-3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2602"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2602"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2602"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0817"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.8",
          "1.9"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.02.01.A.03"
        ]
      }
    },
    {
      "control_id": "SAT-03",
      "title": "Role-Based Security, Compliance & Resilience Training",
      "family": "SAT",
      "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
      "scf_question": "Does the organization provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-05"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.\n▪ IT/cybersecurity personnel self-manage their professional certification requirements to support their assigned duties.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Users are educated on their responsibilities to protect TAASD assigned to them or under their supervision.\n▪ IT and/or cybersecurity personnel create/govern security and awareness training to meet specific statutory, regulatory and/or contractual compliance obligations.\n▪ Privileged users receive formal security and/or data privacy awareness training to ensure they understand their unique roles and responsibilities.\n▪ The responsibility for training users and enforcing policies may be assigned to a user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.\n▪ Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Security Awareness & Training (SAT) capabilities are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ KnowBe4 (https://knowbe4.com)",
        "small": "∙ KnowBe4 (https://knowbe4.com)",
        "medium": "∙ KnowBe4 (https://knowbe4.com)",
        "large": "∙ KnowBe4 (https://knowbe4.com)",
        "enterprise": "∙ KnowBe4 (https://knowbe4.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.4-POF7",
          "CC2.2-POF12",
          "CC2.2-POF13"
        ],
        "general-bsi-200-1-1-0": [
          "6"
        ],
        "general-cis-csc-8-1": [
          "14.3",
          "14.4",
          "14.7",
          "14.8",
          "14.9",
          "16.9"
        ],
        "general-cis-csc-8-1-ig1": [
          "14.3",
          "14.4",
          "14.7",
          "14.8"
        ],
        "general-cis-csc-8-1-ig2": [
          "14.3",
          "14.4",
          "14.7",
          "14.8",
          "14.9",
          "16.9"
        ],
        "general-cis-csc-8-1-ig3": [
          "14.3",
          "14.4",
          "14.7",
          "14.8",
          "14.9",
          "16.9"
        ],
        "general-csa-cmm-4-1-0": [
          "DCS-12"
        ],
        "general-csa-iot-2": [
          "TRN-01",
          "TRN-02"
        ],
        "general-govramp": [
          "AT-03"
        ],
        "general-govramp-low": [
          "AT-03"
        ],
        "general-govramp-low-plus": [
          "AT-03"
        ],
        "general-govramp-mod": [
          "AT-03"
        ],
        "general-govramp-high": [
          "AT-03"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 1.5"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-4"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.6",
          "3.5.5.3",
          "3.5.6.2"
        ],
        "general-iso-27002-2022": [
          "5.4",
          "6.3"
        ],
        "general-iso-27018-2025": [
          "6.3"
        ],
        "general-iso-27701-2025": [
          "7.2"
        ],
        "general-iso-29100-2024": [
          "6.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.1",
          "OR-3.3"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(5)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.0",
          "GOVERN 2.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.AT-P1",
          "GV.AT-P2",
          "GV.AT-P3"
        ],
        "general-nist-800-53-r4": [
          "AT-3"
        ],
        "general-nist-800-53-r5-2": [
          "AT-03",
          "AT-03(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AT-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "AT-03"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(5)"
        ],
        "general-nist-800-82-r3": [
          "AT-03",
          "AT-03(02)"
        ],
        "general-nist-800-82-r3-low": [
          "AT-03"
        ],
        "general-nist-800-82-r3-mod": [
          "AT-03"
        ],
        "general-nist-800-82-r3-high": [
          "AT-03"
        ],
        "general-nist-800-161-r1": [
          "AT-3",
          "AT-3(2)",
          "AT-3(6)"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AT-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AT-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-3",
          "AT-3(2)",
          "AT-3(6)"
        ],
        "general-nist-800-171-r2": [
          "3.2.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a",
          "03.02.01.a.01",
          "03.02.01.a.02",
          "03.02.02.a",
          "03.02.02.a.01",
          "03.02.02.a.02",
          "03.02.02.b",
          "03.06.04.a",
          "03.06.04.a.01",
          "03.06.04.a.02",
          "03.06.04.b"
        ],
        "general-nist-800-171a": [
          "3.2.2[a]",
          "3.2.2[b]",
          "3.2.2[c]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.02.02.ODP[01]",
          "A.03.02.02.ODP[02]",
          "A.03.02.02.ODP[03]",
          "A.03.02.02.ODP[04]",
          "A.03.02.02.a.01[01]",
          "A.03.02.02.a.01[02]",
          "A.03.02.02.a.01[03]",
          "A.03.02.02.a.02",
          "A.03.02.02.b[01]",
          "A.03.02.02.b[02]",
          "A.03.06.04.a.01",
          "A.03.06.04.a.02",
          "A.03.06.04.a.03"
        ],
        "general-nist-800-172": [
          "3.2.1e"
        ],
        "general-nist-800-218": [
          "PO.2.2"
        ],
        "general-nist-csf-2-0": [
          "PR.AT",
          "PR.AT-01",
          "PR.AT-02"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.2",
          "6.2.2",
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6",
          "12.6.1",
          "12.6.3",
          "12.6.3.1",
          "12.6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.2",
          "8.3.8",
          "12.6.1",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.2",
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6.1",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.6.1",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.2",
          "6.2.2",
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6.1",
          "12.6.3",
          "12.6.3.1",
          "12.6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.2",
          "6.2.2",
          "8.3.8",
          "9.5.1",
          "9.5.1.3",
          "12.6.1",
          "12.6.3",
          "12.6.3.1",
          "12.6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1",
          "9.5.1.3",
          "12.6.1"
        ],
        "general-scf-dpmp-2025": [
          "1.6"
        ],
        "general-sparta": [
          "CM0041"
        ],
        "general-swift-cscf-2025": [
          "7.2"
        ],
        "general-tisax-6-0-3": [
          "2.1.4",
          "9.7.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG2.GP5",
          "AM:GG2.GP5",
          "COMM:GG2.GP5",
          "COMP:GG2.GP5",
          "CTRL:GG2.GP5",
          "EC:GG2.GP5",
          "EF:GG2.GP5",
          "EXD:GG2.GP5",
          "FRM:GG2.GP5",
          "HRM:GG2.GP5",
          "ID:GG2.GP5",
          "IMC:GG2.GP5",
          "KIM:GG2.GP5",
          "MA:GG2.GP5",
          "MON:GG2.GP5",
          "OPD:GG2.GP5",
          "OPF:GG2.GP5",
          "OTA:GG2.GP5",
          "PM:GG2.GP5",
          "RISK:GG2.GP5",
          "RRD:GG2.GP5",
          "RRM:GG2.GP5",
          "RTSE:GG2.GP5",
          "SC:GG2.GP5",
          "TM:GG2.GP5",
          "VAR:GG2.GP5",
          "GG2.GP5"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.UATRA"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.I",
          "2.J"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AT-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "WORKFORCE-2e",
          "WORKFORCE-2f",
          "WORKFORCE-4a"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ATL2.-3.2.2"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AT.L3-3.2.1E"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AT-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AT-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AT-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AT-03"
        ],
        "usa-federal-sro-finra": [
          "248.201(e)(3)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(5)(ii)(C)",
          "164.308(a)(5)(ii)(D)",
          "164.530(b)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(5)(ii)(C)",
          "164.308(a)(5)(ii)(D)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.D.2.1",
          "AT-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "AT-3",
          "AT-3.a",
          "AT-3.b",
          "AT-3-IS.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-004-7 2.2",
          "CIP-004-7 2.3"
        ],
        "usa-federal-nispom-2020": [
          "§117.12(a)",
          "§117.12(b)",
          "§117.12(e)(6)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7100(a)",
          "7123(c)(12)",
          "7123(c)(13)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AT-03",
          "PE-01-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AT-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AT-03"
        ],
        "emea-eu-ai-act-2024": [
          "Article 9.5(c)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(3)",
          "3.4.7(49)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.6"
        ],
        "emea-eu-nis2-annex-2024": [
          "8.2.1",
          "8.2.2",
          "8.2.3",
          "8.2.3(a)",
          "8.2.3(c)",
          "8.2.4"
        ],
        "emea-deu-c5-2020": [
          "DEV-04"
        ],
        "emea-isr-cmo-1-0": [
          "20.2",
          "25.3"
        ],
        "emea-qat-pdppl-2020": [
          "11.3"
        ],
        "emea-sau-cgiot-2024": [
          "1-9-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-10-3",
          "1-10-3-1",
          "1-10-3-2",
          "1-10-3-3",
          "1-10-3-4",
          "1-10-4",
          "1-10-4-1",
          "1-10-4-2",
          "1-10-4-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-8-1",
          "1-8-2",
          "1-8-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-7"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.6",
          "3.1.7"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.2.3 [MP.PER.3]",
          "8.2.4 [MP.PER.4]"
        ],
        "emea-gbr-caf-4-0": [
          "B6.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2321",
          "2602"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2321"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2321",
          "2602"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2321",
          "2602"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1146",
          "ISM-1565",
          "ISM-1740"
        ],
        "apac-chn-data-security-law-2021": [
          "27"
        ],
        "apac-ind-sebi-2024": [
          "PR.AT.S2"
        ],
        "apac-jpn-ismap": [
          "4.5.2.4",
          "4.5.3.1",
          "7.2.1.6",
          "7.2.2.14",
          "7.2.2.19.PB"
        ],
        "apac-nzl-ism-3-9": [
          "9.1.6.C.01",
          "9.1.6.C.02",
          "9.1.6.C.03"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.6.2",
          "3.6.3",
          "6.1.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.7",
          "1.8",
          "1.9"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A",
          "03.02.01.A.01",
          "03.02.01.A.02",
          "03.02.02.A",
          "03.02.02.A.01",
          "03.02.02.A.02",
          "03.02.02.B",
          "03.06.04.A",
          "03.06.04.A.01",
          "03.06.04.A.02",
          "03.06.04.B"
        ]
      }
    },
    {
      "control_id": "SAT-03.1",
      "title": "Practical Exercises",
      "family": "SAT",
      "description": "Mechanisms exist to include practical exercises in security, compliance and resilience training that reinforce training objectives.",
      "scf_question": "Does the organization include practical exercises in security, compliance and resilience training that reinforce training objectives?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-03"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include practical exercises in security, compliance and resilience training that reinforce training objectives.",
        "4": "Security Awareness & Training (SAT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Provide security training specific to developers",
        "small": "∙ Developer-specific secure coding training",
        "medium": "∙ Formal secure coding training program for developers (e.g., OWASP training)",
        "large": "∙ Enterprise developer security training (e.g., Secure Code Warrior, Checkmarx)\n∙ Security champions program",
        "enterprise": "∙ Enterprise developer security training platform (e.g., Secure Code Warrior, Veracode eLearning)\n∙ Security champions\n∙ Gamified training"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "14.9"
        ],
        "general-cis-csc-8-1-ig2": [
          "14.9"
        ],
        "general-cis-csc-8-1-ig3": [
          "14.9"
        ],
        "general-govramp": [
          "AT-03(03)"
        ],
        "general-govramp-high": [
          "AT-03(03)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.6"
        ],
        "general-nist-800-53-r4": [
          "AT-3(3)"
        ],
        "general-nist-800-53-r5-2": [
          "AT-03(03)"
        ],
        "general-nist-800-82-r3": [
          "AT-03(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AT-03(03)"
        ],
        "general-nist-800-172": [
          "3.2.2e"
        ],
        "general-scf-dpmp-2025": [
          "1.6"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AT.L3-3.2.2E"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2605"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2605"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2605"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.7"
        ]
      }
    },
    {
      "control_id": "SAT-03.2",
      "title": "Suspicious Communications & Anomalous System Behavior",
      "family": "SAT",
      "description": "Mechanisms exist to provide training to personnel on organization-defined indicators of malware to recognize suspicious communications and anomalous behavior.",
      "scf_question": "Does the organization provide training to personnel on organization-defined indicators of malware to recognize suspicious communications and anomalous behavior?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Users are educated on their responsibilities to protect TAASD assigned to them or under their supervision.\n▪ IT and/or cybersecurity personnel create/govern security and awareness training to meet specific statutory, regulatory and/or contractual compliance obligations.\n▪ Privileged users receive formal security and/or data privacy awareness training to ensure they understand their unique roles and responsibilities.\n▪ The responsibility for training users and enforcing policies may be assigned to user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.\n▪ Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).\n▪ Security awareness training covers reporting of unauthorized alterations and evidence of tampering of equipment",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide training to personnel on organization-defined indicators of malware to recognize suspicious communications and anomalous behavior.",
        "4": "Security Awareness & Training (SAT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Provide security training for system administrators",
        "small": "∙ Role-specific security training for system administrators",
        "medium": "∙ Formal privileged user security training program",
        "large": "∙ Enterprise privileged user security training program\n∙ Regular refresher training",
        "enterprise": "∙ Enterprise role-based technical security training (e.g., SANS courses)\n∙ Privileged user training tracks\n∙ Annual recertification"
      },
      "risks": [
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF13",
          "CC2.3-POF12"
        ],
        "general-cis-csc-8-1": [
          "14.6"
        ],
        "general-cis-csc-8-1-ig1": [
          "14.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "14.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "14.6"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.4.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.3"
        ],
        "general-nist-800-53-r4": [
          "AT-3(4)"
        ],
        "general-nist-800-53-r5-2": [
          "AT-02(04)",
          "AT-02(05)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(5)"
        ],
        "general-nist-800-82-r3": [
          "AT-02(04)",
          "AT-02(05)"
        ],
        "general-nist-800-82-r3-mod": [
          "AT-02(04)"
        ],
        "general-nist-800-82-r3-high": [
          "AT-02(04)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "AT-02(05)"
        ],
        "general-nist-800-161-r1": [
          "AT-2(4)",
          "AT-2(5)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-2(4)",
          "AT-2(5)"
        ],
        "general-nist-800-172": [
          "3.2.1e"
        ],
        "general-pci-dss-4-0-1": [
          "11.5",
          "11.5.1",
          "11.5.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "11.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.5.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.5.1",
          "11.5.1.1"
        ],
        "general-scf-dpmp-2025": [
          "1.6"
        ],
        "general-sparta": [
          "CM0041"
        ],
        "general-swift-cscf-2025": [
          "2.9"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.BBASE",
          "3.UNI.DTDIS"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AT.L3-3.2.1E"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(5)(ii)(B)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(5)(ii)(B)"
        ],
        "usa-federal-irs-1075-2021": [
          "AT-2(CE-4)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.14(a)(1)"
        ],
        "emea-eu-nis2-annex-2024": [
          "3.3.1",
          "3.3.2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-8-1",
          "1-8-2",
          "1-8-3",
          "2-3-1-12"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2602"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2602"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2602"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0817",
          "ISM-0824",
          "ISM-1740"
        ],
        "apac-sgp-mas-trm-2021": [
          "9.2.2",
          "11.5.5",
          "12.2.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.8",
          "1.9"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.7"
        ]
      }
    },
    {
      "control_id": "SAT-03.3",
      "title": "Sensitive / Regulated Data Storage, Handling & Processing",
      "family": "SAT",
      "description": "Mechanisms exist to ensure that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements.",
      "scf_question": "Does the organization ensure that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Users are educated on their responsibilities to protect TAASD assigned to them or under their supervision.\n▪ IT and/or cybersecurity personnel create/govern security and awareness training to meet specific statutory, regulatory and/or contractual compliance obligations.\n▪ Privileged users receive formal security and/or data privacy awareness training to ensure they understand their unique roles and responsibilities.\n▪ The responsibility for training users and enforcing policies may be assigned to user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.\n▪ Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements.",
        "4": "Security Awareness & Training (SAT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Provide security training for executives and leadership",
        "small": "∙ Executive security awareness briefing",
        "medium": "∙ Formal executive security awareness program\n∙ Board-level cybersecurity briefings",
        "large": "∙ Enterprise executive security program\n∙ Board cybersecurity education\n∙ Executive threat briefings",
        "enterprise": "∙ Enterprise board and executive security education program\n∙ Regular threat briefings\n∙ Tabletop exercises for leadership"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF3"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.2-POF9"
        ],
        "general-cis-csc-8-1": [
          "14.5"
        ],
        "general-cis-csc-8-1-ig1": [
          "14.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "14.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "14.5"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-17"
        ],
        "general-csa-iot-2": [
          "TRN-02"
        ],
        "general-iso-27018-2025": [
          "6.3(a)"
        ],
        "general-iso-29100-2024": [
          "6.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.3"
        ],
        "general-nist-800-53-r4": [
          "AR-5"
        ],
        "general-nist-800-53-r5-2": [
          "AT-03(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AT-03(05)"
        ],
        "general-nist-800-82-r3": [
          "AT-03(05)"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a",
          "03.02.01.a.01",
          "03.02.02.a.01"
        ],
        "general-nist-800-218": [
          "PO.2.2"
        ],
        "general-pci-dss-4-0-1": [
          "9.5.1",
          "9.5.1.3",
          "12.6.3.1",
          "12.6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1",
          "9.5.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1",
          "9.5.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.5.1",
          "9.5.1.3",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.5.1",
          "9.5.1.3",
          "12.6.3.1",
          "12.6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.5.1",
          "9.5.1.3",
          "12.6.3.1",
          "12.6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1",
          "9.5.1.3"
        ],
        "general-scf-dpmp-2025": [
          "1.6"
        ],
        "general-sparta": [
          "CM0041"
        ],
        "general-swift-cscf-2025": [
          "7.2"
        ],
        "general-tisax-6-0-3": [
          "2.1.4"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AT-3(5)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.D.2.1-1.1",
          "2.D.2.1-1.2",
          "2.D.2.1-1.3",
          "2.D.2.1-1.4",
          "2.D.2.1-2.1",
          "2.D.2.1-2.2",
          "2.D.2.1-2.3",
          "2.D.2.1-2.4",
          "2.D.2.1-2.5",
          "2.D.2.1-2.6",
          "2.D.2.1-2.7"
        ],
        "usa-federal-cms-marse-2-0": [
          "AR-5",
          "AR-5.a",
          "AR-5.b",
          "AR-5.c"
        ],
        "usa-federal-nispom-2020": [
          "§117.12(a)",
          "§117.12(d)",
          "§117.12(e)(3)",
          "§117.12(e)(4)",
          "§117.12(e)(5)",
          "§117.12(f)",
          "§117.12(h)",
          "§117.12(h)(1)",
          "§117.12(h)(2)",
          "§117.12(h)(2)(i)",
          "§117.12(h)(2)(ii)",
          "§117.12(h)(2)(iii)",
          "§117.12(h)(2)(iv)",
          "§117.12(h)(2)(v)",
          "§117.12(h)(2)(vi)",
          "§117.12(h)(2)(vii)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "12-2.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7100(a)",
          "7123(c)(12)",
          "7123(c)(13)"
        ],
        "usa-state-il-ipa-2009": [
          "35(a)(2)",
          "37(a)(2)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(8)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(2)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(8)"
        ],
        "emea-isr-cmo-1-0": [
          "20.3"
        ],
        "emea-qat-pdppl-2020": [
          "11.3"
        ],
        "emea-sau-ecc-1-2018": [
          "1-10-4-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.7"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2602"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2602"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2602"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0831",
          "ISM-1059"
        ],
        "apac-jpn-ismap": [
          "7.2.2.16",
          "7.2.2.19.PB"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.6.2",
          "3.6.3",
          "6.1.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A",
          "03.02.01.A.01",
          "03.02.02.A.01"
        ]
      }
    },
    {
      "control_id": "SAT-03.4",
      "title": "Vendor Security, Compliance & Resilience Training",
      "family": "SAT",
      "description": "Mechanisms exist to incorporate vendor-specific security, compliance and resilience training in support of new technology initiatives.",
      "scf_question": "Does the organization incorporate vendor-specific security, compliance and resilience training in support of new technology initiatives?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-04",
        "E-SAT-05"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to incorporate vendor-specific security, compliance and resilience training in support of new technology initiatives.",
        "4": "Security Awareness & Training (SAT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Provide security training for third-party vendors with access to systems",
        "small": "∙ Vendor security training and awareness requirements",
        "medium": "∙ Formal vendor security training requirements in contracts",
        "large": "∙ Enterprise vendor security training and awareness program",
        "enterprise": "∙ Enterprise third-party security awareness program\n∙ Contractual training requirements\n∙ Vendor compliance monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.J"
        ],
        "emea-deu-c5-2020": [
          "DEV-04"
        ]
      }
    },
    {
      "control_id": "SAT-03.5",
      "title": "Privileged Users",
      "family": "SAT",
      "description": "Mechanisms exist to provide specific training for privileged users to ensure privileged users understand their unique roles and responsibilities.",
      "scf_question": "Does the organization provide specific training for privileged users to ensure privileged users understand their unique roles and responsibilities?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-05"
      ],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Users are educated on their responsibilities to protect TAASD assigned to them or under their supervision.\n▪ IT and/or cybersecurity personnel create/govern security and awareness training to meet specific statutory, regulatory and/or contractual compliance obligations.\n▪ Privileged users receive formal security and/or data privacy awareness training to ensure they understand their unique roles and responsibilities.\n▪ The responsibility for training users and enforcing policies may be assigned to user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.\n▪ Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide specific training for privileged users to ensure privileged users understand their unique roles and responsibilities.",
        "4": "Security Awareness & Training (SAT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Provide security training for physical security personnel",
        "small": "∙ Physical security staff security training",
        "medium": "∙ Formal physical security personnel security training program",
        "large": "∙ Enterprise physical security training program\n∙ Specialized training for physical security roles",
        "enterprise": "∙ Enterprise physical security training and certification program\n∙ Regular exercises and drills"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF9"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.2"
        ],
        "general-nist-800-171-r3": [
          "03.02.01.a.01",
          "03.02.02.a.01"
        ],
        "general-nist-800-218": [
          "PO.2.2"
        ],
        "general-nist-csf-2-0": [
          "PR.AT-02"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.2"
        ],
        "general-shared-assessments-sig-2025": [
          "P.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.J"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(3)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(2)"
        ],
        "emea-sau-ecc-1-2018": [
          "1-10-4-1"
        ],
        "emea-sau-otcc-1-2022": [
          "1-8-1",
          "1-8-2",
          "1-8-3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1565"
        ],
        "apac-ind-sebi-2024": [
          "PR.AT.S2"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.5"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.7"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.02.01.A.01",
          "03.02.02.A.01"
        ]
      }
    },
    {
      "control_id": "SAT-03.6",
      "title": "Cyber Threat Environment",
      "family": "SAT",
      "description": "Mechanisms exist to provide role-based security, compliance and resilience awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations.",
      "scf_question": "Does the organization provide role-based security, compliance and resilience awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-04"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Users are educated on their responsibilities to protect TAASD assigned to them or under their supervision.\n▪ IT and/or cybersecurity personnel create/govern security and awareness training to meet specific statutory, regulatory and/or contractual compliance obligations.\n▪ Privileged users receive formal security and/or data privacy awareness training to ensure they understand their unique roles and responsibilities.\n▪ The responsibility for training users and enforcing policies may be assigned to user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.\n▪ Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).\n▪ Business process owners are required to incorporate vendor-specific security training in support of new technology initiatives.\n▪ Security awareness training covers recommended practices for securing laptops and mobile devices while traveling.\n▪ Security awareness training covers reporting of unauthorized alterations and evidence of tampering of equipment.",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide role-based security, compliance and resilience awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters",
        "small": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters",
        "medium": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters\n∙ InfraGard (https://infragard.org)",
        "large": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters\n∙ InfraGard (https://infragard.org)",
        "enterprise": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters\n∙ InfraGard (https://infragard.org)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF8"
        ],
        "general-bsi-200-1-1-0": [
          "4.2",
          "6"
        ],
        "general-csa-iot-2": [
          "TRN-02"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.6",
          "3.5.4.2"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.2"
        ],
        "general-nist-800-53-r5-2": [
          "AT-02(06)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(5)"
        ],
        "general-nist-800-82-r3": [
          "AT-02(06)"
        ],
        "general-nist-800-161-r1": [
          "AT-2(6)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-2(6)"
        ],
        "general-nist-800-171-r2": [
          "3.2.3"
        ],
        "general-nist-800-171-r3": [
          "03.02.01.a.01",
          "03.02.01.a.02",
          "03.02.01.a.03",
          "03.02.01.b",
          "03.02.02.a.01",
          "03.02.02.a.02",
          "03.02.02.b",
          "03.06.04.a.02"
        ],
        "general-nist-800-171a-r3": [
          "A.03.02.01.a.02",
          "A.03.02.01.b[01]",
          "A.03.02.01.b[02]"
        ],
        "general-nist-800-172": [
          "3.2.1e",
          "3.2.2e"
        ],
        "general-nist-800-218": [
          "PO.2.2"
        ],
        "general-nist-csf-2-0": [
          "PR.AT-01",
          "PR.AT-02"
        ],
        "general-pci-dss-4-0-1": [
          "9.5.1",
          "9.5.1.3",
          "12.6.3",
          "12.6.3.1",
          "12.6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "9.5.1",
          "9.5.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "9.5.1",
          "9.5.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "9.5.1",
          "9.5.1.3",
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "9.5.1",
          "9.5.1.3",
          "12.6.3",
          "12.6.3.1",
          "12.6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "9.5.1",
          "9.5.1.3",
          "12.6.3",
          "12.6.3.1",
          "12.6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "9.5.1",
          "9.5.1.3"
        ],
        "general-scf-dpmp-2025": [
          "1.6"
        ],
        "general-shared-assessments-sig-2025": [
          "P.4"
        ],
        "general-sparta": [
          "CM0041"
        ],
        "general-swift-cscf-2025": [
          "7.2"
        ],
        "general-tisax-6-0-3": [
          "2.1.4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "2.I"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "AT.L2-3.2.3"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "AT.L3-3.2.1E",
          "AT.L3-3.2.2E"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(5)(ii)(A)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(5)(ii)(A)"
        ],
        "usa-federal-nispom-2020": [
          "§117.12(e)(1)",
          "§117.12(e)(2)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(12)",
          "7123(c)(13)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(2)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.6"
        ],
        "emea-eu-nis2-annex-2024": [
          "8.1.2(b)",
          "8.1.2(c)",
          "8.2.3(b)"
        ],
        "emea-sau-cgiot-2024": [
          "1-9-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-8-1",
          "1-8-2",
          "1-8-3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2601",
          "2602",
          "2603",
          "3106"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2603"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2601",
          "2602",
          "2603",
          "3106"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2601",
          "2602",
          "2603",
          "3106"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.7",
          "1.8",
          "1.9"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.02.01.A.01",
          "03.02.01.A.02",
          "03.02.01.A.03",
          "03.02.01.B",
          "03.02.02.A.01",
          "03.02.02.A.02",
          "03.02.02.B",
          "03.06.04.A.02"
        ]
      }
    },
    {
      "control_id": "SAT-03.7",
      "title": "Continuing Professional Education (CPE) - Security, Compliance & Resilience Personnel",
      "family": "SAT",
      "description": "Mechanisms exist to ensure security, compliance and resilience personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities.",
      "scf_question": "Does the organization ensure security, compliance and resilience personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-01",
        "E-SAT-04"
      ],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure security, compliance and resilience personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Annual security awareness training",
        "small": "∙ Security awareness training platform (e.g., KnowBe4 free tier)\n∙ Annual completion tracking",
        "medium": "∙ Minimum requirements for Continuing Professional Education (CPE)",
        "large": "∙ Minimum requirements for Continuing Professional Education (CPE)",
        "enterprise": "∙ Minimum requirements for Continuing Professional Education (CPE)"
      },
      "risks": [
        "R-BC-1",
        "R-BC-3",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4",
        "R-SA-2"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4",
          "CC1.4-POF3",
          "CC1.4-POF7"
        ],
        "general-cis-csc-8-1": [
          "14.9"
        ],
        "general-cis-csc-8-1-ig2": [
          "14.9"
        ],
        "general-cis-csc-8-1-ig3": [
          "14.9"
        ],
        "general-iso-27701-2025": [
          "7.2"
        ],
        "general-nist-800-171-r3": [
          "03.06.04.b"
        ],
        "general-nist-csf-2-0": [
          "PR.AT-02"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(e)(4)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(3)"
        ],
        "apac-jpn-ismap": [
          "4.5.2.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.06.04.B"
        ]
      }
    },
    {
      "control_id": "SAT-03.8",
      "title": "Continuing Professional Education (CPE) - DevOps Personnel",
      "family": "SAT",
      "description": "Mechanisms exist to ensure application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats.",
      "scf_question": "Does the organization ensure application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Annual security awareness training",
        "small": "∙ Security awareness training platform (e.g., KnowBe4 free tier)\n∙ Annual completion tracking",
        "medium": "∙ Minimum requirements for Continuing Professional Education (CPE)",
        "large": "∙ Minimum requirements for Continuing Professional Education (CPE)",
        "enterprise": "∙ Minimum requirements for Continuing Professional Education (CPE)"
      },
      "risks": [
        "R-BC-1",
        "R-BC-3",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4",
        "R-SA-2"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF7"
        ],
        "general-cis-csc-8-1": [
          "16.9"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.9"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.9"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1780"
        ]
      }
    },
    {
      "control_id": "SAT-03.9",
      "title": "Counterintelligence Training",
      "family": "SAT",
      "description": "Mechanisms exist to provide specialized counterintelligence awareness training that enables personnel to collect, interpret and act upon a range of data sources that may signal the presence of a hostile actor.",
      "scf_question": "Does the organization provide specialized counterintelligence awareness training that enables personnel to collect, interpret and act upon a range of data sources that may signal the presence of a hostile actor?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide specialized counterintelligence awareness training that enables personnel to collect, interpret and act upon a range of data sources that may signal the presence of a hostile actor.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Provide basic counterintelligence awareness training to all staff",
        "small": "∙ Counterintelligence awareness training for all personnel",
        "medium": "∙ Formal counterintelligence awareness training program\n∙ Annual completion tracking",
        "large": "∙ Enterprise counterintelligence training program\n∙ Role-based counterintelligence training\n∙ Compliance tracking",
        "enterprise": "∙ Enterprise counterintelligence training platform\n∙ Role-specific curricula\n∙ Automated completion tracking\n∙ Regulatory compliance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Security Awareness & Training",
      "crosswalks": {}
    },
    {
      "control_id": "SAT-04",
      "title": "Security, Compliance & Resilience Training Records",
      "family": "SAT",
      "description": "Mechanisms exist to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
      "scf_question": "Does the organization document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-02",
        "E-SAT-03",
        "E-SAT-04",
        "E-SAT-05",
        "E-SAT-06",
        "E-SAT-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.\n▪ IT/cybersecurity personnel self-manage their professional certification requirements to support their assigned duties.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel self-manage their professional certification requirements to support their assigned duties.",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
        "4": "Security Awareness & Training (SAT) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ KnowBe4 (https://knowbe4.com)",
        "small": "∙ KnowBe4 (https://knowbe4.com)",
        "medium": "∙ KnowBe4 (https://knowbe4.com)",
        "large": "∙ KnowBe4 (https://knowbe4.com)",
        "enterprise": "∙ KnowBe4 (https://knowbe4.com)"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "general-govramp": [
          "AT-04"
        ],
        "general-govramp-low": [
          "AT-04"
        ],
        "general-govramp-low-plus": [
          "AT-04"
        ],
        "general-govramp-mod": [
          "AT-04"
        ],
        "general-govramp-high": [
          "AT-04"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.3"
        ],
        "general-nist-800-53-r4": [
          "AT-4"
        ],
        "general-nist-800-53-r5-2": [
          "AT-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AT-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "AT-04"
        ],
        "general-nist-800-82-r3": [
          "AT-04"
        ],
        "general-nist-800-82-r3-low": [
          "AT-04"
        ],
        "general-nist-800-82-r3-mod": [
          "AT-04"
        ],
        "general-nist-800-82-r3-high": [
          "AT-04"
        ],
        "general-nist-800-161-r1": [
          "AT-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AT-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-4"
        ],
        "general-nist-800-171-r2": [
          "NFO - AT-4"
        ],
        "general-pci-dss-4-0-1": [
          "12.6",
          "12.6.1",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.6.1",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.6.1",
          "12.6.3"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.6.1"
        ],
        "general-scf-dpmp-2025": [
          "1.6"
        ],
        "general-tisax-6-0-3": [
          "8.2.3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AT-4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AT-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AT-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AT-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AT-04"
        ],
        "usa-federal-irs-1075-2021": [
          "AT-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "AT-4",
          "AT-4.a",
          "AT-4.b"
        ],
        "usa-federal-nispom-2020": [
          "§117.12(g)(3)",
          "§117.12(h)(3)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(12)",
          "7123(c)(13)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AT-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AT-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AT-04"
        ],
        "apac-jpn-ismap": [
          "4.5.2.4",
          "4.5.2.5"
        ]
      }
    },
    {
      "control_id": "SAT-05",
      "title": "Security, Compliance & Resilience Knowledge Sharing",
      "family": "SAT",
      "description": "Mechanisms exist to improve knowledge sharing across security, compliance and resilience personnel allowing for:\n(1) Efficient operations; and\n(2) Rapid and effective response to incidents.",
      "scf_question": "Does the organization improve knowledge sharing across security, compliance and resilience personnel allowing for:\n(1) Efficient operations; and\n(2) Rapid and effective response to incidents?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Security Awareness & Training (SAT) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with SAT domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Security awareness and training-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Security awareness and training methods are often generic, without organization-specific content.",
        "2": "Security Awareness & Training (SAT) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Security Awareness & Training-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Security Awareness & Training may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Security Awareness & Training (SAT) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with SAT domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with SAT domain capabilities are well-documented and kept current by process owners.\n▪ A security awareness & training team, or similar function, is appropriately staffed and supported to implement and maintain SAT domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of security awareness and training management (e.g., Computer Based Learning (CBL) solutions, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with SAT domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to improve knowledge sharing across security, compliance and resilience personnel allowing for:\n(1) Efficient operations; and\n(2) Rapid and effective response to incidents.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {},
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Security Awareness & Training",
      "crosswalks": {
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.D"
        ]
      }
    },
    {
      "control_id": "TDA-01",
      "title": "Technology Development & Acquisition",
      "family": "TDA",
      "description": "Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.",
      "scf_question": "Does the organization facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-01",
        "E-TDA-02",
        "E-TDA-08",
        "E-TDA-17"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.\n▪ Development and acquisition management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "medium": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "large": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-26",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.3-POF10",
          "CC5.2",
          "CC5.2-POF4",
          "PI1.2",
          "PI1.3"
        ],
        "general-cis-csc-8-1": [
          "15.7",
          "16.0"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.7"
        ],
        "general-cobit-2019": [
          "APO03.02",
          "APO03.03",
          "APO04.01",
          "BAI03.02"
        ],
        "general-coso-2013": [
          "11"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-01",
          "AIS-04"
        ],
        "general-csa-iot-2": [
          "SET-06"
        ],
        "general-govramp": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "general-govramp-low": [
          "PL-01",
          "SA-01"
        ],
        "general-govramp-low-plus": [
          "PL-01",
          "SA-01"
        ],
        "general-govramp-mod": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "general-govramp-high": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.3"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.3"
        ],
        "general-iso-27002-2022": [
          "8.25",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "14.2.1",
          "14.2.7"
        ],
        "general-iso-27018-2025": [
          "8.25",
          "8.30"
        ],
        "general-iso-31000-2018": [
          "5.5"
        ],
        "general-iso-42001-2023": [
          "A.6.1",
          "A.6.1.3",
          "A.6.2.3"
        ],
        "general-mitre-att&ck-16-1": [
          "T1078",
          "T1078.001",
          "T1078.003",
          "T1078.004",
          "T1134.005",
          "T1574.002"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(e)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.2",
          "GOVERN 3.1",
          "GOVERN 4.2",
          "MANAGE 2.0"
        ],
        "general-nist-800-53-r4": [
          "PL-1",
          "SA-1",
          "SA-4"
        ],
        "general-nist-800-53-r5-2": [
          "PL-01",
          "SA-01",
          "SA-04",
          "SA-23"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-01",
          "SA-01",
          "SA-04",
          "SA-23"
        ],
        "general-nist-800-53-r5-2-low": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "general-nist-800-82-r3": [
          "PL-01",
          "SA-01",
          "SA-04",
          "SA-23"
        ],
        "general-nist-800-82-r3-low": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "general-nist-800-82-r3-mod": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "general-nist-800-82-r3-high": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-23"
        ],
        "general-nist-800-161-r1": [
          "PL-1",
          "SA-1",
          "SA-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "PL-1",
          "SA-1",
          "SA-4"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-1",
          "SA-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-1",
          "SA-1",
          "SA-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-1",
          "SA-4"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-4"
        ],
        "general-nist-800-171-r3": [
          "03.12.01",
          "03.12.03",
          "03.14.01.a",
          "03.16.01",
          "03.17.02"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.01.ODP[01]",
          "A.03.17.02[04]",
          "A.03.17.02[05]",
          "A.03.17.02[06]"
        ],
        "general-nist-800-218": [
          "PO.1",
          "PO.3",
          "PO.3.2",
          "RV.3.4"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-09",
          "PR.PS-06"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2",
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.1"
        ],
        "general-scf-dpmp-2025": [
          "7.0"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d",
          "4.b"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-1",
          "SA-1",
          "SA-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4a",
          "ARCHITECTURE-4b",
          "ARCHITECTURE-4e"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.2",
          "3.2.2"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)",
          "4e(iv)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-01",
          "SA-01",
          "SA-04",
          "SA-23"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-01",
          "SA-01",
          "SA-04",
          "SA-23"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-01",
          "SA-01",
          "SA-04",
          "SA-23"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-01",
          "SA-01",
          "SA-04",
          "SA-23"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(4)"
        ],
        "usa-federal-irs-1075-2021": [
          "PL-1",
          "SA-1",
          "SA-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "PL-1",
          "SA-1",
          "SA-4",
          "SA-4.a",
          "SA-4.b",
          "SA-4.c",
          "SA-4.d",
          "SA-4.e",
          "SA-4.f",
          "SA-4.g",
          "SA-4.h",
          "SA-4-IS.1",
          "SA-4-IS.2",
          "SA-4-IS.2.a",
          "SA-4-IS.2.b",
          "SA-4-IS.2.c",
          "SA-4-IS.2.d",
          "SA-4-IS.2.e"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(i)",
          "500.8(a)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "PL-01",
          "SA-01",
          "SA-04"
        ],
        "emea-eu-ai-act-2024": [
          "Article 14.4"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(67)",
          "3.6.2(74)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.7"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(e)",
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.1.1",
          "6.2.1",
          "6.2.2(c)",
          "6.2.4"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "7.7",
          "7.8",
          "7.9",
          "7.10",
          "7.11",
          "7.12",
          "7.13",
          "7.14"
        ],
        "emea-deu-c5-2020": [
          "DEV-01"
        ],
        "emea-isr-cmo-1-0": [
          "17.1",
          "17.9"
        ],
        "emea-qat-pdppl-2020": [
          "11.4",
          "11.5",
          "11.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-13",
          "2-13-3-1",
          "2-13-3-2",
          "2-13-3-3",
          "2-13-3-4"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3",
          "2-5-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.6"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 19.1",
          "Article 19.2",
          "Article 19.2(a)",
          "Article 19.2(b)",
          "Article 19.2(c)",
          "Article 19.3"
        ],
        "emea-esp-decree-311-2022": [
          "19.1",
          "19.2",
          "19.2(a)",
          "19.2(b)",
          "19.2(c)",
          "19.3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.1.3 [OP.PL.3]",
          "8.6.1 [MP.SW.1]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0938",
          "ISM-1780"
        ],
        "apac-jpn-ismap": [
          "14",
          "14.2",
          "14.2.1",
          "14.2.1.13.PB",
          "14.2.7"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP50",
          "HML50"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP42"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.3.1",
          "5.3.2",
          "6.1.1",
          "6.1.2",
          "6.1.3",
          "6.1.4",
          "6.1.5",
          "6.1.6",
          "6.1.7",
          "6.2.1",
          "6.2.2",
          "6.3.1",
          "6.3.2",
          "6.4.1",
          "6.4.2",
          "6.4.3",
          "6.4.4",
          "6.4.5",
          "6.4.6",
          "6.4.7",
          "6.4.8",
          "6.5.1",
          "6.5.2",
          "6.5.3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.8",
          "4.9"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.01",
          "03.12.03",
          "03.14.01.A",
          "03.16.01",
          "03.17.02"
        ]
      }
    },
    {
      "control_id": "TDA-01.1",
      "title": "Product Management",
      "family": "TDA",
      "description": "Mechanisms exist to design and implement product management processes to proactively govern the design, development and production of Technology Assets, Applications and/or Services (TAAS) across the System Development Life Cycle (SDLC) to:\n(1) Improve functionality;\n(2) Enhance security and resiliency capabilities;\n(3) Correct security deficiencies; and\n(4) Conform with applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization design and implement product management processes to proactively govern the design, development and production of Technology Assets, Applications and/or Services (TAAS) across the System Development Life Cycle (SDLC) to:\n(1) Improve functionality;\n(2) Enhance security and resiliency capabilities;\n(3) Correct security deficiencies; and\n(4) Conform with applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-06",
        "E-TDA-05",
        "E-TDA-06",
        "E-TDA-07",
        "E-TDA-15",
        "E-TDA-17"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.). \n▪ IT and/or cybersecurity personnel use an informal process to govern changes to the software library to prevent unauthorized changes and create an audit trail of changes made.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.\n▪ Development and acquisition management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to design and implement product management processes to proactively govern the design, development and production of Technology Assets, Applications and/or Services (TAAS) across the System Development Life Cycle (SDLC) to:\n(1) Improve functionality;\n(2) Enhance security and resiliency capabilities;\n(3) Correct security deficiencies; and\n(4) Conform with applicable statutory, regulatory and/or contractual obligations.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "medium": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "large": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-26",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "PI1.1-POF1",
          "PI1.1-POF2",
          "PI1.1-POF3"
        ],
        "general-cis-csc-8-1": [
          "15.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.7"
        ],
        "general-cobit-2019": [
          "APO03.02",
          "APO03.03",
          "BAI03.03",
          "BAI03.05",
          "BAI03.10",
          "BAI03.11",
          "BAI04.01",
          "BAI05.02",
          "BAI05.03",
          "BAI05.04",
          "BAI05.05",
          "BAI05.06",
          "BAI06.01",
          "BAI07.07",
          "BAI08.01",
          "BAI08.02",
          "BAI08.03"
        ],
        "general-coso-2013": [
          "11"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.2",
          "4.6.2",
          "4.6.3"
        ],
        "general-iec-62443-4-1-2018": [
          "DM-6",
          "SG-1",
          "SG-1(a)",
          "SG-1(b)",
          "SG-1(c)",
          "SG-2",
          "SG-7",
          "SG-7(a)",
          "SG-7(b)",
          "SG-7(c)"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.10",
          "EDR 3.10",
          "HDR 3.10",
          "NDR 3.10"
        ],
        "general-iso-21434-2021": [
          "RQ-06-04",
          "RQ-06-21",
          "RQ-06-33(a)",
          "RQ-06-34",
          "RQ-06-34(a)",
          "RQ-06-34(b)",
          "RQ-06-34(c)",
          "RQ-10-01",
          "RQ-10-01(a)",
          "RQ-10-01(b)",
          "RQ-10-01(c)",
          "RQ-10-03",
          "RQ-10-04",
          "RQ-10-04(a)",
          "RQ-10-04(b)",
          "RQ-10-04(c)",
          "RQ-10-04(d)",
          "RQ-10-04(e)",
          "RQ-10-04(f)",
          "RQ-10-05",
          "RQ-14-01",
          "14.4.3"
        ],
        "general-iso-42001-2023": [
          "A.6.2",
          "A.6.2.2",
          "A.6.2.7",
          "A.6.2.8"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.2",
          "GOVERN 3.1",
          "GOVERN 4.1",
          "GOVERN 4.2",
          "GOVERN 5.1",
          "GOVERN 5.2",
          "GOVERN 6.0",
          "MAP 2.1",
          "MANAGE 2.0",
          "MANAGE 2.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.2-005",
          "MP-1.1-004",
          "MP-3.4-003",
          "MS-1.1-008"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DP-P1"
        ],
        "general-nist-800-53-r5-2": [
          "SA-23"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-23"
        ],
        "general-nist-800-82-r3": [
          "SA-23"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-23"
        ],
        "general-nist-800-171-r3": [
          "03.12.03"
        ],
        "general-nist-800-218": [
          "PO.1",
          "PO.1.1",
          "PO.1.2",
          "PO.4.2",
          "PW.1.2",
          "PW.4",
          "PW.4.2",
          "PW.5",
          "PW.5.1",
          "PW.6.2",
          "PW.8.1",
          "RV.2.2",
          "RV.3",
          "RV.3.3",
          "RV.3.4"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-09",
          "PR.PS-06"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-ul-2900-1-2017": [
          "7.1",
          "7.1.1",
          "7.1.2",
          "7.1.3",
          "7.1.4",
          "7.1.5",
          "8.1",
          "8.2",
          "8.3",
          "8.3(a)",
          "8.3(b)",
          "8.3(c)",
          "8.3(c)(i)",
          "8.3(c)(ii)",
          "8.3(c)(iii)",
          "8.3(d)",
          "8.3(e)",
          "8.3(f)",
          "8.4",
          "8.4(a)",
          "8.4(b)",
          "8.5",
          "8.6",
          "8.7",
          "8.8",
          "8.9",
          "9.1",
          "10.1",
          "10.2",
          "10.3",
          "10.4",
          "11.1",
          "11.2",
          "11.3",
          "11.4",
          "11.5",
          "11.5(a)",
          "11.5(b)",
          "11.5(c)",
          "11.6",
          "11.6(a)",
          "11.6(b)",
          "11.6(c)",
          "11.7",
          "11.8"
        ],
        "general-ul-2900-2-2-2016": [
          "4.1",
          "5.1",
          "6.1",
          "7.1",
          "8.1",
          "8.4",
          "9.1",
          "9.3",
          "9.4",
          "9.5",
          "10.1",
          "11.1",
          "11.2",
          "11.4(a)",
          "11.4(b)",
          "11.4(c)",
          "12.1",
          "13.1",
          "14.1",
          "15.1.1",
          "15.1.2",
          "16.1",
          "17.1",
          "18.1",
          "19.1"
        ],
        "general-un-155-2021": [
          "3.1",
          "3.2",
          "3.2.1",
          "3.2.2",
          "3.2.3",
          "3.3",
          "3.3(a)",
          "3.3(b)",
          "4.1",
          "4.1.1",
          "4.1.2",
          "4.2",
          "4.3",
          "4.4",
          "5.4",
          "7.2.2.5",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "7.3.4",
          "7.3.5",
          "7.3.6",
          "7.3.7",
          "7.3.7(a)",
          "7.3.7(b)",
          "7.3.7(c)",
          "7.3.8",
          "7.4.1",
          "7.4.2",
          "8.1",
          "8.1.1",
          "8.1.2",
          "8.1.3",
          "9.1",
          "9.1.1",
          "9.1.2",
          "11.1"
        ],
        "general-un-ece-wp-29-2020": [
          "3.1",
          "3.2",
          "3.2.1",
          "3.2.2",
          "3.2.3",
          "3.3",
          "3.3(a)",
          "3.3(b)",
          "4.1",
          "4.1.1",
          "4.1.2",
          "4.2",
          "4.3",
          "4.4",
          "5.4",
          "7.2.2.5",
          "7.3.1",
          "7.3.2",
          "7.3.3",
          "7.3.4",
          "7.3.5",
          "7.3.6",
          "7.3.7",
          "7.3.7(a)",
          "7.3.7(b)",
          "7.3.7(c)",
          "7.3.8",
          "7.4.1",
          "8.1",
          "8.1.1",
          "8.1.2",
          "8.1.3",
          "9.1",
          "9.1.1",
          "9.1.2",
          "11.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d",
          "2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4c"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)",
          "4e(iii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-23"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-23"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-23"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-23"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-state-ca-sb327-2018": [
          "1798.91.04(a)",
          "1798.91.04(a)(1)",
          "1798.91.04(a)(2)",
          "1798.91.04(a)(3)",
          "1798.91.04(b)",
          "1798.91.04(b)(1)",
          "1798.91.04(b)(2)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 14.3(b)"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 5",
          "Article 5.1",
          "Article 5.2",
          "Article 10.1",
          "Article 10.5",
          "Article 10.6",
          "Article 10.9",
          "Article 10.10",
          "Article 10.11",
          "Article 13.1",
          "Article 13.2",
          "Article 13.2(a)",
          "Article 13.2(b)",
          "Article 13.2(c)",
          "Article 13.3",
          "Article 13.4",
          "Article 13.5",
          "Article 13.6",
          "Article 14.1",
          "Article 14.2",
          "Article 14.2(a)",
          "Article 14.2(b)",
          "Article 14.3",
          "Article 14.4"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.1(3)(j)",
          "Annex 1.2(2)",
          "Annex 2.1",
          "Annex 2.2",
          "Annex 2.3",
          "Annex 2.4",
          "Annex 2.5",
          "Annex 2.6",
          "Annex 2.7",
          "Annex 2.8",
          "Annex 2.9",
          "Annex 2.9(a)",
          "Annex 2.9(b)",
          "Annex 2.9(c)",
          "Annex 2.9(d)",
          "Annex 6 Module A.3",
          "Annex 6 Module A.4.1",
          "Annex 6 Module C.2.1",
          "Annex 6 Module C.3.1",
          "Annex 6 Module H.2",
          "Annex 6 Module H.3.2",
          "Annex 6 Module H.3.4",
          "Annex 6 Module H.5.1",
          "Annex 6 Module H.5.2",
          "Annex 6 Module H.6"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(68)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.7"
        ],
        "emea-deu-bsrit-2017": [
          "7.7",
          "7.8",
          "7.9",
          "7.10",
          "7.11",
          "7.12",
          "7.13",
          "7.14"
        ],
        "emea-isr-cmo-1-0": [
          "17.9"
        ],
        "emea-qat-pdppl-2020": [
          "11.4",
          "11.5",
          "11.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-13-1",
          "2-13-2",
          "2-13-3-1",
          "2-13-3-2",
          "2-13-3-3",
          "2-13-3-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1-2",
          "4-1-1-1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1796",
          "ISM-1797",
          "ISM-1798"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 22",
          "Article 46",
          "Article 48"
        ],
        "apac-jpn-ismap": [
          "14.1.1",
          "14.2.7.11"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP50",
          "HML50"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP42"
        ],
        "apac-nzl-ism-3-9": [
          "12.1.31.C.01",
          "12.1.32.C.01",
          "12.1.32.C.02",
          "12.1.32.C.03",
          "12.1.33.C.01",
          "12.1.34.C.01",
          "12.1.34.C.02",
          "12.1.35.C.01",
          "12.1.36.C.01",
          "12.1.37.C.01",
          "12.4.3.C.01",
          "12.4.4.C.01",
          "12.4.4.C.02",
          "12.4.4.C.03",
          "12.4.4.C.04",
          "12.4.4.C.05",
          "12.4.4.C.06",
          "12.4.5.C.01",
          "12.4.6.C.01",
          "12.4.7.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.8.1",
          "5.8.2",
          "7.6.1",
          "7.6.2",
          "14.4.1",
          "14.4.2",
          "14.4.3"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.03"
        ]
      }
    },
    {
      "control_id": "TDA-01.2",
      "title": "Integrity Mechanisms for Software / Firmware Updates",
      "family": "TDA",
      "description": "Mechanisms exist to utilize integrity validation mechanisms for security updates.",
      "scf_question": "Does the organization utilize integrity validation mechanisms for security updates?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-TDA-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize integrity validation mechanisms for security updates.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Checksum comparison",
        "small": "∙ Checksum comparison",
        "medium": "∙ Checksum comparison\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "large": "∙ Checksum comparison\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)",
        "enterprise": "∙ Checksum comparison\n∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)\n∙ Netwrix Auditor (https://netrix.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-172": [
          "3.14.1e",
          "3.14.7e"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-09"
        ],
        "general-owasp-top-10-2025": [
          "A08:2025"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "SI.L3-3.14.1E"
        ]
      }
    },
    {
      "control_id": "TDA-01.3",
      "title": "Malware Testing Prior to Release",
      "family": "TDA",
      "description": "Mechanisms exist to utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update.",
      "scf_question": "Does the organization utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update.",
        "4": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review security requirements before buying/building software",
        "small": "∙ Security requirements in software acquisition checklist",
        "medium": "∙ Formal security requirements process for technology acquisition",
        "large": "∙ Enterprise technology acquisition security standards\n∙ Formal security review",
        "enterprise": "∙ Enterprise technology acquisition security program\n∙ Automated security assessment in procurement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-ul-2900-1-2017": [
          "14.1",
          "14.2"
        ],
        "general-ul-2900-2-2-2016": [
          "14.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "control_id": "TDA-01.4",
      "title": "DevSecOps",
      "family": "TDA",
      "description": "Mechanisms exist to integrate security, compliance and resilience into Development, Security and Operations (DevSecOps) to prioritize secure practices throughout the Software Development Lifecycle (SDLC).",
      "scf_question": "Does the organization integrate security, compliance and resilience into Development, Security and Operations (DevSecOps) to prioritize secure practices throughout the Software Development Lifecycle (SDLC)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ IT and/or cybersecurity personnel use an informal process to govern changes to the software library to prevent unauthorized changes and create an audit trail of changes made.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to integrate security, compliance and resilience into Development, Security and Operations (DevSecOps) to prioritize secure practices throughout the Software Development Lifecycle (SDLC).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "medium": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "large": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.2.1",
          "3.2.2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "control_id": "TDA-02",
      "title": "Minimum Viable Product (MVP) Security Requirements",
      "family": "TDA",
      "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
      "scf_question": "Does the organization design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "4": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "small": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "medium": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "large": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.2",
          "PI1.1-POF1",
          "PI1.1-POF2",
          "PI1.1-POF3"
        ],
        "general-cis-csc-8-1": [
          "16.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.4"
        ],
        "general-cobit-2019": [
          "BAI03.03",
          "BAI03.05"
        ],
        "general-coso-2013": [
          "11"
        ],
        "general-csa-iot-2": [
          "SDV-07"
        ],
        "general-govramp": [
          "SA-04"
        ],
        "general-govramp-mod": [
          "SA-04"
        ],
        "general-govramp-high": [
          "SA-04"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.2",
          "4.6.2",
          "4.6.3"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-11",
          "SR-1",
          "SR-4",
          "SR-4(a)",
          "SR-4(b)"
        ],
        "general-iso-27002-2022": [
          "8.25",
          "8.29",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "14.2.9"
        ],
        "general-iso-27018-2025": [
          "8.25",
          "8.29",
          "8.30"
        ],
        "general-iso-42001-2023": [
          "A.6.2.2"
        ],
        "general-nist-800-53-r4": [
          "SA-4"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-04"
        ],
        "general-nist-800-82-r3": [
          "SA-04"
        ],
        "general-nist-800-82-r3-low": [
          "SA-04"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-04"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04"
        ],
        "general-nist-800-161-r1": [
          "SA-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-4"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-4"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-4"
        ],
        "general-nist-800-171-r3": [
          "03.16.01"
        ],
        "general-nist-800-218": [
          "PO.1",
          "PO.1.1",
          "PO.1.2",
          "PW.1.2",
          "PW.1.3",
          "PW.2",
          "PW.4.4",
          "PW.5.1",
          "PW.9.1",
          "PW.9.2"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d",
          "1.e"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4b",
          "ARCHITECTURE-4c",
          "ARCHITECTURE-4e"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)",
          "4e(i)(E)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-04"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-04"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.1(1)",
          "Annex 1.1(3)(b)",
          "Annex 1.1(3)(c)",
          "Annex 1.1(3)(d)",
          "Annex 1.1(3)(f)",
          "Annex 1.1(3)(g)",
          "Annex 1.1(3)(i)",
          "Annex 6 Module A.3"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(68)"
        ],
        "emea-deu-bsrit-2017": [
          "7.7"
        ],
        "emea-deu-c5-2020": [
          "DEV-02"
        ],
        "emea-sau-cscc-1-2019": [
          "2-13-1",
          "2-13-2",
          "2-13-3-1",
          "2-13-3-2",
          "2-13-3-3",
          "2-13-3-4"
        ],
        "apac-jpn-ismap": [
          "14.1.1.2",
          "14.1.1.3",
          "14.1.1.4",
          "14.1.1.5",
          "14.1.1.6",
          "14.1.1.7",
          "14.1.1.8",
          "14.1.1.9",
          "14.1.1.10",
          "14.1.1.11",
          "14.1.1.16",
          "14.2.1.3"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP31",
          "HML31"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.3.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.01"
        ]
      }
    },
    {
      "control_id": "TDA-02.1",
      "title": "Ports, Protocols & Services In Use",
      "family": "TDA",
      "description": "Mechanisms exist to require the developers of Technology Assets, Applications and/or Services (TAAS) to identify early in the Secure Development Life Cycle (SDLC), the functions, ports, protocols and services intended for use.",
      "scf_question": "Does the organization require the developers of Technology Assets, Applications and/or Services (TAAS) to identify early in the Secure Development Life Cycle (SDLC), the functions, ports, protocols and services intended for use?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-06",
        "E-TDA-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require the developers of Technology Assets, Applications and/or Services (TAAS) to identify early in the Secure Development Life Cycle (SDLC), the functions, ports, protocols and services intended for use.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance",
        "small": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance",
        "medium": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance",
        "large": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance",
        "enterprise": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "12.6",
          "16.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.6",
          "16.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.6",
          "16.4"
        ],
        "general-govramp": [
          "SA-04(09)"
        ],
        "general-govramp-high": [
          "SA-04(09)"
        ],
        "general-nist-800-53-r4": [
          "SA-4(9)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04(09)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SA-04(09)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(09)"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-04(09)"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04(09)"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-4(9)"
        ],
        "general-nist-800-218": [
          "PW.4.4"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.4"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-4(9)"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04(09)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04(09)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-4(CE-9)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-4(9)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-04 (09)"
        ],
        "emea-isr-cmo-1-0": [
          "12.9",
          "12.29"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-5",
          "2-15-3-3"
        ],
        "apac-nzl-ism-3-9": [
          "18.1.15.C.01",
          "18.1.15.C.02",
          "18.1.15.C.03",
          "18.1.15.C.04"
        ]
      }
    },
    {
      "control_id": "TDA-02.2",
      "title": "Information Assurance Enabled Products",
      "family": "TDA",
      "description": "Mechanisms exist to limit the use of commercially-provided Information Assurance (IA) and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile or the cryptographic module is FIPS-validated or NSA-approved.",
      "scf_question": "Does the organization limit the use of commercially-provided Information Assurance (IA) and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile or the cryptographic module is FIPS-validated or NSA-approved?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit the use of commercially-provided Information Assurance (IA) and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile or the cryptographic module is FIPS-validated or NSA-approved.",
        "4": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review code for obvious security issues before release",
        "small": "∙ Basic code review with security focus before release",
        "medium": "∙ Formal secure code review process (manual + automated SAST)",
        "large": "∙ Enterprise SAST program (e.g., Checkmarx, Veracode)\n∙ Mandatory code reviews with security gates",
        "enterprise": "∙ Enterprise DevSecOps with SAST/DAST automation (e.g., Veracode, Checkmarx)\n∙ Security gates in CI/CD pipeline"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-govramp": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "general-govramp-core": [
          "IA-02(01)"
        ],
        "general-govramp-low": [
          "IA-02(01)"
        ],
        "general-govramp-low-plus": [
          "IA-02(01)"
        ],
        "general-govramp-mod": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-govramp-high": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "general-nist-800-53-r4": [
          "SA-4(10)",
          "IA-5(11)"
        ],
        "general-nist-800-53-r5-2": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(07)",
          "SA-04(10)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IA-02(01)",
          "IA-02(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "general-nist-800-82-r3": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(07)",
          "SA-04(10)"
        ],
        "general-nist-800-82-r3-low": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "general-nist-800-82-r3-mod": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "general-nist-800-82-r3-high": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "general-nist-800-161-r1": [
          "SA-4(7)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-4(7)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-4(7)"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-4(10)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IA-2(1)",
          "IA-2(2)",
          "SA-4(10)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IA-02(01)",
          "IA-02(02)",
          "SA-04(10)"
        ],
        "usa-federal-irs-1075-2021": [
          "IA-2(CE-1)",
          "IA-2(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "IA-2(1)",
          "IA-2(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IA-02(1)",
          "IA-02(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IA-02 (01)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IA-02 (01)"
        ]
      }
    },
    {
      "control_id": "TDA-02.3",
      "title": "Development Methods, Techniques & Processes",
      "family": "TDA",
      "description": "Mechanisms exist to require software developers to ensure that their software development processes employ industry-recognized secure practices for secure programming, engineering methods, quality control processes and validation techniques to minimize flawed and/or malformed software.",
      "scf_question": "Does the organization require software developers to ensure that their software development processes employ industry-recognized secure practices for secure programming, engineering methods, quality control processes and validation techniques to minimize flawed and/or malformed software?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require software developers to ensure that their software development processes employ industry-recognized secure practices for secure programming, engineering methods, quality control processes and validation techniques to minimize flawed and/or malformed software.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management",
        "small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management",
        "medium": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management",
        "large": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.1"
        ],
        "general-cobit-2019": [
          "BAI03.12"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-04"
        ],
        "general-csa-iot-2": [
          "SDV-07"
        ],
        "general-iso-27002-2022": [
          "8.25",
          "8.29"
        ],
        "general-iso-27017-2015": [
          "14.2.9"
        ],
        "general-iso-27018-2025": [
          "8.25",
          "8.29"
        ],
        "general-iso-42001-2023": [
          "A.6.1.3",
          "A.6.2.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.1",
          "GOVERN 4.2"
        ],
        "general-nist-800-53-r4": [
          "SA-4(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04(03)",
          "SR-03(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-04(03)",
          "SR-03(01)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(03)",
          "SR-03(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-03(01)"
        ],
        "general-nist-800-161-r1": [
          "SR-3(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-3(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-3(1)"
        ],
        "general-nist-800-171-r3": [
          "03.16.01"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.01.ODP[01]",
          "A.03.16.01"
        ],
        "general-nist-800-218": [
          "PO.1",
          "PO.3",
          "PO.3.1",
          "PO.3.2",
          "PO.3.3",
          "PO.4.2",
          "PW.2",
          "PW.5",
          "PW.6.1",
          "RV.1",
          "RV.2"
        ],
        "general-owasp-top-10-2025": [
          "A04:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2",
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.1"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "2"
        ],
        "usa-federal-eo-14028": [
          "4e(iii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-04(03)",
          "SR-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04(03)",
          "SR-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04(03)",
          "SR-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-04(03)",
          "SR-03(01)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 14.1"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)",
          "3.6.2(74)"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.6.1 [MP.SW.1]"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.4",
          "6.1.5",
          "6.1.6",
          "6.1.7"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.3",
          "2.4.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.01"
        ]
      }
    },
    {
      "control_id": "TDA-02.4",
      "title": "Pre-Established Secure Configurations",
      "family": "TDA",
      "description": "Mechanisms exist to ensure vendors / manufacturers:\n(1) Deliver the Technology Asset, Application and/or Service (TAAS) with a pre-established, secure configuration implemented; and\n(2) Use the pre-established, secure configuration as the default for any subsequent TAAS reinstallation or upgrade.",
      "scf_question": "Does the organization ensure vendors / manufacturers:\n (1) Deliver the Technology Asset, Application and/or Service (TAAS) with a pre-established, secure configuration implemented; and\n (2) Use the pre-established, secure configuration as the default for any subsequent TAAS reinstallation or upgrade?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure vendors / manufacturers:\n(1) Deliver the Technology Asset, Application and/or Service (TAAS) with a pre-established, secure configuration implemented; and\n(2) Use the pre-established, secure configuration as the default for any subsequent TAAS reinstallation or upgrade.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management",
        "small": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management",
        "medium": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management",
        "large": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Secure Baseline Configurations (SBC)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SA-04(05)"
        ],
        "general-nist-800-53-r5-2-high": [
          "SA-04(05)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(05)"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04(05)"
        ],
        "general-nist-800-161-r1": [
          "SA-4(5)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-4(5)"
        ],
        "general-nist-800-171-r3": [
          "03.16.01"
        ],
        "general-nist-800-218": [
          "PW.4",
          "PW.5.1",
          "PW.9.1",
          "PW.9.2"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.e"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(E)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04(05)"
        ],
        "usa-state-ca-sb327-2018": [
          "1798.91.04(b)(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.1(3)(a)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1798"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.01"
        ]
      }
    },
    {
      "control_id": "TDA-02.5",
      "title": "Identification & Justification of Ports, Protocols & Services",
      "family": "TDA",
      "description": "Mechanisms exist to require process owners to identify, document and justify the business need for the ports, protocols and other services necessary to operate their technology solutions.",
      "scf_question": "Does the organization require process owners to identify, document and justify the business need for the ports, protocols and other services necessary to operate their technology solutions?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-06",
        "E-TDA-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require process owners to identify, document and justify the business need for the ports, protocols and other services necessary to operate their technology solutions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance",
        "small": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance",
        "medium": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance",
        "large": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance",
        "enterprise": "∙ Defined & documented Ports, Protocols & Services (PPS) to support \"least functionality\" governance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.4"
        ],
        "general-nist-800-218": [
          "PO.3.3",
          "PW.4.4"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.5"
        ],
        "emea-sau-cgiot-2024": [
          "2-15-1"
        ]
      }
    },
    {
      "control_id": "TDA-02.6",
      "title": "Insecure Ports, Protocols & Services",
      "family": "TDA",
      "description": "Mechanisms exist to mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions.",
      "scf_question": "Does the organization mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.6"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.6"
        ],
        "general-nist-800-218": [
          "PW.2",
          "PW.4.4"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.6",
          "2.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.6",
          "2.2.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.6"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.6",
          "2.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.6",
          "2.2.5"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "control_id": "TDA-02.7",
      "title": "Security, Compliance & Resilience Representatives For Product Changes",
      "family": "TDA",
      "description": "Mechanisms exist to include appropriate security, compliance and resilience representatives in the product feature and/or functionality change control review process.",
      "scf_question": "Does the organization include appropriate security, compliance and resilience representatives in the product feature and/or functionality change control review process?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include appropriate security, compliance and resilience representatives in the product feature and/or functionality change control review process.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Data Protection Impact Assessment (DPIA)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "small": "∙ Data Protection Impact Assessment (DPIA)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements",
        "medium": "∙ Data Protection Impact Assessment (DPIA)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "large": "∙ Data Protection Impact Assessment (DPIA)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Data Protection Impact Assessment (DPIA)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-iec-62443-4-1-2018": [
          "SR-5",
          "SR-5(a)",
          "SR-5(b)",
          "SR-5(c)",
          "SR-5(d)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-10(07)"
        ],
        "general-nist-800-82-r3": [
          "SA-10(07)"
        ],
        "general-nist-800-218": [
          "PW.2",
          "RV.1",
          "RV.3.4"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-10(CE-7)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)"
        ]
      }
    },
    {
      "control_id": "TDA-02.8",
      "title": "Minimizing Attack Surfaces",
      "family": "TDA",
      "description": "Mechanisms exist to minimize the attack surface of Technology Assets, Applications and/or Services (TAAS) by reasonably mitigating known exploitable vulnerabilities.",
      "scf_question": "Does the organization minimize the attack surface of Technology Assets, Applications and/or Services (TAAS) by reasonably mitigating known exploitable vulnerabilities?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to minimize the attack surface of Technology Assets, Applications and/or Services (TAAS) by reasonably mitigating known exploitable vulnerabilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Formal API security testing in development process",
        "large": "∙ Enterprise API security testing program (e.g., 42Crunch, Salt Security)",
        "enterprise": "∙ Enterprise API security platform (e.g., 42Crunch, Salt Security, Noname)\n∙ Automated API security testing in CI/CD"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.1(2)",
          "Annex 1.1(3)(h)"
        ]
      }
    },
    {
      "control_id": "TDA-02.9",
      "title": "Ongoing Product Security Support",
      "family": "TDA",
      "description": "Mechanisms exist to deliver security updates to Technology Assets, Applications and/or Services (TAAS), where applicable, through:\n(1) Automatic updates; and\n(2) Notification of available updates to affected users.",
      "scf_question": "Does the organization deliver security updates to Technology Assets, Applications and/or Services (TAAS), where applicable, through:\n(1) Automatic updates; and\n(2) Notification of available updates to affected users?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to deliver security updates to Technology Assets, Applications and/or Services (TAAS), where applicable, through:\n(1) Automatic updates; and\n(2) Notification of available updates to affected users.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "large": "∙ Formal threat modeling for enterprise applications",
        "enterprise": "∙ Enterprise threat modeling program (e.g., Microsoft Threat Modeling Tool)\n∙ Automated threat model generation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-iec-62443-4-1-2018": [
          "SUM-2",
          "SUM-2(a)",
          "SUM-2(b)",
          "SUM-2(c)",
          "SUM-2(d)",
          "SUM-2(e)",
          "SUM-4",
          "SUM-5",
          "SUM-5(a)",
          "SUM-5(b)",
          "SUM-5(c)",
          "SUM-5(d)",
          "SUM-5(e)"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 10.6"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.1(3)(k)",
          "Annex 1.2(2)",
          "Annex 1.2(7)",
          "Annex 1.2(8)"
        ]
      }
    },
    {
      "control_id": "TDA-02.10",
      "title": "Product Testing & Reviews",
      "family": "TDA",
      "description": "Mechanisms exist to regularly review Technology Assets, Applications and/or Services (TAAS) for an appropriate level of security and resiliency based on applicable risks and threats.",
      "scf_question": "Does the organization regularly review Technology Assets, Applications and/or Services (TAAS) for an appropriate level of security and resiliency based on applicable risks and threats?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to regularly review Technology Assets, Applications and/or Services (TAAS) for an appropriate level of security and resiliency based on applicable risks and threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "large": "∙ Formal security architecture review for enterprise technology",
        "enterprise": "∙ Enterprise security architecture review board\n∙ Automated architecture analysis tools"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR8.3.1"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-11(a)",
          "SM-11(b)",
          "SM-11(c)",
          "SM-11(d)",
          "SM-11(e)",
          "SM-12",
          "SUM-1",
          "SUM-1(1)",
          "SUM-1(2)",
          "SUM-1(2)(a)",
          "SUM-1(2)(b)",
          "SUM-1(2)(c)"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.2(3)"
        ]
      }
    },
    {
      "control_id": "TDA-02.11",
      "title": "Disclosure of Vulnerabilities",
      "family": "TDA",
      "description": "Mechanisms exist to disclose information about vulnerabilities to relevant stakeholders, including:\n(1) A description of the vulnerability(ies);\n(2) Affected product(s) and/or service(s);\n(3) Potential impact of the vulnerability(ies);\n(4) Severity of the vulnerability(ies); and\n(5) Guidance to remediate the vulnerability(ies).",
      "scf_question": "Does the organization disclose information about vulnerabilities to relevant stakeholders, including:\n(1) A description of the vulnerability(ies);\n(2) Affected product(s) and/or service(s);\n(3) Potential impact of the vulnerability(ies);\n(4) Severity of the vulnerability(ies); and\n(5) Guidance to remediate the vulnerability(ies)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to disclose information about vulnerabilities to relevant stakeholders, including:\n(1) A description of the vulnerability(ies);\n(2) Affected product(s) and/or service(s);\n(3) Potential impact of the vulnerability(ies);\n(4) Severity of the vulnerability(ies); and\n(5) Guidance to remediate the vulnerability(ies).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "large": "∙ Red team exercises for critical applications",
        "enterprise": "∙ Enterprise red team program\n∙ Regular adversarial simulation exercises"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-iec-62443-4-1-2018": [
          "DM-5",
          "DM-5(a)",
          "DM-5(b)"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-013-2 1.2.4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(6)",
          "7123(c)(14)"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 11.7"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.2(4)",
          "Annex 1.2(6)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.10.2(e)"
        ]
      }
    },
    {
      "control_id": "TDA-02.12",
      "title": "Products With Digital Elements",
      "family": "TDA",
      "description": "Mechanisms exist to categorize applicable security and resiliency requirements for products and/or services with digital elements.",
      "scf_question": "Does the organization categorize applicable security and resiliency requirements for products and/or services with digital elements?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to categorize applicable security and resiliency requirements for products and/or services with digital elements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise bug bounty program (e.g., HackerOne, Bugcrowd)\n∙ Coordinated vulnerability disclosure"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 3 Class 1.1",
          "Annex 3 Class 1.2",
          "Annex 3 Class 1.3",
          "Annex 3 Class 1.4",
          "Annex 3 Class 1.5",
          "Annex 3 Class 1.6",
          "Annex 3 Class 1.7",
          "Annex 3 Class 1.8",
          "Annex 3 Class 1.9",
          "Annex 3 Class 1.10",
          "Annex 3 Class 1.11",
          "Annex 3 Class 1.12",
          "Annex 3 Class 1.13",
          "Annex 3 Class 1.14",
          "Annex 3 Class 1.15",
          "Annex 3 Class 1.16",
          "Annex 3 Class 1.17",
          "Annex 3 Class 1.18",
          "Annex 3 Class 1.19",
          "Annex 3 Class 1.20",
          "Annex 3 Class 1.21",
          "Annex 3 Class 1.22",
          "Annex 3 Class 1.23",
          "Annex 3 Class 2.1",
          "Annex 3 Class 2.2",
          "Annex 3 Class 2.3",
          "Annex 3 Class 2.4",
          "Annex 3 Class 2.5",
          "Annex 3 Class 2.6",
          "Annex 3 Class 2.7",
          "Annex 3 Class 2.8",
          "Annex 3 Class 2.9",
          "Annex 3 Class 2.10",
          "Annex 3 Class 2.11",
          "Annex 3 Class 2.12",
          "Annex 3 Class 2.13",
          "Annex 3 Class 2.14",
          "Annex 3 Class 2.15"
        ]
      }
    },
    {
      "control_id": "TDA-02.13",
      "title": "Reporting Exploitable Vulnerabilities",
      "family": "TDA",
      "description": "Mechanisms exist to notify applicable stakeholders about potentially exploitable vulnerabilities in organization-developed Technology Assets, Applications and/or Services (TAAS), as required by statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization notify applicable stakeholders about potentially exploitable vulnerabilities in organization-developed Technology Assets, Applications and/or Services (TAAS), as required by statutory, regulatory and/or contractual obligations?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to notify applicable stakeholders about potentially exploitable vulnerabilities in organization-developed Technology Assets, Applications and/or Services (TAAS), as required by statutory, regulatory and/or contractual obligations.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise formal verification for highest-assurance systems"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(6)",
          "7123(c)(14)"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 11.1"
        ]
      }
    },
    {
      "control_id": "TDA-02.14",
      "title": "Logging Syntax",
      "family": "TDA",
      "description": "Mechanisms exist to require system developers to use an industry-defined secure logging format to generate event logs for specified event types at organization-defined level of detail.",
      "scf_question": "Does the organization require system developers to use an industry-defined secure logging format to generate event logs for specified event types at organization-defined level of detail?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require system developers to use an industry-defined secure logging format to generate event logs for specified event types at organization-defined level of detail.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise assurance case development for highest-assurance systems"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SA-15(13)"
        ],
        "general-nist-800-82-r3": [
          "SA-15(13)"
        ]
      }
    },
    {
      "control_id": "TDA-03",
      "title": "Commercial Off-The-Shelf (COTS) Security Solutions",
      "family": "TDA",
      "description": "Mechanisms exist to utilize only Commercial Off-the-Shelf (COTS) security products.",
      "scf_question": "Does the organization utilize only Commercial Off-the-Shelf (COTS) security products?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.\n▪ An application development team, or similar function, custom-develops business-critical TAAS, when Commercial Off The Shelf (COTS) solutions are unavailable.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize only Commercial Off-the-Shelf (COTS) security products.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)\n∙ Data governance program",
        "enterprise": "∙ Product / project management\n∙ Data Protection Impact Assessment (DPIA)\n∙ Data governance program"
      },
      "risks": [
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-iso-21434-2021": [
          "RQ-06-21",
          "RQ-06-21(a)",
          "RQ-06-21(b)"
        ],
        "general-nist-800-53-r4": [
          "SA-4(6)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04(06)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(06)"
        ],
        "general-nist-800-171-r3": [
          "03.16.01"
        ],
        "general-nist-800-218": [
          "PW.4",
          "PW.4.1"
        ],
        "general-sparta": [
          "CM0007"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.3.3",
          "6.1.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.01"
        ]
      }
    },
    {
      "control_id": "TDA-03.1",
      "title": "Supplier Diversity",
      "family": "TDA",
      "description": "Mechanisms exist to obtain security, compliance and resilience technologies from different suppliers to minimize supply chain risk.",
      "scf_question": "Does the organization obtain security, compliance and resilience technologies from different suppliers to minimize supply chain risk?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain security, compliance and resilience technologies from different suppliers to minimize supply chain risk.",
        "4": "In addition to Technology Development & Acquisition (TDA) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "PL-8(2)"
        ],
        "general-nist-800-53-r5-2": [
          "PL-08(02)",
          "SR-03(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SR-03(01)"
        ],
        "general-nist-800-82-r3": [
          "PL-08(02)",
          "SR-03(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PL-08(02)",
          "SR-03(01)"
        ],
        "general-nist-800-161-r1": [
          "PL-8(2)",
          "SR-3(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-8(2)",
          "SR-3(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "PL-8(2)",
          "SR-3(1)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-03(01)"
        ]
      }
    },
    {
      "control_id": "TDA-04",
      "title": "Documentation Requirements",
      "family": "TDA",
      "description": "Mechanisms exist to obtain, protect and distribute administrator documentation for Technology Assets, Applications and/or Services (TAAS) that describe:\n(1) Secure configuration, installation and operation of the TAAS;\n(2) Effective use and maintenance of security features/functions; and\n(3) Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions.",
      "scf_question": "Does the organization obtain, protect and distribute administrator documentation for Technology Assets, Applications and/or Services (TAAS) that describe:\n (1) Secure configuration, installation and operation of the TAAS;\n (2) Effective use and maintenance of security features/functions; and\n (3) Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-06",
        "E-TDA-06",
        "E-TDA-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain, protect and distribute administrator documentation for Technology Assets, Applications and/or Services (TAAS) that describe:\n(1) Secure configuration, installation and operation of the TAAS;\n(2) Effective use and maintenance of security features/functions; and\n(3) Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions.",
        "4": "In addition to Technology Development & Acquisition (TDA) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-3",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-govramp": [
          "SA-05"
        ],
        "general-govramp-low": [
          "SA-05"
        ],
        "general-govramp-low-plus": [
          "SA-05"
        ],
        "general-govramp-mod": [
          "SA-05"
        ],
        "general-govramp-high": [
          "SA-05"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "6(a)",
          "6(b)",
          "6(c)",
          "6(d)",
          "6(e)",
          "6(f)",
          "6(g)",
          "6(h)",
          "6(i)",
          "6(j)",
          "6(k)",
          "6(l)",
          "6(m)",
          "6(n)",
          "6(o)",
          "6(p)",
          "6(q)",
          "6(r)",
          "6(s)",
          "6(t)",
          "6(u)",
          "6(v)"
        ],
        "general-iec-62443-4-1-2018": [
          "SG-3",
          "SG-3(a)",
          "SG-3(b)",
          "SG-3(c)",
          "SG-3(d)",
          "SG-3(d)(1)",
          "SG-3(d)(2)",
          "SG-3(d)(3)",
          "SG-3(e)",
          "SG-3(f)",
          "SG-3(g)",
          "SG-3(h)",
          "SG-4",
          "SG-4(a)",
          "SG-4(b)",
          "SG-4(c)",
          "SG-4(d)",
          "SG-5",
          "SG-5(a)",
          "SG-5(b)",
          "SG-6",
          "SG-6(a)",
          "SG-6(b)"
        ],
        "general-iso-21434-2021": [
          "RQ-06-21(c)"
        ],
        "general-iso-42001-2023": [
          "A.6.2.7",
          "A.6.2.8"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.17",
          "TS-1.18"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.2"
        ],
        "general-nist-800-53-r4": [
          "SA-5"
        ],
        "general-nist-800-53-r5-2": [
          "SA-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-05"
        ],
        "general-nist-800-82-r3": [
          "SA-05"
        ],
        "general-nist-800-82-r3-low": [
          "SA-05"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-05"
        ],
        "general-nist-800-82-r3-high": [
          "SA-05"
        ],
        "general-nist-800-161-r1": [
          "CM-8(10)",
          "SA-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(10)",
          "SA-5"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-5"
        ],
        "general-nist-800-218": [
          "PO.3.3",
          "PS.3.2",
          "RV.1.1"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-ul-2900-1-2017": [
          "4.1",
          "4.1(a)",
          "5.1",
          "5.1(a)",
          "5.1(b)",
          "6.1",
          "6.2",
          "6.3",
          "6.4",
          "6.5",
          "6.6",
          "6.7",
          "6.8",
          "6.9",
          "6.10"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-05"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-5",
          "SA-5.a",
          "SA-5.a.1",
          "SA-5.a.2",
          "SA-5.a.3",
          "SA-5.b",
          "SA-5.b.1",
          "SA-5.b.2",
          "SA-5.b.3",
          "SA-5.c",
          "SA-5-IS.1",
          "SA-5-IS.2",
          "SA-5-IS.3",
          "SA-5-IS.4"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-05"
        ],
        "emea-eu-ai-act-2024": [
          "Article 11.1"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(73)"
        ],
        "emea-deu-c5-2020": [
          "DEV-02"
        ],
        "emea-isr-cmo-1-0": [
          "17.6",
          "17.10"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1-2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1798"
        ],
        "apac-jpn-ismap": [
          "14.1.1.15",
          "14.2.7.10"
        ],
        "apac-nzl-ism-3-9": [
          "3.4.10.C.01",
          "3.4.10.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.4"
        ]
      }
    },
    {
      "control_id": "TDA-04.1",
      "title": "Functional Properties",
      "family": "TDA",
      "description": "Mechanisms exist to require software developers to provide information describing the functional properties of the security, compliance and resilience controls to be utilized within Technology Assets, Applications and/or Services (TAAS) in sufficient detail to permit analysis and testing of the controls.",
      "scf_question": "Does the organization require software developers to provide information describing the functional properties of the security, compliance and resilience controls to be utilized within Technology Assets, Applications and/or Services (TAAS) in sufficient detail to permit analysis and testing of the controls?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-06",
        "E-TDA-06",
        "E-TDA-10",
        "E-TDA-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require software developers to provide information describing the functional properties of the security, compliance and resilience controls to be utilized within Technology Assets, Applications and/or Services (TAAS) in sufficient detail to permit analysis and testing of the controls.",
        "4": "In addition to Technology Development & Acquisition (TDA) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-govramp": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-govramp-mod": [
          "SA-04(01)"
        ],
        "general-govramp-high": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-iec-62443-4-1-2018": [
          "SR-3"
        ],
        "general-nist-800-53-r4": [
          "SA-4(1)",
          "SA-4(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "general-nist-800-161-r1": [
          "CM-8(10)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(10)"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-4(1)",
          "NFO - SA-4(2)"
        ],
        "general-nist-800-218": [
          "PO.3.3",
          "RV.1.1"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-ul-2900-1-2017": [
          "4.1(b)",
          "4.1(b)(1)",
          "4.1(b)(2)",
          "4.1(b)(3)",
          "4.1(b)(4)"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-4(1)",
          "SA-4(2)"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-04(01)",
          "SA-04(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-4(CE-1)",
          "SA-4(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-4(1)",
          "SA-4(2)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-04 (01)",
          "SA-04 (02)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)"
        ],
        "emea-deu-c5-2020": [
          "DEV-02"
        ],
        "emea-isr-cmo-1-0": [
          "17.6",
          "17.10"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1798"
        ]
      }
    },
    {
      "control_id": "TDA-04.2",
      "title": "Software Bill of Materials (SBOM)",
      "family": "TDA",
      "description": "Mechanisms exist to generate, or obtain, a Software Bill of Materials (SBOM) for Technology Assets, Applications and/or Services (TAAS) that lists software packages in use, including versions and applicable licenses.",
      "scf_question": "Does the organization generate, or obtain, a Software Bill of Materials (SBOM) for Technology Assets, Applications and/or Services (TAAS) that lists software packages in use, including versions and applicable licenses?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to generate, or obtain, a Software Bill of Materials (SBOM) for Technology Assets, Applications and/or Services (TAAS) that lists software packages in use, including versions and applicable licenses.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Software Bill of Materials (SBOM)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "small": "∙ Software Bill of Materials (SBOM)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "medium": "∙ Software Bill of Materials (SBOM)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "large": "∙ Software Bill of Materials (SBOM)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "enterprise": "∙ Software Bill of Materials (SBOM)\n∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.2",
          "16.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.2",
          "16.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.2",
          "16.4"
        ],
        "general-csa-cmm-4-1-0": [
          "STA-09"
        ],
        "general-csa-iot-2": [
          "SDV-02"
        ],
        "general-iec-62443-4-1-2018": [
          "SUM-3",
          "SUM-3(a)",
          "SUM-3(b)"
        ],
        "general-nist-800-161-r1": [
          "CM-8(10)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(10)"
        ],
        "general-nist-800-218": [
          "PS.3.2",
          "PW.4.4",
          "RV.1.1"
        ],
        "general-nist-csf-2-0": [
          "GV.OC-05"
        ],
        "general-owasp-top-10-2025": [
          "A03:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.2"
        ],
        "general-sparta": [
          "CM0012"
        ],
        "general-ul-2900-1-2017": [
          "4.1(c)"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "2"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.1.1",
          "3.3",
          "3.4.4"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "4.2"
        ],
        "usa-federal-eo-14028": [
          "4e(iii)",
          "4e(vii)"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 11.7"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.2(1)",
          "Annex 1.2(6)"
        ],
        "emea-sau-cgiot-2024": [
          "4-1-3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1730"
        ],
        "apac-ind-sebi-2024": [
          "GV.SC.S5",
          "PR.IP.S5"
        ]
      }
    },
    {
      "control_id": "TDA-05",
      "title": "Developer Architecture & Design",
      "family": "TDA",
      "description": "Mechanisms exist to require the developers of Technology Assets, Applications and/or Services (TAAS) to produce a design specification and security architecture that: \n(1) Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;\n(2) Accurately and completely describes the required security functionality and the allocation of security, compliance and resilience controls among physical and logical components; and\n(3) Expresses how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection.",
      "scf_question": "Does the organization require the developers of Technology Assets, Applications and/or Services (TAAS) to produce a design specification and security architecture that: \n(1) Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;\n(2) Accurately and completely describes the required security functionality and the allocation of security, compliance and resilience controls among physical and logical components; and\n(3) Expresses how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require the developers of Technology Assets, Applications and/or Services (TAAS) to produce a design specification and security architecture that: \n(1) Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;\n(2) Accurately and completely describes the required security functionality and the allocation of security, compliance and resilience controls among physical and logical components; and\n(3) Expresses how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management",
        "small": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management",
        "medium": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Product / project management",
        "large": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight",
        "enterprise": "∙ Defined \"secure engineering principles\" (e.g., alignment with NIST 800-160)\n∙ Defined business processes\n∙ Product / project management\n∙ Defined technical requirements\n∙ Defined business requirements\n∙ System Development Lifecycle (SDLC) governance / oversight"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.1"
        ],
        "general-govramp": [
          "SA-17"
        ],
        "general-govramp-high": [
          "SA-17"
        ],
        "general-iec-62443-4-1-2018": [
          "SD-1",
          "SD-1(a)",
          "SD-1(b)",
          "SD-1(c)",
          "SD-1(d)",
          "SD-1(e)",
          "SD-1(f)",
          "SD-1(g)",
          "SD-1(h)",
          "SD-1(i)",
          "SD-1(j)"
        ],
        "general-iso-21434-2021": [
          "RQ-10-07"
        ],
        "general-iso-27002-2022": [
          "8.27",
          "8.3"
        ],
        "general-iso-27018-2025": [
          "8.27",
          "8.30"
        ],
        "general-mitre-att&ck-16-1": [
          "T1078",
          "T1078.001",
          "T1078.003",
          "T1078.004",
          "T1134.005",
          "T1482",
          "T1574.002"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.2"
        ],
        "general-nist-800-53-r4": [
          "SA-17"
        ],
        "general-nist-800-53-r5-2": [
          "SA-17"
        ],
        "general-nist-800-53-r5-2-high": [
          "SA-17"
        ],
        "general-nist-800-82-r3": [
          "SA-17"
        ],
        "general-nist-800-82-r3-high": [
          "SA-17"
        ],
        "general-nist-800-161-r1": [
          "CM-8(10)",
          "SA-17"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-17"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-8(10)",
          "SA-17"
        ],
        "general-nist-800-171-r3": [
          "03.16.01"
        ],
        "general-nist-800-218": [
          "PW.4.2",
          "RV.1.1"
        ],
        "general-owasp-top-10-2025": [
          "A04:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2",
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4f"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-17"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)"
        ],
        "emea-deu-c5-2020": [
          "DEV-02"
        ],
        "emea-isr-cmo-1-0": [
          "17.6"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-4"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.5",
          "6.2.1",
          "6.2.2",
          "6.3.1",
          "6.3.2",
          "6.4.1",
          "6.4.2",
          "6.4.3",
          "6.4.4",
          "6.4.5",
          "6.4.6",
          "6.4.7",
          "6.4.8",
          "6.5.1",
          "6.5.2",
          "6.5.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.01"
        ]
      }
    },
    {
      "control_id": "TDA-05.1",
      "title": "Physical Diagnostic & Test Interfaces",
      "family": "TDA",
      "description": "Mechanisms exist to secure physical diagnostic and test interfaces to prevent misuse.",
      "scf_question": "Does the organization secure physical diagnostic and test interfaces to prevent misuse?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to secure physical diagnostic and test interfaces to prevent misuse.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Secure Baseline Configurations (SBC)",
        "small": "∙ Secure Baseline Configurations (SBC)",
        "medium": "∙ Secure Baseline Configurations (SBC)",
        "large": "∙ Secure Baseline Configurations (SBC)",
        "enterprise": "∙ Secure Baseline Configurations (SBC)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-iec-62443-4-2-2019": [
          "EDR 2.13",
          "HDR 2.13",
          "NDR 2.13"
        ],
        "general-pci-dss-4-0-1": [
          "2.2.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "2.2.6"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.2.6"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "2.2.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "2.2.6"
        ]
      }
    },
    {
      "control_id": "TDA-05.2",
      "title": "Diagnostic & Test Interface Monitoring",
      "family": "TDA",
      "description": "Mechanisms exist to enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces.",
      "scf_question": "Does the organization enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Enable endpoint logging of diagnostic and test interface access attempts",
        "small": "∙ Enable endpoint logging of diagnostic and test interface access attempts",
        "medium": "∙ Enable endpoint logging of diagnostic and test interface access attempts\n∙ Alerting on attempts to access diagnostic and test interfaces",
        "large": "∙ Enable endpoint logging of diagnostic and test interface access attempts\n∙ Centralized log collection and alerting (e.g., SIEM) for diagnostic and test interface access events",
        "enterprise": "∙ Enable endpoint logging of diagnostic and test interface access attempts\n∙ Centralized log collection and alerting (e.g., SIEM) for diagnostic and test interface access events"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-iec-62443-4-2-2019": [
          "EDR 2.13(1)",
          "HDR 2.13(1)",
          "NDR 2.13(1)"
        ],
        "general-shared-assessments-sig-2025": [
          "M.1.1"
        ]
      }
    },
    {
      "control_id": "TDA-06",
      "title": "Secure Software Development Practices (SSDP)",
      "family": "TDA",
      "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
      "scf_question": "Does the organization develop applications based on Secure Software Development Practices (SSDP)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-08",
        "E-TDA-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop applications based on Secure Software Development Practices (SSDP).",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Microsoft Security Development Lifecycle (SDL) practices\n∙ OWASP's Application Security Verification Standard (ASVS)\n∙ Mobile Application Security Verification Standard (MASVS)",
        "small": "∙ Microsoft Security Development Lifecycle (SDL) practices\n∙ OWASP's Application Security Verification Standard (ASVS)\n∙ Mobile Application Security Verification Standard (MASVS)",
        "medium": "∙ Microsoft Security Development Lifecycle (SDL) practices\n∙ OWASP's Application Security Verification Standard (ASVS)\n∙ Mobile Application Security Verification Standard (MASVS)",
        "large": "∙ Microsoft Security Development Lifecycle (SDL) practices\n∙ OWASP's Application Security Verification Standard (ASVS)\n∙ Mobile Application Security Verification Standard (MASVS)",
        "enterprise": "∙ Microsoft Security Development Lifecycle (SDL) practices\n∙ OWASP's Application Security Verification Standard (ASVS)\n∙ Mobile Application Security Verification Standard (MASVS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "PI1.1",
          "PI1.2",
          "PI1.2-POF1",
          "PI1.2-POF2",
          "PI1.2-POF3",
          "PI1.3",
          "PI1.3-POF1",
          "PI1.3-POF2",
          "PI1.3-POF3",
          "PI1.3-POF4",
          "PI1.3-POF5",
          "PI1.4",
          "PI1.4-POF1",
          "PI1.4-POF2",
          "PI1.4-POF3",
          "PI1.4-POF4",
          "PI1.5",
          "PI1.5-POF1",
          "PI1.5-POF2",
          "PI1.5-POF3",
          "PI1.5-POF4"
        ],
        "general-cis-csc-8-1": [
          "16.0",
          "16.1",
          "16.5",
          "16.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.1",
          "16.5",
          "16.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.1",
          "16.5",
          "16.11"
        ],
        "general-cobit-2019": [
          "APO03.02"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-04",
          "AIS-06"
        ],
        "general-csa-iot-2": [
          "SDV-05"
        ],
        "general-govramp": [
          "SA-01",
          "SA-15"
        ],
        "general-govramp-low": [
          "SA-01"
        ],
        "general-govramp-low-plus": [
          "SA-01"
        ],
        "general-govramp-mod": [
          "SA-01"
        ],
        "general-govramp-high": [
          "SA-01",
          "SA-15"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.3"
        ],
        "general-iec-62443-4-1-2018": [
          "SD-4",
          "SD-4(a)",
          "SD-4(b)",
          "SD-4(c)",
          "SD-4(d)",
          "SD-4(e)",
          "SD-4(f)",
          "SD-4(g)",
          "SI-2",
          "SI-2(a)",
          "SI-2(b)",
          "SI-2(c)",
          "SI-2(d)",
          "SI-2(e)",
          "SI-2(f)"
        ],
        "general-iso-21434-2021": [
          "RQ-10-06"
        ],
        "general-iso-27002-2022": [
          "8.25",
          "8.26",
          "8.27",
          "8.28",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "14.2.1",
          "14.2.5"
        ],
        "general-iso-27018-2025": [
          "8.25",
          "8.26",
          "8.27",
          "8.28",
          "8.30"
        ],
        "general-iso-42001-2023": [
          "A.6.1.3",
          "A.6.2.3"
        ],
        "general-mitre-att&ck-16-1": [
          "T1078",
          "T1078.001",
          "T1078.003",
          "T1078.004",
          "T1195.001",
          "T1213.003",
          "T1528",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.004",
          "T1552.006",
          "T1558.004",
          "T1574.002"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2",
          "TS-1.13"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(e)"
        ],
        "general-nist-privacy-framework-1-0": [
          "CT.DP-P1"
        ],
        "general-nist-800-53-r4": [
          "SA-1",
          "SA-15"
        ],
        "general-nist-800-53-r5-2": [
          "SA-01",
          "SA-04(03)",
          "SA-15"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-01",
          "SA-04(03)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-01"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SA-15"
        ],
        "general-nist-800-82-r3": [
          "SA-01",
          "SA-04(03)",
          "SA-15"
        ],
        "general-nist-800-82-r3-low": [
          "SA-01"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-01",
          "SA-15"
        ],
        "general-nist-800-82-r3-high": [
          "SA-01",
          "SA-15"
        ],
        "general-nist-800-161-r1": [
          "SA-1",
          "SA-15"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-1",
          "SA-15"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-1",
          "SA-15"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-1"
        ],
        "general-nist-800-171-r3": [
          "03.16.01"
        ],
        "general-nist-800-171a": [
          "3.13.2[b]",
          "3.13.2[e]"
        ],
        "general-nist-800-218": [
          "PO.1",
          "PW.1",
          "PW.1.3",
          "PW.4.2",
          "PW.5",
          "PW.5.1",
          "PW.6.1",
          "PW.6.2",
          "RV.3.4"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-06"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2",
          "6.2.1",
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.1",
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.1",
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.1",
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.1",
          "6.2.4"
        ],
        "general-scf-dpmp-2025": [
          "5.12",
          "7.1"
        ],
        "general-sparta": [
          "CM0017",
          "CM0043"
        ],
        "general-ul-2900-1-2017": [
          "4.1(f)"
        ],
        "general-ul-2900-2-2-2016": [
          "11.3",
          "11.3(a)",
          "11.3(b)",
          "11.3(c)",
          "11.3(d)",
          "11.5",
          "11.6",
          "11.7",
          "11.8"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.e"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-1",
          "SA-15"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4a",
          "ARCHITECTURE-4d"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.2",
          "3.2.4"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(E)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-01",
          "SA-04(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-01",
          "SA-04(03)",
          "SA-15"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-01",
          "SA-04(03)",
          "SA-15"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-01",
          "SA-04(03)"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)(4)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-1",
          "SA-15"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.8(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-03",
          "SA-15"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-deu-bsrit-2017": [
          "7.6",
          "7.7",
          "7.8",
          "7.9",
          "7.10"
        ],
        "emea-deu-c5-2020": [
          "DEV-02",
          "DEV-07",
          "DEV-08"
        ],
        "emea-isr-cmo-1-0": [
          "11.9",
          "17.6",
          "17.9",
          "17.20",
          "17.25"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-3",
          "2-13-1",
          "2-13-2",
          "2-13-3-1",
          "2-13-3-2",
          "2-13-3-3",
          "2-13-3-4"
        ],
        "emea-sau-cgiot-2024": [
          "2-14-3"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-60",
          "TPC-62"
        ],
        "emea-gbr-caf-4-0": [
          "A4.b"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0401",
          "ISM-1239",
          "ISM-1419",
          "ISM-1552"
        ],
        "apac-jpn-ismap": [
          "14.1.1.1",
          "14.2.1.2",
          "14.2.1.9",
          "14.2.1.10"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP50",
          "HML50"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP42"
        ],
        "apac-nzl-ism-3-9": [
          "14.4.5.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.3.2",
          "6.1.1",
          "6.1.2",
          "6.2.1",
          "6.2.2",
          "6.3.1",
          "6.3.2",
          "6.4.1",
          "6.4.2",
          "6.4.3",
          "6.4.4",
          "6.4.5",
          "6.4.6",
          "6.4.7",
          "6.4.8",
          "6.5.1",
          "6.5.2",
          "6.5.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.20"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.8",
          "4.9"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.01"
        ]
      }
    },
    {
      "control_id": "TDA-06.1",
      "title": "Criticality Analysis During Development",
      "family": "TDA",
      "description": "Mechanisms exist to require the developer of the Technology Asset, Application and/or Service (TAAS) to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC).",
      "scf_question": "Does the organization require the developer of the Technology Asset, Application and/or Service (TAAS) to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-BCM-08",
        "E-CHG-01",
        "E-TPM-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require the developer of the Technology Asset, Application and/or Service (TAAS) to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC).",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Formal test environment security policy (separate from production)",
        "large": "∙ Enterprise test environment management with security controls",
        "enterprise": "∙ Enterprise test environment security program\n∙ Test data management\n∙ Production/test environment separation"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "PI1.1"
        ],
        "general-cobit-2019": [
          "BAI09.02"
        ],
        "general-iso-27002-2022": [
          "8.29"
        ],
        "general-iso-27018-2025": [
          "8.29"
        ],
        "general-mitre-att&ck-16-1": [
          "T1195.003",
          "T1495",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1553",
          "T1553.006",
          "T1601",
          "T1601.001",
          "T1601.002"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.BE-P3"
        ],
        "general-nist-800-53-r5-2": [
          "PM-30(01)",
          "RA-09",
          "SA-15(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-30(01)",
          "RA-09"
        ],
        "general-nist-800-53-r5-2-mod": [
          "RA-09",
          "SA-15(03)"
        ],
        "general-nist-800-82-r3": [
          "PM-30(01)",
          "RA-09",
          "SA-15(03)"
        ],
        "general-nist-800-82-r3-low": [
          "PM-30(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-30(01)",
          "SA-15(03)"
        ],
        "general-nist-800-82-r3-high": [
          "PM-30(01)",
          "SA-15(03)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PM-30(01)",
          "RA-09"
        ],
        "general-nist-800-161-r1": [
          "RA-9",
          "SA-15(3)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "RA-9"
        ],
        "general-nist-800-161-r1-level-1": [
          "RA-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-9",
          "SA-15(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-9",
          "SA-15(3)"
        ],
        "general-nist-800-218": [
          "PW.1"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-06"
        ],
        "general-scf-dpmp-2025": [
          "11.7"
        ],
        "general-sparta": [
          "CM0022"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-9"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-1c",
          "ASSET-1d",
          "ASSET-2c",
          "ASSET-2d"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-30(01)",
          "RA-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-30(01)",
          "RA-09",
          "SA-15(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-30(01)",
          "RA-09",
          "SA-15(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-30(01)",
          "RA-09"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-15(CE-3)",
          "SA-15(CE-3).a",
          "SA-15(CE-3).b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21(b)"
        ],
        "apac-nzl-ism-3-9": [
          "14.4.6.C.01",
          "14.4.6.C.02",
          "14.4.6.C.03"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.5"
        ]
      }
    },
    {
      "control_id": "TDA-06.2",
      "title": "Threat Modeling",
      "family": "TDA",
      "description": "Mechanisms exist to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for.",
      "scf_question": "Does the organization perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-03",
        "E-TDA-10",
        "E-THR-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Anonymize/mask production data before use in test environments",
        "large": "∙ Enterprise test data management (masking/anonymization)",
        "enterprise": "∙ Enterprise test data management platform (e.g., Informatica TDM, Delphix)\n∙ Automated data masking"
      },
      "risks": [
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.2",
          "16.14"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.2",
          "16.14"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-06"
        ],
        "general-csa-iot-2": [
          "SDV-06"
        ],
        "general-cr-cmm-2026": [
          "CR3.1.2"
        ],
        "general-govramp": [
          "SA-11(02)"
        ],
        "general-govramp-mod": [
          "SA-11(02)"
        ],
        "general-govramp-high": [
          "SA-11(02)"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-13",
          "SR-2",
          "SR-2(a)",
          "SR-2(b)",
          "SR-2(c)",
          "SR-2(d)",
          "SR-2(e)",
          "SR-2(f)",
          "SR-2(g)",
          "SR-2(h)",
          "SR-2(i)",
          "SR-2(j)",
          "SR-2(k)",
          "SR-2(l)",
          "SR-2(m)"
        ],
        "general-iso-21434-2021": [
          "RQ-15-03",
          "RQ-15-04",
          "RQ-15-05",
          "RQ-15-06",
          "PM-15-07",
          "RQ-15-08",
          "RQ-15-09",
          "RQ-15-10",
          "RC-15-11",
          "RC-15-11(a)",
          "RC-15-11(b)",
          "RC-15-11(c)",
          "RC-15-12",
          "RC-15-12(a)",
          "RC-15-12(b)",
          "RC-15-12(c)",
          "RC-15-12(d)",
          "RC-15-12(e)",
          "RC-15-13",
          "RC-15-13(a)",
          "RC-15-13(b)",
          "RC-15-13(c)",
          "RC-15-13(d)",
          "RC-15-14",
          "RQ-15-15",
          "RQ-15-16"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-3.2-005"
        ],
        "general-nist-800-53-r5-2": [
          "SA-11(02)",
          "SA-15(08)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-11(02)"
        ],
        "general-nist-800-82-r3": [
          "SA-11(02)",
          "SA-15(08)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-11(02)"
        ],
        "general-nist-800-161-r1": [
          "SA-15(4)",
          "SA-15(8)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-15(4)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-15(4)",
          "SA-15(8)"
        ],
        "general-nist-800-218": [
          "PW.1",
          "PW.1.1",
          "RV.2.2"
        ],
        "general-nist-csf-2-0": [
          "GV.OC-01",
          "PR.PS-06"
        ],
        "general-owasp-top-10-2025": [
          "A04:2025",
          "A08:2025"
        ],
        "general-sparta": [
          "CM0020"
        ],
        "general-ul-2900-1-2017": [
          "12.1",
          "12.1(b)"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "4.1"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-11(02)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)"
        ],
        "emea-sau-cgiot-2024": [
          "2-12-1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1238"
        ],
        "apac-jpn-ismap": [
          "14.2.7.3"
        ],
        "apac-nzl-ism-3-9": [
          "14.4.6.C.01",
          "14.4.6.C.02",
          "14.4.6.C.03"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.4",
          "3.1.6"
        ]
      }
    },
    {
      "control_id": "TDA-06.3",
      "title": "Software Assurance Maturity Model (SAMM)",
      "family": "TDA",
      "description": "Mechanisms exist to utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-04",
        "E-TDA-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Security requirements checklist for new technology",
        "small": "∙ Security review checklist for technology acquisitions",
        "medium": "∙ Defined Software Assurance Maturity Model (SAMM)",
        "large": "∙ Defined Software Assurance Maturity Model (SAMM)",
        "enterprise": "∙ Defined Software Assurance Maturity Model (SAMM)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.1",
          "16.5",
          "16.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.1",
          "16.5",
          "16.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.1",
          "16.5",
          "16.11"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-06"
        ],
        "general-csa-iot-2": [
          "SDV-03"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.13"
        ],
        "general-nist-800-218": [
          "PW.1",
          "PW.2",
          "PW.4.2"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-06"
        ],
        "general-owasp-top-10-2025": [
          "A04:2025",
          "A08:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.2"
        ],
        "general-sparta": [
          "CM0017",
          "CM0043"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d",
          "2"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "4.2"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)",
          "4e(iii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.6.1 [MP.SW.1]"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.1",
          "6.1.2",
          "6.2.1",
          "6.2.2",
          "6.3.1",
          "6.3.2",
          "6.4.1",
          "6.4.2",
          "6.4.3",
          "6.4.4",
          "6.4.5",
          "6.4.6",
          "6.4.7",
          "6.4.8",
          "6.5.1",
          "6.5.2",
          "6.5.3",
          "7.6.1",
          "7.6.2"
        ]
      }
    },
    {
      "control_id": "TDA-06.4",
      "title": "Supporting Toolchain",
      "family": "TDA",
      "description": "Automated mechanisms exist to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle.",
      "scf_question": "Does the organization use automated mechanisms to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle?",
      "relative_weight": 6,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "large": "∙ Formal operational readiness testing before production release",
        "enterprise": "∙ Enterprise operational readiness testing program\n∙ Formal go/no-go criteria for releases"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-218": [
          "PO.3",
          "PO.3.1",
          "PO.3.2",
          "PW.6.1",
          "PW.6.2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "2"
        ],
        "usa-federal-eo-14028": [
          "4e(iii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "control_id": "TDA-06.5",
      "title": "Software Design Review",
      "family": "TDA",
      "description": "Mechanisms exist to have an independent review of the software design to validate:\n(1) Applicable security, compliance and resilience requirements are met; and\n(2) Identified risks are remediated.",
      "scf_question": "Does the organization have an independent review of the software design to validate:\n(1) Applicable security, compliance and resilience requirements are met; and\n(2) Identified risks are remediated?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to have an independent review of the software design to validate:\n(1) Applicable security, compliance and resilience requirements are met; and\n(2) Identified risks are remediated.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "large": "∙ Formal system integration testing with security focus",
        "enterprise": "∙ Enterprise integration testing program with security validation\n∙ Automated integration security testing"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.2",
          "16.7",
          "16.12"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.2",
          "16.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.2",
          "16.7",
          "16.12"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.13"
        ],
        "general-nist-800-218": [
          "PO.4",
          "PW.2",
          "PW.2.1",
          "RV.1",
          "RV.1.2"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.3"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "general-sparta": [
          "CM0043"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4f"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.8(a)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)"
        ],
        "emea-sau-cgiot-2024": [
          "2-14-3"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.6.2 [MP.SW.2]"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.4",
          "6.1.1",
          "6.1.2",
          "6.1.3",
          "6.1.4",
          "6.1.6",
          "6.1.7"
        ],
        "americas-can-osfi-b13-2022": [
          "2.4.1",
          "2.4.2"
        ]
      }
    },
    {
      "control_id": "TDA-06.6",
      "title": "Software Design Root Cause Analysis",
      "family": "TDA",
        "description": "Mechanisms exist to assess software design processes that include:\n(1) Conducting Root Cause Analysis (RCA) to identify the underlying causes of issues or failures;\n(2) Developing actions to address the root cause of the issue or failure; and\n(3) Implementing the actions and monitoring the implementation for effectiveness.",
        "scf_question": "Does the organization assess software design processes that include:\n(1) Conducting Root Cause Analysis (RCA) to identify the underlying causes of issues or failures;\n(2) Developing actions to address the root cause of the issue or failure; and\n(3) Implementing the actions and monitoring the implementation for effectiveness?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to assess software design processes that include:\n(1) Conducting Root Cause Analysis (RCA) to identify the underlying causes of issues or failures;\n(2) Developing actions to address the root cause of the issue or failure; and\n(3) Implementing the actions and monitoring the implementation for effectiveness.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise acceptance testing program with formal security criteria"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-iec-62443-4-1-2018": [
          "DM-4",
          "DM-4(a-1)",
          "DM-4(a-1)(1)",
          "DM-4(a-1)(2)",
          "DM-4(a-1)(3)",
          "DM-4(a-1)(4)",
          "DM-4(b-1)",
          "DM-4(c)",
          "DM-4(d)",
          "DM-4(a-2)",
          "DM-4(b-2)"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.13"
        ],
        "general-nist-800-53-r5-2": [
          "SI-02(07)"
        ],
        "general-nist-800-82-r3": [
          "SI-02(07)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "control_id": "TDA-07",
      "title": "Secure Development Environments",
      "family": "TDA",
      "description": "Mechanisms exist to maintain a segmented development network to ensure a secure development environment.",
      "scf_question": "Does the organization maintain a segmented development network to ensure a secure development environment?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a segmented development network to ensure a secure development environment.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Keep software development tools secure and updated",
        "small": "∙ Secure development environment policy\n∙ Control access to dev tools",
        "medium": "∙ Formal secure development environment standards\n∙ Dev tool security controls",
        "large": "∙ Enterprise secure development environment program\n∙ Dev tool access controls and monitoring",
        "enterprise": "∙ Enterprise secure development environment platform\n∙ DevSecOps toolchain security\n∙ Dev tool lifecycle management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.8"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.8"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.8"
        ],
        "general-cobit-2019": [
          "BAI07.04"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-06"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-7"
        ],
        "general-iso-27002-2022": [
          "8.25",
          "8.31"
        ],
        "general-iso-27017-2015": [
          "12.1.4",
          "14.2.6"
        ],
        "general-iso-27018-2025": [
          "8.25",
          "8.31"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.3-004"
        ],
        "general-nist-800-53-r5-2": [
          "SA-03(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-03(01)"
        ],
        "general-nist-800-82-r3": [
          "SA-03(01)"
        ],
        "general-nist-800-218": [
          "PO.5",
          "PO.5.1"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.3",
          "11.4.5",
          "11.4.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.3",
          "11.4.5",
          "11.4.6"
        ],
        "general-sparta": [
          "CM0004"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1",
          "1.a"
        ],
        "usa-federal-eo-14028": [
          "4e(i)",
          "4e(i)(A)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-03(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-03(01)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)",
          "3.6.2(72)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.2(c)",
          "6.8.2(h)"
        ],
        "emea-deu-c5-2020": [
          "DEV-02",
          "DEV-10"
        ],
        "emea-isr-cmo-1-0": [
          "10.1"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-4-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-73"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0400",
          "ISM-1419"
        ],
        "apac-jpn-ismap": [
          "14.2.1.1",
          "14.2.6",
          "14.2.6.1",
          "14.2.6.2",
          "14.2.6.3",
          "14.2.6.4",
          "14.2.6.5",
          "14.2.6.6",
          "14.2.6.7",
          "14.2.6.8",
          "14.2.6.9",
          "14.2.6.10",
          "14.2.6.11",
          "14.2.6.12"
        ],
        "apac-nzl-ism-3-9": [
          "14.4.4.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.3"
        ]
      }
    },
    {
      "control_id": "TDA-08",
      "title": "Separation of Development, Testing and Operational Environments",
      "family": "TDA",
      "description": "Mechanisms exist to manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use version control for all code",
        "small": "∙ Version control system (e.g., Git, GitHub)\n∙ Version control policy",
        "medium": "∙ Formal configuration management for software (version control, branching)",
        "large": "∙ Enterprise software configuration management program (e.g., GitLab, GitHub Enterprise)",
        "enterprise": "∙ Enterprise SCM platform (e.g., GitHub Enterprise, GitLab)\n∙ Automated version control enforcement\n∙ SBOM generation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.8"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.8"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.8"
        ],
        "general-cobit-2019": [
          "BAI07.04"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-06",
          "I&S-05"
        ],
        "general-govramp": [
          "CM-04(01)"
        ],
        "general-govramp-high": [
          "CM-04(01)"
        ],
        "general-iso-27002-2022": [
          "8.25",
          "8.31"
        ],
        "general-iso-27017-2015": [
          "12.1.4"
        ],
        "general-iso-27018-2025": [
          "8.25",
          "8.31"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-2.5"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.DS-P7"
        ],
        "general-nist-800-53-r4": [
          "CM-4(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CM-04(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CM-04(01)"
        ],
        "general-nist-800-82-r3": [
          "CM-04(01)"
        ],
        "general-nist-800-82-r3-high": [
          "CM-04(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CM-04(01)"
        ],
        "general-nist-800-161-r1": [
          "CM-4(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "CM-4(1)"
        ],
        "general-nist-800-171-r2": [
          "3.4.5"
        ],
        "general-nist-800-218": [
          "PO.5",
          "PO.5.1"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.3",
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.3",
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.3",
          "6.5.6"
        ],
        "general-shared-assessments-sig-2025": [
          "I.1.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1",
          "1.a"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CML2.-3.4.5"
        ],
        "usa-federal-eo-14028": [
          "4e(i)",
          "4e(i)(A)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CM-04(01)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-4(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)",
          "3.6.2(72)"
        ],
        "emea-deu-c5-2020": [
          "DEV-10"
        ],
        "emea-isr-cmo-1-0": [
          "10.1"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-4"
        ],
        "emea-sau-ecc-1-2018": [
          "2-5-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-4-1-4"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-73"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0400",
          "ISM-1273",
          "ISM-1274"
        ],
        "apac-ind-sebi-2024": [
          "PR.DS.S5"
        ],
        "apac-jpn-ismap": [
          "12.1.4",
          "12.1.4.1",
          "12.1.4.2",
          "12.1.4.3",
          "12.1.4.4",
          "12.1.4.5",
          "12.1.4.6",
          "12.1.4.7",
          "12.1.4.8",
          "12.1.4.9"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP58",
          "HML58"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP50"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.3"
        ]
      }
    },
    {
      "control_id": "TDA-08.1",
      "title": "Secure Migration Practices",
      "family": "TDA",
      "description": "Mechanisms exist to ensure secure migration practices purge Technology Assets, Applications and/or Services (TAAS) of test/development/staging data and accounts before it is migrated into a production environment.",
      "scf_question": "Does the organization ensure secure migration practices purge Technology Assets, Applications and/or Services (TAAS) of test/development/staging data and accounts before it is migrated into a production environment?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure secure migration practices purge Technology Assets, Applications and/or Services (TAAS) of test/development/staging data and accounts before it is migrated into a production environment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Back up software and code regularly",
        "small": "∙ Software backup policy\n∙ Repository backup and recovery",
        "medium": "∙ Formal software backup and recovery program",
        "large": "∙ Enterprise software repository backup and recovery (e.g., GitHub Enterprise backup)",
        "enterprise": "∙ Enterprise software backup and recovery program (e.g., Rewind, GitHub Enterprise backup)\n∙ Automated backup and recovery testing"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cobit-2019": [
          "BAI07.06"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-04",
          "I&S-07"
        ],
        "general-nist-800-218": [
          "PO.5"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.6"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1"
        ],
        "usa-federal-eo-14028": [
          "4e(i)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-4"
        ],
        "apac-jpn-ismap": [
          "14.2.6.11"
        ]
      }
    },
    {
      "control_id": "TDA-09",
      "title": "Security, Compliance & Resilience Testing Throughout Development",
      "family": "TDA",
      "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
      "scf_question": "Does the organization require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-03",
        "E-TDA-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "4": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Security Testing and Evaluation (ST&E)",
        "small": "∙ Security Testing and Evaluation (ST&E)",
        "medium": "∙ Security Testing and Evaluation (ST&E)",
        "large": "∙ Security Testing and Evaluation (ST&E)",
        "enterprise": "∙ Security Testing and Evaluation (ST&E)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.1-POF1"
        ],
        "general-cis-csc-8-1": [
          "16.2",
          "16.3",
          "16.12"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.2",
          "16.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.2",
          "16.3",
          "16.12"
        ],
        "general-cobit-2019": [
          "BAI03.06",
          "BAI03.07",
          "BAI03.08"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-04",
          "AIS-05"
        ],
        "general-csa-iot-2": [
          "SDV-07",
          "SET-06"
        ],
        "general-cr-cmm-2026": [
          "CR8.1.2"
        ],
        "general-govramp": [
          "SA-11"
        ],
        "general-govramp-core": [
          "SA-11"
        ],
        "general-govramp-low-plus": [
          "SA-11"
        ],
        "general-govramp-mod": [
          "SA-11"
        ],
        "general-govramp-high": [
          "SA-11"
        ],
        "general-iec-62443-4-1-2018": [
          "SM-9",
          "SM-10",
          "SM-10(a)",
          "SM-10(b)",
          "SD-3",
          "SD-3(a)",
          "SD-3(b)",
          "SD-3(c)",
          "SI-1",
          "SI-1(a)",
          "SI-1(b)",
          "SI-1(d)",
          "SI-1(e)",
          "SVV-1",
          "SVV-1(a)",
          "SVV-1(b)",
          "SVV-1(c)",
          "SVV-2",
          "SVV-2(a)",
          "SVV-2(b)",
          "SVV-3",
          "SVV-3(a)",
          "SVV-3(b)",
          "SVV-3(c)",
          "SVV-3(d)",
          "SVV-3(d)(1)",
          "SVV-3(d)(2)",
          "SVV-3(d)(3)",
          "SVV-3(d)(4)",
          "SVV-3(e)",
          "SVV-5",
          "DM-1",
          "DM-1(a)",
          "DM-1(b)",
          "DM-1(c)",
          "DM-1(d)",
          "DM-3",
          "DM-3(a)",
          "DM-3(a)(1)",
          "DM-3(a)(2)",
          "DM-3(a)(3)",
          "DM-3(b)",
          "DM-3(c)",
          "DM-3(d)",
          "DM-3(e)"
        ],
        "general-iso-27002-2022": [
          "8.25",
          "8.29",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "14.2.7",
          "14.2.8",
          "14.2.9"
        ],
        "general-iso-27018-2025": [
          "8.25",
          "8.29",
          "8.30"
        ],
        "general-mitre-att&ck-16-1": [
          "T1078",
          "T1078.001",
          "T1078.003",
          "T1078.004",
          "T1134.005",
          "T1195.001",
          "T1195.003",
          "T1213.003",
          "T1495",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.004",
          "T1528",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.004",
          "T1552.006",
          "T1553",
          "T1553.006",
          "T1558.004",
          "T1559.003",
          "T1574.002",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1612",
          "T1647"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2",
          "TS-1.13",
          "TS-8.3"
        ],
        "general-nist-800-53-r4": [
          "SA-11"
        ],
        "general-nist-800-53-r5-2": [
          "SA-11",
          "SA-11(05)",
          "SA-11(06)",
          "SA-11(07)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-11",
          "SA-11(05)",
          "SA-11(06)",
          "SA-11(07)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SA-11"
        ],
        "general-nist-800-82-r3": [
          "SA-11",
          "SA-11(05)",
          "SA-11(06)",
          "SA-11(07)"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-11"
        ],
        "general-nist-800-82-r3-high": [
          "SA-11"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-11(05)",
          "SA-11(06)"
        ],
        "general-nist-800-161-r1": [
          "SA-11"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-11"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-11"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-11"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-11"
        ],
        "general-nist-800-171-r3": [
          "03.12.01",
          "03.12.03",
          "03.14.01.a"
        ],
        "general-nist-800-218": [
          "PO.4",
          "PO.4.1",
          "PW.5.1",
          "PW.6",
          "PW.7",
          "PW.7.1",
          "PW.8.1",
          "PW.8.2",
          "RV.1",
          "RV.2",
          "RV.2.1",
          "RV.2.2",
          "RV.3.1",
          "RV.3.2",
          "RV.3.3"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-01",
          "ID.IM-01",
          "ID.IM-02",
          "PR.PS-06"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.3",
          "6.2.3.1",
          "6.2.4",
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.3.1",
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.3",
          "6.2.3.1",
          "6.2.4",
          "6.5.6"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.3",
          "6.2.3.1",
          "6.2.4",
          "6.5.6"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.11",
          "7.12"
        ],
        "general-ul-2900-1-2017": [
          "12.3",
          "12.3(a)",
          "12.3(b)",
          "12.3(c)",
          "12.4",
          "12.4(a)",
          "12.4(b)",
          "12.4(c)",
          "12.4(d)",
          "12.5",
          "12.5(a)",
          "12.5(b)",
          "12.5(c)",
          "12.6",
          "13.1",
          "17.1",
          "17.2",
          "17.3",
          "17.3(a)",
          "17.3(b)",
          "17.3(c)"
        ],
        "general-ul-2900-2-2-2016": [
          "13.1",
          "17.1"
        ],
        "general-un-155-2021": [
          "7.2.2.3"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.3",
          "7.2.2.4"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "2",
          "4",
          "4.a"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-11"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4h"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.2.3",
          "3.3",
          "3.3.4"
        ],
        "usa-federal-eo-14028": [
          "4e(iii)",
          "4e(iv)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-11(05)",
          "SA-11(06)",
          "SA-11(07)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-11",
          "SA-11(05)",
          "SA-11(06)",
          "SA-11(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-11",
          "SA-11(05)",
          "SA-11(06)",
          "SA-11(07)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-11(05)",
          "SA-11(06)",
          "SA-11(07)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-11",
          "SA-11(CE-5)",
          "SA-11(CE-6)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-11",
          "SA-11.a",
          "SA-11.b",
          "SA-11.c",
          "SA-11.d",
          "SA-11.e",
          "SA-11-IS.1",
          "SA-11-IS.3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.8(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-11"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-11"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(69)",
          "3.6.2(70)",
          "3.6.2(71)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.2(d)",
          "6.5.1"
        ],
        "emea-deu-bsrit-2017": [
          "7.7",
          "7.8",
          "7.9",
          "7.10",
          "7.11",
          "7.12",
          "7.13",
          "7.14"
        ],
        "emea-deu-c5-2020": [
          "DEV-02"
        ],
        "emea-isr-cmo-1-0": [
          "11.9",
          "17.3",
          "17.4",
          "17.12",
          "17.15"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-1-1",
          "1-3-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3-2",
          "1-5-3-4",
          "1-6-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-4-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-72"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.6.2 [MP.SW.2]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0402",
          "ISM-1754"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S6"
        ],
        "apac-jpn-ismap": [
          "14.2.1.4",
          "14.2.7.5",
          "14.2.7.6",
          "14.2.7.7",
          "14.2.8",
          "14.2.8.1",
          "14.2.8.2",
          "14.2.8.3"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.7.1",
          "5.7.2",
          "5.7.3",
          "5.7.4",
          "5.7.5",
          "5.7.6",
          "6.1.1",
          "6.1.2",
          "6.1.3",
          "6.1.4",
          "6.1.6",
          "6.1.7"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.8",
          "4.9"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.9"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.01",
          "03.12.03",
          "03.14.01.A"
        ]
      }
    },
    {
      "control_id": "TDA-09.1",
      "title": "Continuous Monitoring Plan",
      "family": "TDA",
      "description": "Mechanisms exist to require the developers of Technology Assets, Applications and/or Services (TAAS) to produce a plan for the continuous monitoring of security, compliance and/or resilience control effectiveness.",
      "scf_question": "Does the organization require the developers of Technology Assets, Applications and/or Services (TAAS) to produce a plan for the continuous monitoring of security, compliance and/or resilience control effectiveness?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require the developers of Technology Assets, Applications and/or Services (TAAS) to produce a plan for the continuous monitoring of security, compliance and/or resilience control effectiveness.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Formal SDLC process with security gates",
        "large": "∙ Enterprise SDLC with integrated security checkpoints",
        "enterprise": "∙ Enterprise DevSecOps SDLC (e.g., NIST SSDF, OWASP SAMM)\n∙ Automated security gates in CI/CD"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.2"
        ],
        "general-csa-iot-2": [
          "SDV-07"
        ],
        "general-govramp": [
          "SA-04(08)"
        ],
        "general-govramp-high": [
          "SA-04(08)"
        ],
        "general-nist-800-53-r4": [
          "SA-4(8)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04(08)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(08)"
        ],
        "general-nist-800-161-r1": [
          "SA-4(8)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-4(8)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-4(8)"
        ],
        "general-nist-800-171-r3": [
          "03.12.03"
        ],
        "general-nist-800-218": [
          "RV.1"
        ],
        "general-nist-csf-2-0": [
          "ID.IM-01",
          "ID.IM-02"
        ],
        "general-un-155-2021": [
          "7.2.2.3",
          "7.2.2.4",
          "7.2.2.4(a)",
          "7.2.2.4(b)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.3",
          "7.2.2.4",
          "7.2.2.4(a)",
          "7.2.2.4(b)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-4(CE-8)"
        ],
        "emea-isr-cmo-1-0": [
          "17.3",
          "17.4",
          "17.12"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.4"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.03"
        ]
      }
    },
    {
      "control_id": "TDA-09.2",
      "title": "Static Code Analysis",
      "family": "TDA",
      "description": "Mechanisms exist to require the developers of Technology Assets, Applications and/or Services (TAAS) to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis.",
      "scf_question": "Does the organization require the developers of Technology Assets, Applications and/or Services (TAAS) to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.\n▪ Developers of TAAS are required to employ static code analysis tools to identify and remediate common flaws, documenting the results of the analysis before the application is cleared for production usage.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require the developers of Technology Assets, Applications and/or Services (TAAS) to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "large": "∙ Agile security integration in sprint planning and reviews",
        "enterprise": "∙ Enterprise agile security program (DevSecOps)\n∙ Security backlog integration\n∙ Security in definition of done"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.12"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.12"
        ],
        "general-csa-iot-2": [
          "SDV-04",
          "SET-06"
        ],
        "general-govramp": [
          "SA-11(01)"
        ],
        "general-govramp-core": [
          "SA-11(01)"
        ],
        "general-govramp-mod": [
          "SA-11(01)"
        ],
        "general-govramp-high": [
          "SA-11(01)"
        ],
        "general-iec-62443-4-1-2018": [
          "SI-1(c)"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-8.3"
        ],
        "general-nist-800-53-r4": [
          "SA-11(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-11(01)"
        ],
        "general-nist-800-82-r3": [
          "SA-11(01)"
        ],
        "general-nist-800-218": [
          "PO.4",
          "PW.7",
          "PW.7.2"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.4"
        ],
        "general-sparta": [
          "CM0019",
          "CM0043"
        ],
        "general-ul-2900-1-2017": [
          "18.1",
          "18.2",
          "18.3",
          "18.4",
          "18.5"
        ],
        "general-ul-2900-2-2-2016": [
          "18.1",
          "19.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4h"
        ],
        "usa-federal-eo-14028": [
          "4e(iv)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-11(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-11(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-11(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-11(1)",
          "SA-11(1)-IS.1",
          "SA-11(1)-IS.2"
        ],
        "emea-deu-c5-2020": [
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "17.3",
          "17.14"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-72"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0402"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.6"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.9"
        ]
      }
    },
    {
      "control_id": "TDA-09.3",
      "title": "Dynamic Code Analysis",
      "family": "TDA",
      "description": "Mechanisms exist to require the developers of Technology Assets, Applications and/or Services (TAAS) to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis.",
      "scf_question": "Does the organization require the developers of Technology Assets, Applications and/or Services (TAAS) to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.\n▪ Developers of TAAS are required to employ dynamic code analysis tools to identify and remediate common flaws, documenting the results of the analysis before the application is cleared for production usage.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require the developers of Technology Assets, Applications and/or Services (TAAS) to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "enterprise": "∙ Enterprise DevSecOps pipeline with full automation (CI/CD security gates, SAST, DAST, SCA)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.12"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.12"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-05"
        ],
        "general-csa-iot-2": [
          "SDV-04",
          "SET-06"
        ],
        "general-govramp": [
          "SA-11(08)"
        ],
        "general-govramp-mod": [
          "SA-11(08)"
        ],
        "general-govramp-high": [
          "SA-11(08)"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-8.3"
        ],
        "general-nist-800-53-r4": [
          "SA-11(8)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-11(08)"
        ],
        "general-nist-800-82-r3": [
          "SA-11(08)"
        ],
        "general-nist-800-218": [
          "PO.4",
          "PW.7",
          "PW.7.2"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.4"
        ],
        "general-sparta": [
          "CM0018",
          "CM0043"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "4"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4h"
        ],
        "usa-federal-eo-14028": [
          "4e(iv)"
        ],
        "emea-deu-c5-2020": [
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "17.3",
          "17.19"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-72"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0402"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.6"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.9"
        ]
      }
    },
    {
      "control_id": "TDA-09.4",
      "title": "Malformed Input Testing",
      "family": "TDA",
      "description": "Mechanisms exist to utilize testing methods to ensure Technology Assets, Applications and/or Services (TAAS) continue to operate as intended when subject to invalid or unexpected inputs on its interfaces.",
      "scf_question": "Does the organization utilize testing methods to ensure Technology Assets, Applications and/or Services (TAAS) continue to operate as intended when subject to invalid or unexpected inputs on its interfaces?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.\n▪ An application development team, or similar function, implements a process to check the validity of information inputs.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize testing methods to ensure Technology Assets, Applications and/or Services (TAAS) continue to operate as intended when subject to invalid or unexpected inputs on its interfaces.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "enterprise": "∙ Enterprise continuous delivery security program\n∙ Automated security in deployment pipelines"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.6-006"
        ],
        "general-nist-800-218": [
          "PW.7",
          "PW.8"
        ],
        "general-owasp-top-10-2025": [
          "A03:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.4"
        ],
        "general-ul-2900-1-2017": [
          "15.1",
          "15.1(a)",
          "15.1(b)",
          "15.1(c)",
          "15.1(d)",
          "15.1(e)",
          "15.1(f)",
          "15.1(g)",
          "15.1(h)",
          "15.1(i)",
          "15.2",
          "15.3",
          "15.4",
          "15.5",
          "15.6",
          "15.7",
          "15.8",
          "15.9",
          "15.10",
          "15.11"
        ],
        "general-ul-2900-2-2-2016": [
          "15.2.1",
          "15.2.2",
          "15.2.3",
          "15.2.4",
          "15.2.5",
          "15.2.6",
          "15.3.1",
          "15.3.2",
          "15.3.3",
          "15.3.4"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "emea-deu-c5-2020": [
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "17.3",
          "17.24"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-72"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0402"
        ],
        "apac-nzl-ism-3-9": [
          "14.5.6.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.6"
        ]
      }
    },
    {
      "control_id": "TDA-09.5",
      "title": "Application Penetration Testing",
      "family": "TDA",
      "description": "Mechanisms exist to perform application-level penetration testing of custom-made Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization perform application-level penetration testing of custom-made Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform application-level penetration testing of custom-made Technology Assets, Applications and/or Services (TAAS).",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "enterprise": "∙ Enterprise site reliability engineering (SRE) with security integration"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.13"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.13"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-05"
        ],
        "general-csa-iot-2": [
          "SDV-07",
          "SET-02",
          "SET-06"
        ],
        "general-iec-62443-4-1-2018": [
          "SVV-4"
        ],
        "general-nist-800-53-r5-2": [
          "SA-11(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-11(05)"
        ],
        "general-nist-800-82-r3": [
          "SA-11(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-11(05)"
        ],
        "general-nist-800-218": [
          "PW.7",
          "PW.8"
        ],
        "general-owasp-top-10-2025": [
          "A01:2025",
          "A02:2025",
          "A03:2025",
          "A04:2025",
          "A05:2025",
          "A06:2025",
          "A07:2025",
          "A08:2025",
          "A09:2025",
          "A10:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.4"
        ],
        "general-swift-cscf-2025": [
          "7.3A"
        ],
        "general-ul-2900-1-2017": [
          "16.1",
          "16.1(a)",
          "16.1(b)",
          "16.1(c)",
          "16.2",
          "16.2(a)",
          "16.2(b)",
          "16.2(c)",
          "16.2(d)",
          "16.2(e)",
          "16.3",
          "16.4"
        ],
        "general-ul-2900-2-2-2016": [
          "16.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.STEXE"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4h"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-11(05)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-11(CE-5)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(6)"
        ],
        "emea-deu-c5-2020": [
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "11.9",
          "17.3",
          "17.15",
          "17.17"
        ],
        "emea-sau-ecc-1-2018": [
          "1-6-3-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-72"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0402"
        ],
        "apac-nzl-ism-3-9": [
          "14.5.6.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.6"
        ]
      }
    },
    {
      "control_id": "TDA-09.6",
      "title": "Secure Settings By Default",
      "family": "TDA",
      "description": "Mechanisms exist to implement secure configuration settings by default to reduce the likelihood of Technology Assets, Applications and/or Services (TAAS) being deployed with weak security settings that would put the TAAS at a greater risk of compromise.",
      "scf_question": "Does the organization implement secure configuration settings by default to reduce the likelihood of Technology Assets, Applications and/or Services (TAAS) being deployed with weak security settings that would put the TAAS at a greater risk of compromise?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-03"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement secure configuration settings by default to reduce the likelihood of Technology Assets, Applications and/or Services (TAAS) being deployed with weak security settings that would put the TAAS at a greater risk of compromise.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise security orchestration in CI/CD pipelines\n∙ Policy-as-code enforcement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.1"
        ],
        "general-csa-cmm-4-1-0": [
          "DSP-07",
          "DSP-08"
        ],
        "general-nist-800-218": [
          "PW.1.3",
          "PW.5.1",
          "PW.6",
          "PW.9",
          "PW.9.1",
          "PW.9.2"
        ],
        "general-shared-assessments-sig-2025": [
          "N.11"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.d"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4c"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(D)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.8(a)"
        ],
        "emea-sau-otcc-1-2022": [
          "1-4-1-3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0383"
        ]
      }
    },
    {
      "control_id": "TDA-09.7",
      "title": "Manual Code Review",
      "family": "TDA",
      "description": "Mechanisms exist to require the developers of Technology Assets, Applications and/or Services (TAAS) to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application’s requirements and design.",
      "scf_question": "Does the organization require the developers of Technology Assets, Applications and/or Services (TAAS) to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application’s requirements and design?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require the developers of Technology Assets, Applications and/or Services (TAAS) to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application’s requirements and design.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise policy-as-code program\n∙ Automated compliance in CI/CD (e.g., OPA, Checkov)"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SA-11(4)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-11(04)"
        ],
        "general-nist-800-82-r3": [
          "SA-11(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-11(CE-4)"
        ]
      }
    },
    {
      "control_id": "TDA-10",
      "title": "Use of Live Data",
      "family": "TDA",
      "description": "Mechanisms exist to approve, document and control the use of live data in development and test environments.",
      "scf_question": "Does the organization approve, document and control the use of live data in development and test environments?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to approve, document and control the use of live data in development and test environments.",
        "4": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "medium": "∙ Formal software testing policy with security test cases",
        "large": "∙ Enterprise software testing program with security integration",
        "enterprise": "∙ Enterprise software testing platform with security integration (SAST, DAST, IAST)\n∙ Automated security test execution"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "DSP-15"
        ],
        "general-iso-27002-2022": [
          "8.33"
        ],
        "general-iso-27017-2015": [
          "14.3.1"
        ],
        "general-iso-27018-2025": [
          "8.33"
        ],
        "general-nist-800-53-r4": [
          "SA-15(9)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-03(02)"
        ],
        "general-nist-800-82-r3": [
          "SA-03(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-03(02)"
        ],
        "general-pci-dss-4-0-1": [
          "6.5.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.5.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.5.5"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-3(CE-2)",
          "SA-3(CE-2).a",
          "SA-3(CE-2).b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.2(f)"
        ],
        "emea-isr-cmo-1-0": [
          "10.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1420"
        ],
        "apac-jpn-ismap": [
          "14.3",
          "14.3.1",
          "14.3.1.1",
          "14.3.1.2",
          "14.3.1.3",
          "14.3.1.4",
          "14.3.1.5",
          "14.3.1.6"
        ],
        "apac-sgp-mas-trm-2021": [
          "11.1.6"
        ]
      }
    },
    {
      "control_id": "TDA-10.1",
      "title": "Test Data Integrity",
      "family": "TDA",
      "description": "Mechanisms exist to ensure the integrity of test data through existing security, compliance and resilience controls.",
      "scf_question": "Does the organization ensure the integrity of test data through existing security, compliance and resilience controls?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the integrity of test data through existing security, compliance and resilience controls.",
        "4": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Dynamic application security testing (DAST) before release",
        "large": "∙ Enterprise DAST program (e.g., OWASP ZAP, Burp Suite)\n∙ Integration with CI/CD",
        "enterprise": "∙ Enterprise DAST platform (e.g., Veracode DAST, Checkmarx DAST)\n∙ Automated scanning in CI/CD pipeline"
      },
      "risks": [
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "emea-eu-nis2-annex-2024": [
          "6.2.2(e)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0402"
        ]
      }
    },
    {
      "control_id": "TDA-11",
      "title": "Product Tampering and Counterfeiting (PTC)",
      "family": "TDA",
      "description": "Mechanisms exist to maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components.",
      "scf_question": "Does the organization maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components.",
        "4": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Test software in isolated environment before production deployment",
        "small": "∙ Pre-production testing and staging environment",
        "medium": "∙ Formal pre-production acceptance testing process\n∙ Separate staging environment",
        "large": "∙ Enterprise pre-production testing program\n∙ Formal acceptance criteria",
        "enterprise": "∙ Enterprise software release management platform\n∙ Formal acceptance testing process\n∙ Blue/green or canary deployments"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.5"
        ],
        "general-mitre-att&ck-16-1": [
          "T1059.002",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1195.003",
          "T1204.003",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.004",
          "T1546.006",
          "T1554",
          "T1601",
          "T1601.001",
          "T1601.002"
        ],
        "general-nist-800-53-r4": [
          "SA-12(10)",
          "SA-19"
        ],
        "general-nist-800-53-r5-2": [
          "SR-04(03)",
          "SR-04(04)",
          "SR-10",
          "SR-11",
          "SR-11(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SR-10"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-10",
          "SR-11"
        ],
        "general-nist-800-82-r3": [
          "SR-04(03)",
          "SR-04(04)",
          "SR-10",
          "SR-11",
          "SR-11(03)"
        ],
        "general-nist-800-82-r3-low": [
          "SR-10",
          "SR-11"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-10",
          "SR-11"
        ],
        "general-nist-800-82-r3-high": [
          "SR-10",
          "SR-11"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-04(03)",
          "SR-04(04)",
          "SR-10",
          "SR-11",
          "SR-11(03)"
        ],
        "general-nist-800-161-r1": [
          "SR-10",
          "SR-11",
          "SR-11(3)"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-10",
          "SR-11"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SR-10"
        ],
        "general-nist-800-161-r1-level-1": [
          "SR-11"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-10",
          "SR-11",
          "SR-11(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-10",
          "SR-11",
          "SR-11(3)"
        ],
        "general-sparta": [
          "CM0024",
          "CM0028"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SR-10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-10",
          "SR-11"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-10",
          "SR-11"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-10",
          "SR-11"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-10",
          "SR-11"
        ],
        "usa-federal-irs-1075-2021": [
          "SR-10",
          "SR-11"
        ],
        "emea-isr-cmo-1-0": [
          "17.21"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1790",
          "ISM-1791",
          "ISM-1792"
        ]
      }
    },
    {
      "control_id": "TDA-11.1",
      "title": "Anti-Counterfeit Training",
      "family": "TDA",
      "description": "Mechanisms exist to train personnel to detect counterfeit system components, including hardware, software and firmware.",
      "scf_question": "Does the organization train personnel to detect counterfeit system components, including hardware, software and firmware?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to train personnel to detect counterfeit system components, including hardware, software and firmware.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Regression testing for security after code changes",
        "large": "∙ Enterprise security regression testing program",
        "enterprise": "∙ Enterprise automated security regression testing in CI/CD pipeline"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SA-19(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SR-11(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-11(01)"
        ],
        "general-nist-800-82-r3": [
          "SR-11(01)"
        ],
        "general-nist-800-82-r3-low": [
          "SR-11(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-11(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SR-11(01)"
        ],
        "general-nist-800-161-r1": [
          "SR-11(1)"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-11(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-11(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-11(1)"
        ],
        "general-sparta": [
          "CM0024"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-11(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-11(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-11(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-11(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "SR-11(CE-1)"
        ],
        "emea-isr-cmo-1-0": [
          "17.21"
        ]
      }
    },
    {
      "control_id": "TDA-11.2",
      "title": "Component Disposal",
      "family": "TDA",
      "description": "[deprecated - incorporated into AST-09]\nMechanisms exist to dispose of system components using organization-defined techniques and methods to prevent such components from entering the gray market.",
      "scf_question": "[deprecated - incorporated into AST-09]\nDoes the organization dispose of system components using organization-defined techniques and methods to prevent such components from entering the gray market?",
      "relative_weight": 0,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "N/A",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "N/A",
        "1": "N/A",
        "2": "N/A",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ [deprecated - incorporated into AST-09]\nAn implemented and operational capability exists to dispose of system components using organization-defined techniques and methods to prevent such components from entering the gray market.",
        "4": "N/A",
        "5": "N/A"
      },
      "profiles": [],
      "possible_solutions": {
        "large": "∙ Fuzz testing for critical applications",
        "enterprise": "∙ Enterprise fuzz testing program (e.g., AFL, libFuzzer, Google OSS-Fuzz)\n∙ Automated fuzzing in CI/CD"
      },
      "risks": [
        "[object Object]"
      ],
      "threats": [
        "[object Object]"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-161-r1": [
          "SR-12"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-12"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-12"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-12"
        ]
      }
    },
    {
      "control_id": "TDA-12",
      "title": "Customized Development of Critical Components",
      "family": "TDA",
      "description": "Mechanisms exist to custom-develop critical system components, when Commercial Off The Shelf (COTS) solutions are unavailable.",
      "scf_question": "Does the organization custom-develop critical system components, when Commercial Off The Shelf (COTS) solutions are unavailable?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to custom-develop critical system components, when Commercial Off The Shelf (COTS) solutions are unavailable.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Perform basic security testing before deploying new software",
        "small": "∙ Security testing checklist before software deployment",
        "medium": "∙ Formal security testing program for software releases",
        "large": "∙ Enterprise DAST/SAST program integrated with deployment process",
        "enterprise": "∙ Enterprise DevSecOps security testing automation (SAST, DAST, SCA, IAST)\n∙ Full CI/CD integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.7",
          "16.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.7",
          "16.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.7",
          "16.11"
        ],
        "general-csa-iot-2": [
          "SDV-03",
          "SDV-05"
        ],
        "general-nist-800-53-r4": [
          "SA-20"
        ],
        "general-nist-800-53-r5-2": [
          "PM-30(01)",
          "SA-20",
          "SA-23"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-30(01)",
          "SA-23"
        ],
        "general-nist-800-82-r3": [
          "PM-30(01)",
          "SA-20",
          "SA-23"
        ],
        "general-nist-800-82-r3-low": [
          "PM-30(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-30(01)"
        ],
        "general-nist-800-82-r3-high": [
          "PM-30(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PM-30(01)",
          "SA-20",
          "SA-23"
        ],
        "general-nist-800-161-r1": [
          "SA-20"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-20"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-20"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-30(01)",
          "SA-23"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-30(01)",
          "SA-23"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-30(01)",
          "SA-23"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-30(01)",
          "SA-23"
        ]
      }
    },
    {
      "control_id": "TDA-13",
      "title": "Developer Screening",
      "family": "TDA",
      "description": "Mechanisms exist to ensure that the developers of Technology Assets, Applications and/or Services (TAAS) have the requisite skillset and appropriate access authorizations.",
      "scf_question": "Does the organization ensure that the developers of Technology Assets, Applications and/or Services (TAAS) have the requisite skillset and appropriate access authorizations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "People",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that the developers of Technology Assets, Applications and/or Services (TAAS) have the requisite skillset and appropriate access authorizations.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document and communicate security vulnerabilities in released software",
        "small": "∙ Document and communicate security vulnerabilities in released software",
        "medium": "∙ Formal coordinated vulnerability disclosure (CVD) policy and process",
        "large": "∙ Enterprise vulnerability disclosure program (VDP)\n∙ CNA enrollment if applicable",
        "enterprise": "∙ Enterprise vulnerability disclosure program (VDP)\n∙ Bug bounty integration (e.g., HackerOne, Bugcrowd)\n∙ CVE/CNA participation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SA-21"
        ],
        "general-nist-800-53-r5-2": [
          "SA-21"
        ],
        "general-nist-800-53-r5-2-high": [
          "SA-21"
        ],
        "general-nist-800-82-r3": [
          "SA-21"
        ],
        "general-nist-800-82-r3-high": [
          "SA-21"
        ],
        "general-nist-800-161-r1": [
          "SA-21",
          "SA-21(1)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SA-21"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-21",
          "SA-21(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-21",
          "SA-21(1)"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.2"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-21"
        ],
        "emea-eu-nis2-annex-2024": [
          "10.2.1"
        ],
        "emea-deu-c5-2020": [
          "DEV-02"
        ]
      }
    },
    {
      "control_id": "TDA-14",
      "title": "Developer Configuration Management",
      "family": "TDA",
      "description": "Mechanisms exist to require system developers and integrators to perform configuration management during system design, development, implementation and operation.",
      "scf_question": "Does the organization require system developers and integrators to perform configuration management during system design, development, implementation and operation?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-01",
        "E-TDA-02",
        "E-TDA-04",
        "E-TDA-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require system developers and integrators to perform configuration management during system design, development, implementation and operation.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "medium": "∙ Basic malware protection in development environments",
        "large": "∙ Enterprise malware protection for development environments\n∙ Code scanning for malicious patterns",
        "enterprise": "∙ Enterprise malware protection in DevSecOps pipelines\n∙ Automated malware scanning in CI/CD"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.11"
        ],
        "general-govramp": [
          "SA-10"
        ],
        "general-govramp-mod": [
          "SA-10"
        ],
        "general-govramp-high": [
          "SA-10"
        ],
        "general-iso-27002-2022": [
          "8.3",
          "8.32"
        ],
        "general-iso-27017-2015": [
          "12.1.2",
          "14.2.4"
        ],
        "general-iso-27018-2025": [
          "8.30",
          "8.32"
        ],
        "general-mitre-att&ck-16-1": [
          "T1072",
          "T1078",
          "T1078.001",
          "T1078.003",
          "T1078.004",
          "T1195.001",
          "T1195.003",
          "T1213.003",
          "T1495",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.004",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1553",
          "T1553.006",
          "T1559.003",
          "T1564.009",
          "T1574.002",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1647"
        ],
        "general-nist-800-53-r4": [
          "SA-10"
        ],
        "general-nist-800-53-r5-2": [
          "SA-10"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SA-10"
        ],
        "general-nist-800-82-r3": [
          "SA-10"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-10"
        ],
        "general-nist-800-82-r3-high": [
          "SA-10"
        ],
        "general-nist-800-161-r1": [
          "SA-10"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-10"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-10"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-10"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-09"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-10"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-10",
          "SA-10.a",
          "SA-10.b",
          "SA-10.c",
          "SA-10.d",
          "SA-10.e"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-10"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-10"
        ],
        "emea-deu-c5-2020": [
          "DEV-02"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.5"
        ]
      }
    },
    {
      "control_id": "TDA-14.1",
      "title": "Software / Firmware Integrity Verification",
      "family": "TDA",
      "description": "Mechanisms exist to require developers of Technology Assets, Applications and/or Services (TAAS) to enable integrity verification of software and firmware components.",
      "scf_question": "Does the organization require developers of Technology Assets, Applications and/or Services (TAAS) to enable integrity verification of software and firmware components?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-01",
        "E-TDA-02",
        "E-TDA-04",
        "E-TDA-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require developers of Technology Assets, Applications and/or Services (TAAS) to enable integrity verification of software and firmware components.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "enterprise": "∙ Enterprise anti-malware protection in development environments\n∙ Automated malware scanning of build artifacts"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.5",
          "16.11"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.5",
          "16.11"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.5",
          "16.11"
        ],
        "general-csa-iot-2": [
          "CCM-06"
        ],
        "general-govramp": [
          "SA-10(01)"
        ],
        "general-govramp-mod": [
          "SA-10(01)"
        ],
        "general-govramp-high": [
          "SA-10(01)"
        ],
        "general-nist-800-53-r4": [
          "SA-10(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-10(01)"
        ],
        "general-nist-800-82-r3": [
          "SA-10(01)"
        ],
        "general-nist-800-172": [
          "3.14.7e"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-09"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-4g"
        ],
        "usa-federal-eo-14028": [
          "4e(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-10(CE-1)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-10 (01)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.6.1(c)"
        ],
        "emea-isr-cmo-1-0": [
          "17.20"
        ]
      }
    },
    {
      "control_id": "TDA-14.2",
      "title": "Hardware Integrity Verification",
      "family": "TDA",
      "description": "Mechanisms exist to require developers of Technology Assets, Applications and/or Services (TAAS) to enable integrity verification of hardware components.",
      "scf_question": "Does the organization require developers of Technology Assets, Applications and/or Services (TAAS) to enable integrity verification of hardware components?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-01",
        "E-TDA-02",
        "E-TDA-04",
        "E-TDA-08"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require developers of Technology Assets, Applications and/or Services (TAAS) to enable integrity verification of hardware components.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "enterprise": "∙ Enterprise malicious code protection across all development environments\n∙ SAST for malicious code detection"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SA-10(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-10(03)"
        ],
        "general-nist-800-82-r3": [
          "SA-10(03)"
        ],
        "general-nist-800-172": [
          "3.14.7e"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-09"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-10(CE-3)"
        ]
      }
    },
    {
      "control_id": "TDA-15",
      "title": "Developer Threat Analysis & Flaw Remediation",
      "family": "TDA",
      "description": "Mechanisms exist to require system developers and integrators to develop and implement an ongoing Security Testing and Evaluation (ST&E) plan, or similar process, to objectively identify and remediate vulnerabilities prior to release to production.",
      "scf_question": "Does the organization require system developers and integrators to create a Security Testing and Evaluation (ST&E) plan and implement the plan under the witness of an independent party?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require system developers and integrators to develop and implement an ongoing Security Testing and Evaluation (ST&E) plan, or similar process, to objectively identify and remediate vulnerabilities prior to release to production.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Security Testing and Evaluation (ST&E)",
        "small": "∙ Security Testing and Evaluation (ST&E)",
        "medium": "∙ Security Testing and Evaluation (ST&E)",
        "large": "∙ Security Testing and Evaluation (ST&E)",
        "enterprise": "∙ Security Testing and Evaluation (ST&E)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.2"
        ],
        "general-cis-csc-8-1": [
          "16.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.2"
        ],
        "general-cobit-2019": [
          "DSS06.04"
        ],
        "general-coso-2013": [
          "17"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-07"
        ],
        "general-csa-iot-2": [
          "SET-06"
        ],
        "general-govramp": [
          "SA-11(02)"
        ],
        "general-govramp-mod": [
          "SA-11(02)"
        ],
        "general-govramp-high": [
          "SA-11(02)"
        ],
        "general-iec-62443-4-1-2018": [
          "DM-2",
          "DM-2(a)",
          "DM-2(b)",
          "DM-2(c)"
        ],
        "general-iso-42001-2023": [
          "10.2",
          "10.2(a)",
          "10.2(a)(1)",
          "10.2(a)(2)",
          "10.2(b)",
          "10.2(b)(1)",
          "10.2(b)(2)",
          "10.2(b)(3)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)"
        ],
        "general-nist-800-53-r4": [
          "SA-11(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-11(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-11(02)"
        ],
        "general-nist-800-82-r3": [
          "SA-11(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-11(02)"
        ],
        "general-pci-dss-4-0-1": [
          "6.2.1",
          "6.2.2",
          "6.2.3",
          "6.2.3.1",
          "6.2.4",
          "6.3.1",
          "6.4.1",
          "6.4.2",
          "11.4.1",
          "11.4.4",
          "12.4.2.1",
          "A1.2.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.2.1",
          "6.2.2",
          "6.2.4",
          "6.3.1",
          "6.4.1",
          "6.4.2",
          "11.4.1",
          "11.4.4"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.2.1",
          "6.2.2",
          "6.2.3.1",
          "6.2.4",
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.2.1",
          "6.2.2",
          "6.2.3",
          "6.2.3.1",
          "6.2.4",
          "6.3.1",
          "6.4.1",
          "6.4.2",
          "11.4.1",
          "11.4.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.2.1",
          "6.2.2",
          "6.2.3",
          "6.2.3.1",
          "6.2.4",
          "6.3.1",
          "6.4.1",
          "6.4.2",
          "11.4.1",
          "11.4.4",
          "12.4.2.1",
          "A1.2.3"
        ],
        "general-ul-2900-1-2017": [
          "12.2",
          "12.2(a)",
          "12.2(b)"
        ],
        "general-un-155-2021": [
          "7.2.2.3"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.3"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "2",
          "4.a"
        ],
        "usa-federal-eo-14028": [
          "4e(iii)",
          "4e(iv)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-11(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-11(02)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(68)",
          "3.6.2(69)",
          "3.6.2(70)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.4"
        ],
        "emea-deu-c5-2020": [
          "DEV-02"
        ],
        "emea-isr-cmo-1-0": [
          "17.13"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3-2",
          "1-5-3-4"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.7"
        ]
      }
    },
    {
      "control_id": "TDA-16",
      "title": "Developer-Provided Training",
      "family": "TDA",
      "description": "Mechanisms exist to require the developers of Technology Assets, Applications and/or Services (TAAS) to provide training on the correct use and operation of the Technology Asset, Application and/or Service (TAAS).",
      "scf_question": "Does the organization require the developers of Technology Assets, Applications and/or Services (TAAS) to provide training on the correct use and operation of the Technology Asset, Application and/or Service (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require the developers of Technology Assets, Applications and/or Services (TAAS) to provide training on the correct use and operation of the Technology Asset, Application and/or Service (TAAS).",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "large": "∙ Formal privacy engineering practices in development lifecycle",
        "enterprise": "∙ Enterprise privacy engineering program\n∙ Privacy-by-design in SDLC\n∙ Privacy design patterns"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.1"
        ],
        "general-govramp": [
          "SA-16"
        ],
        "general-govramp-high": [
          "SA-16"
        ],
        "general-mitre-att&ck-16-1": [
          "T1078.001",
          "T1078.003",
          "T1574.002"
        ],
        "general-nist-800-53-r4": [
          "SA-16"
        ],
        "general-nist-800-53-r5-2": [
          "SA-16"
        ],
        "general-nist-800-53-r5-2-high": [
          "SA-16"
        ],
        "general-nist-800-82-r3": [
          "SA-16"
        ],
        "general-nist-800-82-r3-high": [
          "SA-16"
        ],
        "general-nist-800-161-r1": [
          "SA-16"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-16"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-16"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-16"
        ],
        "apac-sgp-mas-trm-2021": [
          "6.1.5"
        ]
      }
    },
    {
      "control_id": "TDA-17",
      "title": "Unsupported Technology Assets, Applications and/or Services (TAAS)",
      "family": "TDA",
      "description": "Mechanisms exist to prevent unsupported Technology Assets, Applications and/or Services (TAAS) by:\n(1) Removing and/or replacing TAAS when support for the components is no longer available from the developer, vendor or manufacturer; and\n(2) Requiring justification and documented approval for the continued use of unsupported TAAS required to satisfy mission/business needs.",
      "scf_question": "Does the organization prevent unsupported Technology Assets, Applications and/or Services (TAAS) by:\n(1) Removing and/or replacing TAAS when support for the components is no longer available from the developer, vendor or manufacturer; and\n(2) Requiring justification and documented approval for the continued use of unsupported TAAS required to satisfy mission/business needs?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.\n▪ An application development team, or similar function, provides in-house support or contracts external providers for support with unsupported system components.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent unsupported Technology Assets, Applications and/or Services (TAAS) by:\n(1) Removing and/or replacing TAAS when support for the components is no longer available from the developer, vendor or manufacturer; and\n(2) Requiring justification and documented approval for the continued use of unsupported TAAS required to satisfy mission/business needs.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management\n∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management\n∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management\n∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management\n∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management\n∙ Computer Lifecycle Program (CLP)\n∙ IT Asset Management (ITAM) program\n∙ Risk Management Program (RMP)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "2.2"
        ],
        "general-cis-csc-8-1-ig1": [
          "2.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "2.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "2.2"
        ],
        "general-mitre-att&ck-16-1": [
          "T1189",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1543",
          "T1543.002"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.7"
        ],
        "general-nist-800-53-r4": [
          "SA-22"
        ],
        "general-nist-800-53-r5-2": [
          "SA-22"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-22"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-22"
        ],
        "general-nist-800-82-r3": [
          "SA-22"
        ],
        "general-nist-800-82-r3-low": [
          "SA-22"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-22"
        ],
        "general-nist-800-82-r3-high": [
          "SA-22"
        ],
        "general-nist-800-161-r1": [
          "SA-22"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-22"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-22"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-22"
        ],
        "general-nist-800-171-r3": [
          "03.16.02.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.02.a"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-02",
          "PR.PS-03"
        ],
        "general-owasp-top-10-2025": [
          "A06:2025"
        ],
        "general-scf-dpmp-2025": [
          "7.5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-22"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THIRD-PARTIES-2i"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-22"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-22"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-22"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-22"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-22"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-22",
          "SA-22.a",
          "SA-22.b"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-22"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-22"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-22"
        ],
        "emea-isr-cmo-1-0": [
          "12.23"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P1",
          "ML1-P2",
          "ML2-P1",
          "ML2-P2",
          "ML3-P1",
          "ML3-P2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0304",
          "ISM-1501",
          "ISM-1704",
          "ISM-1753"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP43",
          "HML43"
        ],
        "apac-nzl-ism-3-9": [
          "12.4.7.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.3.1",
          "7.3.2",
          "7.3.3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.6",
          "4.9"
        ],
        "americas-can-osfi-b13-2022": [
          "2.2.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.02.A"
        ]
      }
    },
    {
      "control_id": "TDA-17.1",
      "title": "Alternate Sources for Continued Support",
      "family": "TDA",
      "description": "Mechanisms exist to provide in-house support or contract external providers for support with unsupported Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization provide in-house support or contract external providers for support with unsupported Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide in-house support or contract external providers for support with unsupported Technology Assets, Applications and/or Services (TAAS).",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities but is continuously improved through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR5.3.2"
        ],
        "general-nist-800-53-r4": [
          "SA-22(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-22"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-22"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-22"
        ],
        "general-nist-800-82-r3": [
          "SA-22"
        ],
        "general-nist-800-82-r3-low": [
          "SA-22"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-22"
        ],
        "general-nist-800-82-r3-high": [
          "SA-22"
        ],
        "general-nist-800-161-r1": [
          "SA-22"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-22"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-22"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-22"
        ],
        "general-nist-800-171-r3": [
          "03.16.02.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.02.b"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-22"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THIRD-PARTIES-2i"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-22"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-22"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-22"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-22"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-22"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-22"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-22"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-22"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-22"
        ],
        "emea-eu-dora-2023": [
          "Article 28.8 (end)"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.4.3 [OP.EXT.3]"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.02.B"
        ]
      }
    },
    {
      "control_id": "TDA-18",
      "title": "Input Data Validation",
      "family": "TDA",
      "description": "Mechanisms exist to check the validity of information inputs.",
      "scf_question": "Does the organization check the validity of information inputs?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to check the validity of information inputs.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "enterprise": "∙ Enterprise formal methods or model-based design for highest-assurance systems"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "PI1.2-POF1",
          "PI1.2-POF2",
          "PI1.2-POF3"
        ],
        "general-govramp": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-govramp-core": [
          "AC-02",
          "SI-03",
          "SI-04",
          "SI-07"
        ],
        "general-govramp-low": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05"
        ],
        "general-govramp-low-plus": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-govramp-mod": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-govramp-high": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.5"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.5"
        ],
        "general-mitre-att&ck-16-1": [
          "T1021.002",
          "T1021.005",
          "T1027.010",
          "T1036",
          "T1036.005",
          "T1036.008",
          "T1048",
          "T1048.001",
          "T1048.002",
          "T1048.003",
          "T1059",
          "T1059.001",
          "T1059.002",
          "T1059.003",
          "T1059.004",
          "T1059.005",
          "T1059.006",
          "T1059.007",
          "T1059.008",
          "T1071.004",
          "T1080",
          "T1090",
          "T1090.003",
          "T1095",
          "T1127",
          "T1127.002",
          "T1129",
          "T1176",
          "T1187",
          "T1190",
          "T1197",
          "T1204",
          "T1204.002",
          "T1216",
          "T1216.001",
          "T1218",
          "T1218.001",
          "T1218.002",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.008",
          "T1218.009",
          "T1218.010",
          "T1218.011",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1218.015",
          "T1219",
          "T1220",
          "T1221",
          "T1498",
          "T1498.001",
          "T1498.002",
          "T1499",
          "T1499.001",
          "T1499.002",
          "T1499.003",
          "T1499.004",
          "T1530",
          "T1537",
          "T1546.002",
          "T1546.006",
          "T1546.008",
          "T1546.009",
          "T1546.010",
          "T1547.004",
          "T1547.006",
          "T1548.006",
          "T1552",
          "T1552.005",
          "T1553",
          "T1553.001",
          "T1553.003",
          "T1553.005",
          "T1557",
          "T1557.001",
          "T1557.002",
          "T1557.003",
          "T1564.003",
          "T1564.006",
          "T1564.009",
          "T1570",
          "T1572",
          "T1574",
          "T1574.001",
          "T1574.006",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.012",
          "T1574.013",
          "T1574.014",
          "T1599",
          "T1599.001",
          "T1602",
          "T1602.001",
          "T1602.002",
          "T1609",
          "T1622"
        ],
        "general-nist-800-53-r4": [
          "SI-10"
        ],
        "general-nist-800-53-r5-2": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05"
        ],
        "general-nist-800-53-r5-2-mod": [
          "AC-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-82-r3": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-82-r3-low": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-82-r3-high": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-07"
        ],
        "general-nist-800-161-r1": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-2",
          "AC-3",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-nist-800-161-r1-level-1": [
          "SI-4",
          "SI-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7"
        ],
        "general-owasp-top-10-2025": [
          "A08:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7",
          "SI-10"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10(h)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7",
          "SI-10"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-2",
          "AC-3",
          "AC-5",
          "SI-3",
          "SI-4",
          "SI-5",
          "SI-7",
          "SI-10"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-02",
          "AC-03",
          "AC-05",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-10"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-02",
          "AC-03",
          "SI-03",
          "SI-04",
          "SI-05",
          "SI-07",
          "SI-10"
        ],
        "emea-isr-cmo-1-0": [
          "17.22"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-60"
        ],
        "apac-jpn-ismap": [
          "14.2.5.9"
        ]
      }
    },
    {
      "control_id": "TDA-19",
      "title": "Error Handling",
      "family": "TDA",
      "description": "Mechanisms exist to handle error conditions by:\n(1) Identifying potentially security-relevant error conditions;\n(2) Generating error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages that could be exploited; and\n(3) Revealing error messages only to authorized personnel.",
      "scf_question": "Does the organization handle error conditions by:\n(1) Identifying potentially security-relevant error conditions;\n(2) Generating error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages that could be exploited; and\n(3) Revealing error messages only to authorized personnel?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to handle error conditions by: \n(1) Identifying potentially security-relevant error conditions;\n(2) Generating error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages that could be exploited; and\n(3) Revealing error messages only to authorized personnel.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise reverse engineering controls for high-assurance systems\n∙ Code obfuscation"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-govramp": [
          "SI-11"
        ],
        "general-govramp-low-plus": [
          "SI-11"
        ],
        "general-govramp-mod": [
          "SI-11"
        ],
        "general-govramp-high": [
          "SI-11"
        ],
        "general-iec-62443-3-3-2013": [
          "SR 3.7"
        ],
        "general-iec-62443-4-2-2019": [
          "CR 3.7"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-8.0"
        ],
        "general-nist-800-53-r4": [
          "SI-11"
        ],
        "general-nist-800-53-r5-2": [
          "SI-11"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-11"
        ],
        "general-nist-800-82-r3": [
          "SI-11"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-11"
        ],
        "general-nist-800-82-r3-high": [
          "SI-11"
        ],
        "general-owasp-top-10-2025": [
          "A08:2025",
          "A10:2025"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-11"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-11"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-11"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-11"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-11",
          "SI-11.a",
          "SI-11.b"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-11"
        ],
        "emea-deu-c5-2020": [
          "PSS-04"
        ],
        "emea-isr-cmo-1-0": [
          "17.23"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-61"
        ]
      }
    },
    {
      "control_id": "TDA-20",
      "title": "Access to Program Source Code",
      "family": "TDA",
      "description": "Mechanisms exist to limit privileges to change software resident within software libraries.",
      "scf_question": "Does the organization limit privileges to change software resident within software libraries?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.\n▪ An application development team, or similar function, uses a Source Code Manager (SCM) solution to govern modifying, copying, deleting, moving and renaming items in the software library.\n▪ SCM supports integrity checking on the source code repository.\n▪ SCM uses Role-Based Access Controls (RBAC) to limit the logical access and permissions for users in the software library.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to limit privileges to change software resident within software libraries.",
        "4": "Technology Development & Acquisition (TDA) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "large": "∙ Enterprise managed development interfaces\n∙ API governance for development tools",
        "enterprise": "∙ Enterprise development interface management platform\n∙ API gateway for development tools\n∙ Automated interface governance"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-govramp": [
          "SA-04(02)"
        ],
        "general-govramp-high": [
          "SA-04(02)"
        ],
        "general-iso-27002-2022": [
          "8.4",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "9.4.5",
          "14.2.4"
        ],
        "general-iso-27018-2025": [
          "8.4",
          "8.30"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.15"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-04(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SA-04(02)"
        ],
        "general-nist-800-82-r3": [
          "SA-04(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-04(02)"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04(02)"
        ],
        "general-nist-800-218": [
          "PS.1.1"
        ],
        "general-ul-2900-1-2017": [
          "4.1(d)"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "2",
          "3"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-4(2)"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.3.1"
        ],
        "usa-federal-eo-14028": [
          "4e(iii)",
          "4e(vi)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-04(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-4(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-4(2)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-04 (02)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(73)"
        ],
        "emea-deu-bsrit-2017": [
          "7.9"
        ],
        "emea-deu-c5-2020": [
          "DEV-07"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1422"
        ],
        "apac-jpn-ismap": [
          "9.4.5",
          "9.4.5.1",
          "9.4.5.2",
          "9.4.5.3",
          "9.4.5.4",
          "9.4.5.5",
          "9.4.5.6",
          "9.4.5.7",
          "9.4.5.8",
          "9.4.5.9",
          "14.2.1.5"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP42",
          "HML42"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP37"
        ]
      }
    },
    {
      "control_id": "TDA-20.1",
      "title": "Software Release Integrity Verification",
      "family": "TDA",
      "description": "Mechanisms exist to publish integrity verification information for software releases.",
      "scf_question": "Does the organization publish integrity verification information for software releases?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to publish integrity verification information for software releases.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "large": "∙ Enterprise developer access management\n∙ Approved development interface policies",
        "enterprise": "∙ Enterprise developer platform with access governance (e.g., GitHub Enterprise)\n∙ Role-based developer access"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "TS-1.15"
        ],
        "general-nist-800-218": [
          "PS.2",
          "PS.2.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "3"
        ],
        "usa-federal-eo-14028": [
          "4e(vi)"
        ],
        "apac-jpn-ismap": [
          "14.2.1.6"
        ]
      }
    },
    {
      "control_id": "TDA-20.2",
      "title": "Archiving Software Releases",
      "family": "TDA",
      "description": "Mechanisms exist to archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information.",
      "scf_question": "Does the organization archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "large": "∙ Enterprise secure software portal for internal developers",
        "enterprise": "∙ Enterprise developer portal with security controls\n∙ Automated policy enforcement for developer tools"
      },
      "risks": [
        "R-AM-3",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-11",
        "NT-12",
        "NT-13",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "TS-1.15"
        ],
        "general-nist-800-218": [
          "PS.3",
          "PS.3.1"
        ]
      }
    },
    {
      "control_id": "TDA-20.3",
      "title": "Software Escrow",
      "family": "TDA",
      "description": "Mechanisms exist to escrow source code and supporting documentation to ensure software availability in the event the software provider goes out of business or is unable to provide support.",
      "scf_question": "Does the organization escrow source code and supporting documentation to ensure software availability in the event the software provider goes out of business or is unable to provide support?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to escrow source code and supporting documentation to ensure software availability in the event the software provider goes out of business or is unable to provide support.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Source code escrow",
        "small": "∙ Source code escrow",
        "medium": "∙ Source code escrow",
        "large": "∙ Source code escrow",
        "enterprise": "∙ Source code escrow"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-GV-1",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-800-218": [
          "PS.3.1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "3"
        ],
        "usa-federal-eo-14028": [
          "4e(vi)"
        ],
        "emea-sau-cscc-1-2019": [
          "1-3-2-2"
        ],
        "apac-jpn-ismap": [
          "14.2.7.8"
        ],
        "apac-sgp-mas-trm-2021": [
          "5.3.4"
        ]
      }
    },
    {
      "control_id": "TDA-20.4",
      "title": "Approved Code",
      "family": "TDA",
      "description": "Mechanisms exist to govern the approval of binaries and code for production use.",
      "scf_question": "Does the organization govern the approval of binaries and code for production use?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to govern the approval of binaries and code for production use.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise development interface security program\n∙ Formal access governance for all development interfaces"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-iec-62443-4-1-2018": [
          "SM-8"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.15"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.3.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ]
      }
    },
    {
      "control_id": "TDA-21",
      "title": "Product Conformity Governance",
      "family": "TDA",
      "description": "Mechanisms exist to ensure developed Technology Assets, Applications and/or Services (TAAS) conform to applicable statutory and regulatory requirements, based on the product's and/or service's:\n(1) Use case(s); and\n(2) Geographic markets.",
      "scf_question": "Does the organization ensure developed Technology Assets, Applications and/or Services (TAAS) conform to applicable statutory and regulatory requirements, based on the product's and/or service's:\n(1) Use case(s); and\n(2) Geographic markets?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure developed Technology Assets, Applications and/or Services (TAAS) conform to applicable statutory and regulatory requirements, based on the product's and/or service's:\n(1) Use case(s); and\n(2) Geographic markets.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "large": "∙ Formal software release management process with security review",
        "enterprise": "∙ Enterprise software release management platform with security gates (e.g., JFrog Artifactory)\n∙ Release approval workflows"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "GV-3.2-003",
          "MS-1.1-008"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 8.1",
          "Article 8.2",
          "Article 10.1",
          "Article 23.1(c)",
          "Article 23.2",
          "Article 23.3",
          "Article 23.4",
          "Article 23.5",
          "Article 23.6",
          "Article 23.7",
          "Article 24.1",
          "Article 24.2",
          "Article 24.3",
          "Article 24.4",
          "Article 25.1",
          "Article 25.1(a)",
          "Article 25.1(b)",
          "Article 25.1(c)",
          "Article 25.2",
          "Article 25.4",
          "Article 48.1",
          "Article 48.2",
          "Article 48.3",
          "Article 48.4",
          "Article 48.5",
          "Article 53.1(b)(ii)",
          "Article 53.1(c)",
          "Article 111.3"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 10.12"
        ]
      }
    },
    {
      "control_id": "TDA-22",
      "title": "Technical Documentation Artifacts",
      "family": "TDA",
      "description": "Mechanisms exist to generate appropriate technical documentation artifacts for Technology Assets, Applications and/or Services (TAAS) in sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual compliance requirements.",
      "scf_question": "Does the organization generate appropriate technical documentation artifacts for Technology Assets, Applications and/or Services (TAAS) in sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual compliance requirements?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to generate appropriate technical documentation artifacts for Technology Assets, Applications and/or Services (TAAS) in sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual compliance requirements.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "large": "∙ Formal hardware/firmware security review in acquisition",
        "enterprise": "∙ Enterprise hardware security program\n∙ Firmware security analysis\n∙ Hardware supply chain security"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-nist-600-1-gen-ai-profile": [
          "MP-4.1-003",
          "MP-4.1-010",
          "MS-2.9-001"
        ],
        "general-scf-dpmp-2025": [
          "7.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(14)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 11.1",
          "Article 11.2",
          "Article 17.1(k)",
          "Article 23.1(b)",
          "Article 53.1(a)"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 10.7",
          "Article 13.2(b)",
          "Article 23.1",
          "Article 23.2",
          "Article 23.3",
          "Article 23.4"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 5",
          "Annex 5.1",
          "Annex 5.1(a)",
          "Annex 5.1(b)",
          "Annex 5.1(c)",
          "Annex 5.1(d)",
          "Annex 5.2",
          "Annex 5.2(a)",
          "Annex 5.2(b)",
          "Annex 5.2(c)",
          "Annex 5.3",
          "Annex 5.4",
          "Annex 5.5",
          "Annex 5.6",
          "Annex 5.7",
          "Annex 6 Module A.2"
        ]
      }
    },
    {
      "control_id": "TDA-22.1",
      "title": "Product-Specific Risk Assessment Artifacts",
      "family": "TDA",
      "description": "Mechanisms exist to include a detailed cybersecurity risk assessment in the technical documentation for Technology Assets, Applications and/or Services (TAAS) to demonstrate applicable risks in approved use cases.",
      "scf_question": "Does the organization include a detailed cybersecurity risk assessment in the technical documentation for Technology Assets, Applications and/or Services (TAAS) to demonstrate applicable risks in approved use cases?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Technology Development & Acquisition (TDA) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TDA domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Technology development & acquisition-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).",
        "2": "Technology Development & Acquisition (TDA) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Technology development and acquisition-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Technology development and acquisition management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Secure development practices mostly conform to industry-recognized standards for secure engineering of Technology Assets, Applications and/or Services (TAAS) (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).\n▪ An application development team, or similar function, uses a structured process to design, build and maintain secure configurations for test, development, staging and production environments.",
        "3": "Technology Development & Acquisition (TDA) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TDA domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TDA domain capabilities are well-documented and kept current by process owners.\n▪ A software development team, or similar function, is appropriately staffed and supported to implement and maintain TDA domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of technology development and acquisition management (e.g., project management software, software escrow solution, software testing tools, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TDA domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include a detailed cybersecurity risk assessment in the technical documentation for Technology Assets, Applications and/or Services (TAAS) to demonstrate applicable risks in approved use cases.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "enterprise": "∙ Enterprise hardware security program\n∙ Anti-tamper controls\n∙ Firmware integrity verification"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Technology Development & Acquisition",
      "crosswalks": {
        "general-shared-assessments-sig-2025": [
          "C.4"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 10.3"
        ]
      }
    },
    {
      "control_id": "TPM-01",
      "title": "Third-Party Management",
      "family": "TPM",
      "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
      "scf_question": "Does the organization facilitate the implementation of third-party management controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-03",
        "E-TPM-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Third-Party Management (TPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Third-party management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No centralized inventory of External Service Providers (ESP) is maintained.\n▪ ESP are not formally managed according to criticality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of third-party management controls.",
        "4": "In addition to Third-Party Management (TPM) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Product / project management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF5",
          "CC1.4-POF2",
          "CC1.4-POF3",
          "CC2.3-POF9",
          "CC2.3-POF10",
          "CC2.3-POF12",
          "CC3.3",
          "CC3.4-POF5",
          "CC9.1",
          "CC9.2",
          "CC9.2-POF1",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF4",
          "CC9.2-POF5",
          "CC9.2-POF6",
          "CC9.2-POF7",
          "CC9.2-POF8",
          "CC9.2-POF9",
          "CC9.2-POF10",
          "CC9.2-POF11",
          "CC9.2-POF12"
        ],
        "general-cis-csc-8-1": [
          "15.0",
          "15.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "15.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.2"
        ],
        "general-cobit-2019": [
          "APO10.01",
          "APO10.02",
          "APO10.03",
          "APO10.04",
          "APO10.05",
          "DSS01.02"
        ],
        "general-coso-2013": [
          "8"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-11",
          "SEF-02",
          "STA-01"
        ],
        "general-csa-iot-2": [
          "POL-01",
          "POL-02"
        ],
        "general-govramp": [
          "SA-04"
        ],
        "general-govramp-mod": [
          "SA-04"
        ],
        "general-govramp-high": [
          "SA-04"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 1.6"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.8"
        ],
        "general-iso-27002-2022": [
          "5.19",
          "5.2",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "4.2",
          "4.3",
          "15.1.1"
        ],
        "general-iso-27018-2025": [
          "5.19",
          "5.20",
          "8.30"
        ],
        "general-iso-27701-2025": [
          "6.1.3(h)"
        ],
        "general-iso-31000-2018": [
          "5.5"
        ],
        "general-iso-42001-2023": [
          "A.10",
          "A.10.2",
          "A.10.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.4",
          "PS-3.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.F(1)"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 3.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-009",
          "GV-6.2-007"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P4"
        ],
        "general-nist-800-53-r4": [
          "SA-4"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-04",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-04",
          "SR-01"
        ],
        "general-nist-800-66-r2": [
          "164.308(b)(1)",
          "164.312(d)"
        ],
        "general-nist-800-82-r3": [
          "SA-04",
          "SR-01"
        ],
        "general-nist-800-82-r3-low": [
          "SA-04",
          "SR-01"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-04",
          "SR-01"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04",
          "SR-01"
        ],
        "general-nist-800-161-r1": [
          "SA-4",
          "SR-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-4",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-4",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-4",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-4",
          "SR-1"
        ],
        "general-nist-800-171-r2": [
          "3.1.1",
          "NFO - SA-4"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.a",
          "03.01.20.b",
          "03.01.20.c.01",
          "03.07.06.a",
          "03.16.01",
          "03.16.03.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.17.03.ODP[01]"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-04",
          "GV.SC-06",
          "GV.SC-07",
          "GV.SC-08",
          "GV.SC-10",
          "ID.AM"
        ],
        "general-owasp-top-10-2025": [
          "A02:2025",
          "A03:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.3",
          "12.8",
          "12.8.1",
          "12.9",
          "12.9.1",
          "12.9.2",
          "A2.1.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.3",
          "12.8.1",
          "12.9.1",
          "12.9.2",
          "A2.1.3"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.1"
        ],
        "general-scf-dpmp-2025": [
          "10.0",
          "11.0"
        ],
        "general-sparta": [
          "CM0025"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-tisax-6-0-3": [
          "1.3.3"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EXD:GG1.GP1",
          "EXD:GG2",
          "EXD:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.G",
          "1.H"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-4",
          "SR-1"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.I"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)(2)(ii)(D)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(i)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)",
          "609.930(c)(5)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-04",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-04",
          "SR-01"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(5)(i)",
          "248.30(a)(5)(i)(A)",
          "248.201(e)(4)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(a)",
          "314.4(a)(1)",
          "314.4(a)(2)",
          "314.4(a)(3)",
          "314.4(f)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(b)(1)",
          "164.312(d)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(b)(1)",
          "164.312(d)"
        ],
        "usa-federal-irs-1075-2021": [
          "1.9.3",
          "SA-4",
          "SR-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-4"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7024(l)",
          "7052(a)",
          "7123(c)(15)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(f)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(l)",
          "500.4(a)(1)",
          "500.4(a)(2)",
          "500.4(a)(3)",
          "500.11(a)",
          "500.11(a)(1)",
          "500.11(b)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-04",
          "SR-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-04"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(6)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.3(7)",
          "3.6.2(74)"
        ],
        "emea-eu-dora-2023": [
          "Article 30.3 (end)",
          "Article 31.12"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "9.1"
        ],
        "emea-deu-c5-2020": [
          "SSO-01",
          "SSO-03"
        ],
        "emea-isr-cmo-1-0": [
          "11.3",
          "11.10",
          "16.1",
          "17.3"
        ],
        "emea-sau-cscc-1-2019": [
          "4-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3-3",
          "4-1-1",
          "4-1-2",
          "4-1-3",
          "4-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "4-1",
          "4-1-1",
          "4-1-1-1",
          "4-1-1-2",
          "4-1-1-3",
          "4-1-1-4",
          "4-1-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.4.1",
          "3.4.2"
        ],
        "emea-zaf-popia-2013": [
          "20",
          "21"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.4.1 [OP.EXT.1]"
        ],
        "emea-gbr-caf-4-0": [
          "A4"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1400"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1073",
          "ISM-1785"
        ],
        "apac-aus-ps-cps-230-2023": [
          "15",
          "47",
          "48(a)",
          "48(b)",
          "48(c)",
          "57"
        ],
        "apac-aus-ps-cps-234-2019": [
          "16",
          "20",
          "22",
          "28"
        ],
        "apac-chn-pipl-2021": [
          "20",
          "21",
          "38(3)",
          "42",
          "51",
          "51(1)",
          "51(2)",
          "51(3)",
          "51(4)",
          "51(5)",
          "51(6)"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S3",
          "GV.SC.S1",
          "PR.IP.S15"
        ],
        "apac-jpn-ppi-2020": [
          "22",
          "23(1)(i)",
          "23(1)(ii)",
          "23(1)(iii)",
          "23(1)(iv)",
          "23(2)",
          "23(2)(i)",
          "23(2)(ii)",
          "23(2)(iii)",
          "23(2)(iv)",
          "23(2)(v)",
          "23(2)(vi)",
          "23(2)(vii)",
          "23(2)(viii)",
          "23(3)",
          "23(4)",
          "23(5)(i)",
          "23(5)(ii)",
          "23(5)(iii)",
          "23(6)",
          "23(1)",
          "24(3)"
        ],
        "apac-jpn-ismap": [
          "4.5.3.1",
          "5.1.1.20",
          "5.1.1.31.P",
          "15",
          "15.1",
          "15.1.1",
          "15.1.1.1",
          "15.1.1.2",
          "15.1.1.3",
          "15.1.1.4",
          "15.1.1.5",
          "15.1.1.6",
          "15.1.1.7",
          "15.1.1.8",
          "15.1.1.9",
          "15.1.1.10",
          "15.1.1.11",
          "15.1.1.12",
          "15.1.1.13",
          "15.1.1.14.B"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP25",
          "HML25"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP67"
        ],
        "apac-nzl-ism-3-9": [
          "2.2.6.C.01",
          "2.2.6.C.02",
          "23.2.19.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.4.1",
          "3.4.2",
          "3.4.3",
          "9.1.8"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.10"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.3",
          "4.25"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.A",
          "03.01.20.B",
          "03.01.20.C.01",
          "03.07.06.A",
          "03.16.01",
          "03.16.03.A"
        ]
      }
    },
    {
      "control_id": "TPM-01.1",
      "title": "Third-Party Inventories",
      "family": "TPM",
      "description": "Mechanisms exist to maintain a current, accurate and complete list of External Service Providers (ESPs) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
      "scf_question": "Does the organization maintain a current, accurate and complete list of External Service Providers (ESPs) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of its Technology Assets, Applications, Services and/or Data (TAASD)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-06",
        "E-DCH-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ A procurement function maintains a list of all active External Service Providers (ESPs), including pertinent contract information that will assist in a risk assessment.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain a current, accurate and complete list of External Service Providers (ESPs) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's TAASD.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF6"
        ],
        "general-cis-csc-8-1": [
          "15.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "15.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "15.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.1"
        ],
        "general-csa-cmm-4-1-0": [
          "STA-08"
        ],
        "general-cr-cmm-2026": [
          "CR5.3.2"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.8"
        ],
        "general-iso-27002-2022": [
          "5.19"
        ],
        "general-iso-27018-2025": [
          "5.19"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-007"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P1"
        ],
        "general-nist-800-161-r1": [
          "SR-13"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-13"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-13"
        ],
        "general-nist-800-171-r3": [
          "03.07.06.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 1"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-04",
          "GV.SC-07",
          "GV.SC-08",
          "ID.AM",
          "ID.AM-01",
          "ID.AM-02",
          "ID.AM-04",
          "ID.RA-10"
        ],
        "general-pci-dss-4-0-1": [
          "12.8",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.1"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EXD:SG1",
          "EXD:SG1.SP1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.A",
          "1.G",
          "1.H"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THIRD-PARTIES-1b",
          "THIRD-PARTIES-1d"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7024(l)",
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.11(a)(1)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-578.C.5"
        ],
        "emea-eu-dora-2023": [
          "Article 28.1",
          "Article 28.1(a)",
          "Article 28.1(b)",
          "Article 28.1(b)(i)",
          "Article 28.1(b)(ii)",
          "Article 28.2",
          "Article 28.3",
          "Article 28.4(a)",
          "Article 28.4(b)",
          "Article 28.4(c)",
          "Article 28.4(d)",
          "Article 28.4(e)",
          "Article 28.5",
          "Article 28.6",
          "Article 28.7(a)",
          "Article 28.7(b)",
          "Article 28.7(c)",
          "Article 28.7(d)",
          "Article 28.8",
          "Article 28.8(a)",
          "Article 28.8(b)",
          "Article 28.8(c)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.2",
          "5.2(a)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1631",
          "ISM-1637",
          "ISM-1638",
          "ISM-1736",
          "ISM-1737",
          "ISM-1786"
        ],
        "apac-aus-ps-cps-230-2023": [
          "49"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S3",
          "GV.SC.S1",
          "GV.SC.S2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.06.A"
        ]
      }
    },
    {
      "control_id": "TPM-02",
      "title": "Third-Party Criticality Assessments",
      "family": "TPM",
      "description": "Mechanisms exist to identify, prioritize and assess suppliers and partners of critical Technology Assets, Applications and/or Services (TAAS) using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.",
      "scf_question": "Does the organization identify, prioritize and assess suppliers and partners of critical Technology Assets, Applications and/or Services (TAAS) using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify, prioritize and assess suppliers and partners of critical Technology Assets, Applications and/or Services (TAAS) using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF8",
          "CC3.2-POF9",
          "CC9.1"
        ],
        "general-cis-csc-8-1": [
          "15.3"
        ],
        "general-cis-csc-8-1-ig2": [
          "15.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.3"
        ],
        "general-cobit-2019": [
          "APO10.04"
        ],
        "general-cr-cmm-2026": [
          "CR1.1.4"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.8"
        ],
        "general-iso-27002-2022": [
          "5.19"
        ],
        "general-iso-27018-2025": [
          "5.19"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.BE-P3"
        ],
        "general-nist-800-53-r4": [
          "SA-14"
        ],
        "general-nist-800-53-r5-2": [
          "PM-30(01)",
          "RA-09",
          "SA-09(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-30(01)",
          "RA-09"
        ],
        "general-nist-800-53-r5-2-mod": [
          "RA-09"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(7)"
        ],
        "general-nist-800-82-r3": [
          "PM-30(01)",
          "RA-09",
          "SA-09(03)"
        ],
        "general-nist-800-82-r3-low": [
          "PM-30(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-30(01)",
          "RA-09"
        ],
        "general-nist-800-82-r3-high": [
          "PM-30(01)",
          "RA-09"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PM-30(01)",
          "RA-09"
        ],
        "general-nist-800-161-r1": [
          "RA-9",
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "RA-9"
        ],
        "general-nist-800-161-r1-level-1": [
          "RA-9",
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-9",
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-9",
          "SA-9(3)"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a",
          "03.17.03.a"
        ],
        "general-nist-csf-2-0": [
          "GV.OC-04",
          "GV.OC-05",
          "GV.SC-04",
          "GV.SC-06",
          "GV.SC-07",
          "GV.SC-08",
          "ID.AM-05",
          "ID.RA-10"
        ],
        "general-scf-dpmp-2025": [
          "11.7"
        ],
        "general-sparta": [
          "CM0022"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EXD:SG1.SP2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.G"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-9"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THIRD-PARTIES-1c",
          "THIRD-PARTIES-1d",
          "THIRD-PARTIES-1e",
          "THIRD-PARTIES-1f"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(5)(i)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-30(01)",
          "RA-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-30(01)",
          "RA-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-30(01)",
          "RA-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-30(01)",
          "RA-09"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(f)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(7)(ii)(E)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(7)(ii)(E)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-3)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.11(a)(1)",
          "500.11(a)(4)"
        ],
        "emea-eu-dora-2023": [
          "Article 8.4"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-deu-c5-2020": [
          "SSO-02",
          "SSO-03"
        ],
        "emea-isr-cmo-1-0": [
          "16.1",
          "16.6"
        ],
        "emea-sau-cscc-1-2019": [
          "4-1-1-1"
        ],
        "emea-sau-otcc-1-2022": [
          "4-1-1-2"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1452"
        ],
        "apac-aus-ps-cps-230-2023": [
          "50(a)",
          "50(b)",
          "50(c)",
          "50(d)",
          "52"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21(b)"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S3",
          "GV.SC.S1",
          "GV.SC.S2"
        ],
        "apac-nzl-ism-3-9": [
          "12.7.17.C.01"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.3",
          "4.27"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A",
          "03.17.03.A"
        ]
      }
    },
    {
      "control_id": "TPM-03",
      "title": "Supply Chain Risk Management (SCRM)",
      "family": "TPM",
      "description": "Mechanisms exist to:\n(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and\n(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary.",
      "scf_question": "Does the organization:\n(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and\n(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to:\n(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and\n(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF5",
          "CC3.2-POF7",
          "CC9.1",
          "CC9.2-POF1",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF4",
          "CC9.2-POF7",
          "CC9.2-POF8",
          "CC9.2-POF9",
          "CC9.2-POF10",
          "CC9.2-POF12"
        ],
        "general-cobit-2019": [
          "APO10.04"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-11"
        ],
        "general-csa-iot-2": [
          "POL-02"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.3.8"
        ],
        "general-iso-27002-2022": [
          "5.19",
          "5.21",
          "5.22",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "15.1.3"
        ],
        "general-iso-27018-2025": [
          "5.19",
          "5.21",
          "5.22",
          "8.30"
        ],
        "general-iso-42001-2023": [
          "A.10",
          "A.10.2",
          "A.10.3"
        ],
        "general-nist-800-53-r4": [
          "SA-12"
        ],
        "general-nist-800-53-r5-2": [
          "SA-09(03)",
          "SR-02",
          "SR-02(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SR-02"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-02",
          "SR-02(01)"
        ],
        "general-nist-800-82-r3": [
          "SA-09(03)",
          "SR-02",
          "SR-02(01)"
        ],
        "general-nist-800-82-r3-low": [
          "SR-02",
          "SR-02(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-02",
          "SR-02(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SR-02",
          "SR-02(01)"
        ],
        "general-nist-800-161-r1": [
          "SA-9(3)",
          "SR-2"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-2"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-9(3)",
          "SR-2"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a",
          "03.17.01.a",
          "03.17.03.a",
          "03.17.03.b"
        ],
        "general-nist-csf-2-0": [
          "GV.SC",
          "GV.SC-06",
          "GV.SC-07"
        ],
        "general-owasp-top-10-2025": [
          "A02:2025",
          "A03:2025",
          "A05:2025"
        ],
        "general-scf-dpmp-2025": [
          "10.1"
        ],
        "general-sparta": [
          "CM0026",
          "CM0027"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EXD:SG2",
          "EXD:SG2.SP1",
          "EXD:SG2.SP2",
          "EXD:SG3",
          "EXD:SG3.SP1",
          "EXD:SG3.SP2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.H",
          "1.I"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SR-2",
          "SR-2(1)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-02",
          "SR-02(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-02",
          "SR-02(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-02",
          "SR-02(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-02",
          "SR-02(01)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(f)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-3)",
          "SR-2",
          "SR-2(CE-1)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-013-2 1.2.5",
          "CIP-013-2 1.2.6"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SR-02"
        ],
        "emea-eu-cyber-resilience-act-2022": [
          "Article 10.4"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(74)"
        ],
        "emea-eu-dora-2023": [
          "Article 30.3(f)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(d)",
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.1.6"
        ],
        "emea-deu-c5-2020": [
          "SSO-02",
          "SSO-03"
        ],
        "emea-isr-cmo-1-0": [
          "11.3",
          "16.1",
          "16.3",
          "16.5",
          "17.3",
          "17.11"
        ],
        "emea-pol-act-29-1997": [
          "31"
        ],
        "emea-sau-cscc-1-2019": [
          "4-1-1-1",
          "4-1-1-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.4.2"
        ],
        "emea-zaf-popia-2013": [
          "20"
        ],
        "emea-esp-decree-1720-2007": [
          "20",
          "21"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.4.1 [OP.EXT.1]",
          "7.4.3 [OP.EXT.3]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1400"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1400"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0731",
          "ISM-1452",
          "ISM-1632",
          "ISM-1789"
        ],
        "apac-aus-ps-cps-234-2019": [
          "22",
          "28"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S3",
          "GV.SC.S1"
        ],
        "apac-nzl-ism-3-9": [
          "12.7.14.C.01",
          "12.7.14.C.02",
          "12.7.14.C.03",
          "12.7.15.C.01",
          "12.7.15.C.02",
          "12.7.16.C.01",
          "12.7.16.C.02",
          "12.7.16.C.03",
          "12.7.17.C.01",
          "12.7.18.C.01",
          "12.7.18.C.02",
          "12.7.19.C.01",
          "12.7.19.C.02",
          "12.7.20.C.01",
          "12.7.20.C.02",
          "12.7.20.C.03",
          "12.7.20.C.04",
          "12.7.20.C.05",
          "12.7.21.C.01"
        ],
        "apac-phl-dpa-2012": [
          "25",
          "43"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.4.1",
          "3.4.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.3",
          "4.25"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A",
          "03.17.01.A",
          "03.17.03.A",
          "03.17.03.B"
        ],
        "americas-mex-fdpa-2010": [
          "21"
        ]
      }
    },
    {
      "control_id": "TPM-03.1",
      "title": "Acquisition Strategies, Tools & Methods",
      "family": "TPM",
      "description": "Mechanisms exist to utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique Technology Assets, Applications and/or Services (TAAS).",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.3",
          "CC9.1"
        ],
        "general-cobit-2019": [
          "BAI03.04"
        ],
        "general-coso-2013": [
          "8"
        ],
        "general-iso-27002-2022": [
          "5.21",
          "5.22"
        ],
        "general-iso-27018-2025": [
          "5.21",
          "5.22"
        ],
        "general-mitre-att&ck-16-1": [
          "T1059.002",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1195.003",
          "T1204.003",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.004",
          "T1546.006",
          "T1554",
          "T1601",
          "T1601.001",
          "T1601.002"
        ],
        "general-nist-800-53-r4": [
          "SA-12(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SR-03(01)",
          "SR-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SR-03(01)"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-05"
        ],
        "general-nist-800-82-r3": [
          "SR-03(01)",
          "SR-05"
        ],
        "general-nist-800-82-r3-low": [
          "SR-05"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-05"
        ],
        "general-nist-800-82-r3-high": [
          "SR-05"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-03(01)",
          "SR-05"
        ],
        "general-nist-800-161-r1": [
          "SR-3(1)",
          "SR-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-5"
        ],
        "general-nist-800-161-r1-level-1": [
          "SR-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-3(1)",
          "SR-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-3(1)",
          "SR-5"
        ],
        "general-nist-800-171-r3": [
          "03.17.01.a",
          "03.17.02",
          "03.17.03.a",
          "03.17.03.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.17.02[01]",
          "A.03.17.02[02]",
          "A.03.17.02[03]"
        ],
        "general-owasp-top-10-2025": [
          "A03:2025"
        ],
        "general-sparta": [
          "CM0027"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.I"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SR-5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THIRD-PARTIES-2j",
          "THIRD-PARTIES-2k",
          "THIRD-PARTIES-2l",
          "THIRD-PARTIES-2m"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-03(01)",
          "SR-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-03(01)",
          "SR-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-03(01)",
          "SR-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-03(01)",
          "SR-05"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(A)(5)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SR-05"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(74)"
        ],
        "emea-eu-dora-2023": [
          "Article 29.1 (end)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-deu-bsrit-2017": [
          "9.3"
        ],
        "emea-deu-c5-2020": [
          "SSO-05"
        ],
        "emea-isr-cmo-1-0": [
          "16.1"
        ],
        "emea-sau-cscc-1-2019": [
          "4-1-1-1",
          "4-1-1-2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1567",
          "ISM-1568",
          "ISM-1632",
          "ISM-1743",
          "ISM-1788",
          "ISM-1789"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.17.01.A",
          "03.17.02",
          "03.17.03.A",
          "03.17.03.B"
        ]
      }
    },
    {
      "control_id": "TPM-03.2",
      "title": "Limit Potential Harm",
      "family": "TPM",
      "description": "Mechanisms exist to utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain.",
      "scf_question": "Does the organization utilize security safeguards to limit harm from potential adversaries who identify and target its supply chain?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-01",
        "E-TPM-02",
        "E-TPM-03",
        "E-TPM-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC9.1",
          "P6.4-POF2",
          "P6.5-POF1",
          "P6.5-POF2",
          "P6.6-POF1"
        ],
        "general-cis-csc-8-1": [
          "15.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "15.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.4"
        ],
        "general-csa-iot-2": [
          "RSM-03"
        ],
        "general-iso-27002-2022": [
          "5.19",
          "5.20"
        ],
        "general-iso-27018-2025": [
          "5.19",
          "5.20"
        ],
        "general-nist-800-53-r4": [
          "SA-12(5)"
        ],
        "general-nist-800-53-r5-2": [
          "SR-03(02)"
        ],
        "general-nist-800-82-r3": [
          "SR-03(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-03(02)"
        ],
        "general-nist-800-171-r3": [
          "03.17.03.a",
          "03.17.03.b"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06",
          "GV.SC-07"
        ],
        "general-owasp-top-10-2025": [
          "A03:2025"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.I"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(5)(i)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(f)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "SR-3(CE-2)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-deu-c5-2020": [
          "SSO-02"
        ],
        "emea-isr-cmo-1-0": [
          "11.3",
          "16.2"
        ],
        "emea-sau-cscc-1-2019": [
          "4-1-1-1",
          "4-1-1-2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1567"
        ],
        "apac-aus-ps-cps-230-2023": [
          "56(a)",
          "56(b)",
          "56(c)",
          "56(d)"
        ],
        "apac-aus-ps-cps-234-2019": [
          "22"
        ],
        "apac-chn-pipl-2021": [
          "20"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.4.1",
          "3.4.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.3",
          "4.25"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.17.03.A",
          "03.17.03.B"
        ]
      }
    },
    {
      "control_id": "TPM-03.3",
      "title": "Processes To Address Weaknesses or Deficiencies",
      "family": "TPM",
      "description": "Mechanisms exist to address identified weaknesses or deficiencies in the security of the supply chain.",
      "scf_question": "Does the organization address identified weaknesses or deficiencies in the security of the supply chain?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-01",
        "E-TPM-02",
        "E-TPM-03",
        "E-TPM-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Third-Party Management (TPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Third-party management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No centralized inventory of External Service Providers (ESP) is maintained.\n▪ ESP are not formally managed according to criticality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address identified weaknesses or deficiencies in the security of the supply chain.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Liability clause in contracts"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC9.1"
        ],
        "general-cobit-2019": [
          "APO10.04"
        ],
        "general-iso-27002-2022": [
          "5.19",
          "5.22"
        ],
        "general-iso-27018-2025": [
          "5.19",
          "5.22"
        ],
        "general-nist-800-53-r4": [
          "SA-12(15)"
        ],
        "general-nist-800-53-r5-2": [
          "SR-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-03"
        ],
        "general-nist-800-82-r3": [
          "SR-03"
        ],
        "general-nist-800-82-r3-low": [
          "SR-03"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-03"
        ],
        "general-nist-800-82-r3-high": [
          "SR-03"
        ],
        "general-nist-800-161-r1": [
          "SR-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-3"
        ],
        "general-nist-800-161-r1-level-1": [
          "SR-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-3"
        ],
        "general-nist-800-171-r3": [
          "03.17.03.a",
          "03.17.03.b"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06",
          "GV.SC-07"
        ],
        "general-owasp-top-10-2025": [
          "A03:2025"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.H"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-03"
        ],
        "usa-federal-irs-1075-2021": [
          "SR-3"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SR-03"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-deu-c5-2020": [
          "SSO-02"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.17.03.A",
          "03.17.03.B"
        ]
      }
    },
    {
      "control_id": "TPM-03.4",
      "title": "Adequate Supply",
      "family": "TPM",
      "description": "Mechanisms exist to develop and implement a spare parts strategy to ensure that an adequate supply of critical components is available to meet operational needs.",
      "scf_question": "Does the organization develop and implement a spare parts strategy to ensure that an adequate supply of critical components is available to meet operational needs?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop and implement a spare parts strategy to ensure that an adequate supply of critical components is available to meet operational needs.",
        "4": "Third-Party Management (TPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Third-Party Management (TPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Include security requirements in vendor contracts",
        "small": "∙ Security addendum in vendor contracts\n∙ Vendor security questionnaire",
        "medium": "∙ Formal vendor contract security requirements\n∙ Regular vendor compliance reviews",
        "large": "∙ Enterprise vendor contract security program\n∙ Standardized security SLAs",
        "enterprise": "∙ Enterprise TPRM platform (e.g., ProcessUnity, OneTrust)\n∙ Automated vendor contract compliance tracking"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SR-05(01)"
        ],
        "general-nist-800-82-r3": [
          "SR-05(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-05(01)"
        ],
        "general-nist-800-82-r3-high": [
          "SR-05(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-05(01)"
        ]
      }
    },
    {
      "control_id": "TPM-04",
      "title": "Third-Party Services",
      "family": "TPM",
      "description": "Mechanisms exist to mitigate the risks associated with third-party access to the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
      "scf_question": "Does the organization mitigate the risks associated with third-party access to its Technology Assets, Applications, Services and/or Data (TAASD)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to mitigate the risks associated with third-party access to the organization's TAASD.",
        "4": "Third-Party Management (TPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.3"
        ],
        "general-cis-csc-8-1": [
          "15.4",
          "15.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "15.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.4",
          "15.5"
        ],
        "general-coso-2013": [
          "8"
        ],
        "general-csa-cmm-4-1-0": [
          "IAM-11"
        ],
        "general-csa-iot-2": [
          "POL-01",
          "POL-02"
        ],
        "general-govramp": [
          "SA-09"
        ],
        "general-govramp-low": [
          "SA-09"
        ],
        "general-govramp-low-plus": [
          "SA-09"
        ],
        "general-govramp-mod": [
          "SA-09"
        ],
        "general-govramp-high": [
          "SA-09"
        ],
        "general-iso-27002-2022": [
          "5.19",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "14.2.7",
          "15.1.1"
        ],
        "general-iso-27018-2025": [
          "5.19",
          "8.30"
        ],
        "general-iso-42001-2023": [
          "A.10",
          "A.10.2",
          "A.10.3"
        ],
        "general-mitre-att&ck-16-1": [
          "T1041",
          "T1048",
          "T1048.002",
          "T1048.003",
          "T1072",
          "T1567"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.2-002"
        ],
        "general-nist-800-53-r4": [
          "SA-9"
        ],
        "general-nist-800-53-r5-2": [
          "SA-09"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-09"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-09"
        ],
        "general-nist-800-66-r2": [
          "164.308(b)(1)"
        ],
        "general-nist-800-82-r3": [
          "SA-09"
        ],
        "general-nist-800-82-r3-low": [
          "SA-09"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-09"
        ],
        "general-nist-800-82-r3-high": [
          "SA-09"
        ],
        "general-nist-800-161-r1": [
          "SA-9"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-9"
        ],
        "general-nist-800-171-r3": [
          "03.16.03.a",
          "03.16.03.c",
          "03.17.02",
          "03.17.03.a",
          "03.17.03.b"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06",
          "GV.SC-07"
        ],
        "general-owasp-top-10-2025": [
          "A02:2025",
          "A03:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.3",
          "12.8.2",
          "12.9",
          "12.9.1",
          "12.9.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.8.2"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.8.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.8.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.8.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.3",
          "12.8.2",
          "12.9.1",
          "12.9.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.2"
        ],
        "general-scf-dpmp-2025": [
          "10.0",
          "10.1",
          "10.4"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG2.SP1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.H"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-9"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-2a",
          "THIRD-PARTIES-1a"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(5)(i)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-09"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-09"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-09"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-09"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(f)(1)",
          "314.4(f)(2)",
          "314.4(f)(3)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(b)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(b)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.9",
          "2.C.9-1",
          "2.C.9-2",
          "2.C.9-3",
          "2.C.9-4",
          "2.C.9-5",
          "2.C.9-6",
          "2.C.9-7",
          "2.C.9-7.1",
          "2.C.9-7.2",
          "2.C.9-8",
          "2.C.9-9",
          "2.C.9-10",
          "SA-4(IRS-Defined)-1",
          "SA-4(IRS-Defined)-2",
          "SA-9"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-9",
          "SA-9.a",
          "SA-9.b",
          "SA-9.c",
          "SA-9.d",
          "SA-9.e",
          "SA-9-IS.1",
          "SA-9-IS.2",
          "SA-9-IS.3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.11(a)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-09"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-09"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-09"
        ],
        "emea-eu-dora-2023": [
          "Article 29.1"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-deu-bsrit-2017": [
          "9.2"
        ],
        "emea-deu-c5-2020": [
          "SSO-05"
        ],
        "emea-isr-cmo-1-0": [
          "11.3",
          "16.1",
          "22.4"
        ],
        "emea-sau-cscc-1-2019": [
          "4-1-1-1",
          "4-1-1-2"
        ],
        "emea-sau-otcc-1-2022": [
          "4-1-1-3"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 13.5"
        ],
        "emea-esp-decree-311-2022": [
          "13.5"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1569"
        ],
        "apac-aus-ps-cps-234-2019": [
          "16",
          "22",
          "28"
        ],
        "apac-chn-pipl-2021": [
          "20",
          "21",
          "38(3)"
        ],
        "apac-jpn-ppi-2020": [
          "22",
          "23(1)(i)",
          "23(1)(ii)",
          "23(1)(iii)",
          "23(1)(iv)",
          "23(2)",
          "23(2)(i)",
          "23(2)(ii)",
          "23(2)(iii)",
          "23(2)(iv)",
          "23(2)(v)",
          "23(2)(vi)",
          "23(2)(vii)",
          "23(2)(viii)",
          "23(3)",
          "23(4)",
          "23(5)(i)",
          "23(5)(ii)",
          "23(5)(iii)",
          "23(6)",
          "23(1)"
        ],
        "americas-arg-ppd-2018": [
          "25.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.3",
          "4.25"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.03.A",
          "03.16.03.C",
          "03.17.02",
          "03.17.03.A",
          "03.17.03.B"
        ]
      }
    },
    {
      "control_id": "TPM-04.1",
      "title": "Third-Party Risk Assessments & Approvals",
      "family": "TPM",
      "description": "Mechanisms exist to conduct a risk assessment prior to the acquisition or outsourcing of technology-related Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization conduct a risk assessment prior to the acquisition or outsourcing of technology-related Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-01",
        "E-TPM-02",
        "E-TPM-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct a risk assessment prior to the acquisition or outsourcing of technology-related Technology Assets, Applications and/or Services (TAAS).",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.4-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC3.2-POF8",
          "CC3.2-POF9",
          "CC3.4",
          "CC9.2",
          "CC9.2-POF2",
          "CC9.2-POF3",
          "CC9.2-POF8",
          "CC9.2-POF11"
        ],
        "general-cis-csc-8-1": [
          "15.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.5"
        ],
        "general-cobit-2019": [
          "APO10.04"
        ],
        "general-coso-2013": [
          "9"
        ],
        "general-csa-cmm-4-1-0": [
          "STA-16"
        ],
        "general-govramp": [
          "SA-09(01)"
        ],
        "general-govramp-low-plus": [
          "SA-09(01)"
        ],
        "general-govramp-mod": [
          "SA-09(01)"
        ],
        "general-govramp-high": [
          "SA-09(01)"
        ],
        "general-iso-21434-2021": [
          "RQ-07-01"
        ],
        "general-iso-27002-2022": [
          "5.19"
        ],
        "general-iso-27018-2025": [
          "5.19"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 3.1"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-005",
          "GV-6.1-006",
          "GV-6.1-009"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P5"
        ],
        "general-nist-800-53-r4": [
          "SA-9(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-09(01)"
        ],
        "general-nist-800-82-r3": [
          "SA-09(01)"
        ],
        "general-nist-800-161-r1": [
          "SA-9(1)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-9(1)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-9(1)"
        ],
        "general-nist-800-171-r3": [
          "03.11.01.a",
          "03.17.02",
          "03.17.03.a",
          "03.17.03.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.17.03.a[01]"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06",
          "GV.SC-07",
          "ID.RA-10",
          "ID.IM-01",
          "ID.IM-02"
        ],
        "general-owasp-top-10-2025": [
          "A02:2025",
          "A03:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "12.8.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.8.3"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.8.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.8.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.8.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.8.3"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.3"
        ],
        "general-sparta": [
          "CM0025"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-tisax-6-0-3": [
          "1.3.3",
          "6.1.1"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EXD:SG3.SP3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THIRD-PARTIES-1c",
          "THIRD-PARTIES-2a",
          "THIRD-PARTIES-2b",
          "THIRD-PARTIES-2i",
          "ARCHITECTURE-4b",
          "ARCHITECTURE-4e"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(5)(i)",
          "609.930(c)(5)(iii)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-09(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-09(01)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(f)(1)",
          "314.4(f)(3)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.10",
          "SA-9(CE-1)",
          "SA-9(CE-1).a",
          "SA-9(CE-1).b"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-9(1)",
          "SA-9(1)-IS.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(f)1"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.11(a)(1)",
          "500.11(a)(3)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(6)(A)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.6.2(74)"
        ],
        "emea-eu-dora-2023": [
          "Article 28.4(a)",
          "Article 28.4(b)",
          "Article 28.4(c)",
          "Article 28.4(d)",
          "Article 28.4(e)",
          "Article 29.1(a)",
          "Article 29.1(b)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "2.1.2(d)"
        ],
        "emea-deu-bsrit-2017": [
          "9.2",
          "9.5"
        ],
        "emea-deu-c5-2020": [
          "SSO-02",
          "SSO-04"
        ],
        "emea-isr-cmo-1-0": [
          "16.3",
          "16.5",
          "17.3"
        ],
        "emea-sau-cscc-1-2019": [
          "4-1-1-1",
          "4-1-1-2"
        ],
        "emea-sau-ecc-1-2018": [
          "1-5-3-4",
          "4-1-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "4-1-1-2",
          "4-1-1-4"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.4.1",
          "3.4.2"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1568",
          "ISM-1573",
          "ISM-1787"
        ],
        "apac-aus-ps-cps-230-2023": [
          "15",
          "53(a)",
          "53(b)"
        ],
        "apac-aus-ps-cps-234-2019": [
          "22",
          "28"
        ],
        "apac-jpn-ismap": [
          "14.1.1.14",
          "15.1.1.16.B"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP25",
          "HML25"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP67"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.3",
          "4.25",
          "4.27"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.01.A",
          "03.17.02",
          "03.17.03.A",
          "03.17.03.B"
        ]
      }
    },
    {
      "control_id": "TPM-04.2",
      "title": "External Connectivity Requirements - Identification of Ports, Protocols & Services",
      "family": "TPM",
      "description": "Mechanisms exist to require External Service Providers (ESPs) to identify and document the business need for ports, protocols and other services it requires to operate its Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization require External Service Providers (ESPs) to identify and document the business need for ports, protocols and other services it requires to operate its Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-06",
        "E-TDA-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Third-Party Management (TPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Third-party management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No centralized inventory of External Service Providers (ESPs) is maintained.\n▪ ESPs are not formally managed according to criticality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require External Service Providers (ESPs) to identify and document the business need for ports, protocols and other services it requires to operate its Technology Assets, Applications and/or Services (TAAS).",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "12.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.6"
        ],
        "general-govramp": [
          "SA-09(02)"
        ],
        "general-govramp-low-plus": [
          "SA-09(02)"
        ],
        "general-govramp-mod": [
          "SA-09(02)"
        ],
        "general-govramp-high": [
          "SA-09(02)"
        ],
        "general-nist-800-53-r4": [
          "SA-9(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-09(02)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SA-09(02)"
        ],
        "general-nist-800-82-r3": [
          "SA-09(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-09(02)"
        ],
        "general-nist-800-82-r3-high": [
          "SA-09(02)"
        ],
        "general-nist-800-171-r2": [
          "NFO - SA-9(2)"
        ],
        "general-owasp-top-10-2025": [
          "A02:2025",
          "A03:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "1.2.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.2.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "1.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.2.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.2.5"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-9(2)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-09(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-09(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-9(2)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-09 (02)"
        ],
        "emea-isr-cmo-1-0": [
          "16.3"
        ]
      }
    },
    {
      "control_id": "TPM-04.3",
      "title": "Conflict of Interests",
      "family": "TPM",
      "description": "Mechanisms exist to ensure that the interests of external service providers are consistent with and reflect organizational interests.",
      "scf_question": "Does the organization ensure that the interests of external service providers are consistent with and reflect organizational interests?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that the interests of external service providers are consistent with and reflect organizational interests.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.3-POF6",
          "CC3.3"
        ],
        "general-coso-2013": [
          "8"
        ],
        "general-govramp": [
          "SA-09(04)"
        ],
        "general-govramp-high": [
          "SA-09(04)"
        ],
        "general-iso-27002-2022": [
          "5.19"
        ],
        "general-iso-27018-2025": [
          "5.19"
        ],
        "general-nist-800-53-r4": [
          "SA-9(4)"
        ],
        "general-nist-800-53-r5-2": [
          "SA-09(03)",
          "SA-09(04)"
        ],
        "general-nist-800-82-r3": [
          "SA-09(03)",
          "SA-09(04)"
        ],
        "general-nist-800-161-r1": [
          "SA-9(4)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-9(4)"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06"
        ],
        "general-owasp-top-10-2025": [
          "A03:2025"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-3)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "emea-isr-cmo-1-0": [
          "16.3"
        ],
        "emea-zaf-popia-2013": [
          "20",
          "21"
        ]
      }
    },
    {
      "control_id": "TPM-04.4",
      "title": "Third-Party Processing, Storage and Service Locations",
      "family": "TPM",
      "description": "Mechanisms exist to restrict the location of information processing/storage based on business requirements.",
      "scf_question": "Does the organization restrict the location of information processing/storage based on business requirements?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-AST-23"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Third-Party Management (TPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Third-party management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to restrict the location of information processing/storage based on business requirements.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF9",
          "CC9.1"
        ],
        "general-cobit-2019": [
          "APO10.03"
        ],
        "general-csa-iot-2": [
          "POL-02"
        ],
        "general-govramp": [
          "SA-09(05)"
        ],
        "general-govramp-high": [
          "SA-09(05)"
        ],
        "general-iso-27002-2022": [
          "5.21"
        ],
        "general-iso-27018-2025": [
          "5.21"
        ],
        "general-nist-800-53-r4": [
          "SA-9(5)"
        ],
        "general-nist-800-53-r5-2": [
          "PE-23",
          "SA-09(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PE-23",
          "SA-09(05)"
        ],
        "general-nist-800-82-r3": [
          "PE-23",
          "SA-09(05)"
        ],
        "general-nist-800-161-r1": [
          "PE-23",
          "SA-9(5)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "PE-23"
        ],
        "general-nist-800-161-r1-level-2": [
          "PE-23"
        ],
        "general-nist-800-161-r1-level-3": [
          "PE-23",
          "SA-9(5)"
        ],
        "general-nist-800-171-r3": [
          "03.16.03.a"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06"
        ],
        "general-owasp-top-10-2025": [
          "A02:2025",
          "A03:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "3.2.1",
          "12.5.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "3.2.1",
          "12.5.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "3.2.1",
          "12.5.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "3.2.1"
        ],
        "general-scf-dpmp-2025": [
          "5.6"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PE-23",
          "SA-09(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PE-23",
          "SA-09(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PE-23",
          "SA-09(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PE-23",
          "SA-09(05)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(f)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-5)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-9(5)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-09 (05)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 10"
        ],
        "emea-bel-act-8-1992": [
          "Chapter 4 - 16"
        ],
        "emea-deu-c5-2020": [
          "PI-02",
          "PSS-12"
        ],
        "emea-hun-isdfi-2011": [
          "7"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "16.3"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36"
        ],
        "emea-rus-federal-law-27-2006": [
          "7"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "21"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1572"
        ],
        "apac-chn-pipl-2021": [
          "21",
          "38",
          "38(3)",
          "40"
        ],
        "apac-jpn-ppi-2020": [
          "20"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-phl-dpa-2012": [
          "25"
        ],
        "apac-sgp-pdpa-2012": [
          "24",
          "26"
        ],
        "apac-kor-pipa-2011": [
          "17",
          "27"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.03.A"
        ],
        "americas-can-pipeda-2000": [
          "Sec 20"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "26"
        ]
      }
    },
    {
      "control_id": "TPM-05",
      "title": "Third-Party Contract Requirements",
      "family": "TPM",
      "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
      "scf_question": "Does the organization require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-02",
        "E-TPM-01",
        "E-TPM-03",
        "E-TPM-06",
        "E-TPM-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Procurement practices contractually require External Service Providers (ESP) to follow secure engineering practices as part of a broader Cybersecurity Supply Chain Risk Management (C-SCRM) initiative.\n▪ A formal agreement exists between the organization and applicable third-parties that includes a Non-Disclosure Agreement (NDA) addressing shared sensitive data.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its TAASD.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls\n∙ Non-Disclosure Agreements (NDAs)",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls\n∙ Non-Disclosure Agreements (NDAs)",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls\n∙ Non-Disclosure Agreements (NDAs)",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls\n∙ Non-Disclosure Agreements (NDAs)",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls\n∙ Non-Disclosure Agreements (NDAs)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.5",
          "D6.5-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.1-POF5",
          "CC2.3-POF2",
          "CC2.3-POF6",
          "CC2.3-POF7",
          "CC2.3-POF10",
          "CC2.3-POF11",
          "CC2.3-POF12",
          "CC9.1",
          "CC9.2-POF1",
          "CC9.2-POF5",
          "CC9.2-POF6",
          "CC9.2-POF9",
          "CC9.2-POF10",
          "P6.4-POF3"
        ],
        "general-cis-csc-8-1": [
          "15.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "15.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.4"
        ],
        "general-cobit-2019": [
          "APO10.03"
        ],
        "general-csa-cmm-4-1-0": [
          "IPY-04",
          "STA-04",
          "STA-11"
        ],
        "general-csa-iot-2": [
          "CLS-04",
          "IMT-01",
          "LGL-05",
          "LGL-06",
          "LGL-07",
          "LGL-08",
          "POL-01",
          "POL-02"
        ],
        "general-iso-21434-2021": [
          "RQ-05-09",
          "RQ-05-10",
          "RQ-07-03(a)",
          "RQ-07-03(b)",
          "RQ-07-03(c)",
          "RQ-07-04",
          "RQ-07-04(a)",
          "RQ-07-04(b)",
          "RQ-07-04(c)",
          "RQ-07-04(d)",
          "RQ-07-04(e)",
          "RQ-07-04(f)",
          "RQ-07-05",
          "RQ-07-06",
          "RQ-07-07"
        ],
        "general-iso-27002-2022": [
          "5.19",
          "5.2",
          "5.21",
          "5.31",
          "6.6",
          "8.21",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "13.1.2",
          "13.2.4",
          "15.1.2"
        ],
        "general-iso-27018-2025": [
          "5.1(a)",
          "5.1(b)",
          "5.19",
          "5.20",
          "5.21",
          "5.31",
          "6.6",
          "8.21",
          "8.30"
        ],
        "general-iso-27701-2025": [
          "6.1.3(h)"
        ],
        "general-iso-42001-2023": [
          "A.10.2",
          "A.10.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.4",
          "PS-3.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.F(2)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.1-004",
          "GV-6.1-010",
          "GV-6.2-007"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P3",
          "GV.PO-P4",
          "GV.AT-P4"
        ],
        "general-nist-800-53-r4": [
          "SA-9(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SR-03(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SR-03(03)"
        ],
        "general-nist-800-66-r2": [
          "164.308(b)(1)",
          "164.314(a)",
          "164.314(b)"
        ],
        "general-nist-800-82-r3": [
          "SR-03(03)"
        ],
        "general-nist-800-161-r1": [
          "SA-9(3)",
          "SR-3(3)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SR-3(3)"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-9(3)",
          "SR-3(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-9(3)",
          "SR-3(3)"
        ],
        "general-nist-800-171-r2": [
          "3.1.1",
          "NFO - SA-4"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.b",
          "03.01.20.c.01",
          "03.01.20.c.02",
          "03.07.06.a",
          "03.16.03.a",
          "03.16.03.b",
          "03.16.03.c",
          "03.17.02",
          "03.17.03.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.03.ODP[01]",
          "A.03.16.03.a"
        ],
        "general-nist-800-218": [
          "PO.1"
        ],
        "general-nist-csf-2-0": [
          "GV.OC-02",
          "GV.OC-03",
          "GV.SC-02",
          "GV.SC-05",
          "GV.SC-06"
        ],
        "general-owasp-top-10-2025": [
          "A03:2025"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.3",
          "12.4.2",
          "12.4.2.1",
          "12.8.2",
          "12.8.5",
          "12.9",
          "12.9.1",
          "12.9.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.3",
          "12.4.2",
          "12.4.2.1",
          "12.8.2",
          "12.8.5",
          "12.9.1",
          "12.9.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.2",
          "12.8.5"
        ],
        "general-scf-dpmp-2025": [
          "10.3"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-tisax-6-0-3": [
          "1.2.4",
          "1.3.3",
          "6.1.1",
          "8.2.1",
          "8.2.2",
          "8.3.1"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EXD:SG3.SP4"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.G",
          "1.H"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THIRD-PARTIES-2c",
          "THIRD-PARTIES-2e",
          "THIRD-PARTIES-2f",
          "THIRD-PARTIES-2g",
          "THIRD-PARTIES-2h"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.I"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.1"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.3.a",
          "II.3.b",
          "II.7.d",
          "III.10.a.i",
          "III.10.a.ii.1",
          "III.10.a.ii.2",
          "III.10.a.ii.3",
          "III.10.a.iii"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)",
          "252.204-7012(m)(1)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(i)"
        ],
        "usa-federal-far-52-204-27": [
          "52.204-27(c)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)",
          "609.930(c)(5)(ii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-03(03)"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(5)(ii)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(a)",
          "314.4(a)(1)",
          "314.4(a)(2)",
          "314.4(a)(3)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(b)(2)",
          "155.260(b)(2)(i)",
          "155.260(b)(2)(ii)",
          "155.260(b)(2)(iii)",
          "155.260(b)(2)(iv)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(b)(1)",
          "164.308(b)(2)",
          "164.308(b)(3)",
          "164.314(a)(2)(iii)",
          "164.314(b)(1)",
          "164.314(b)(2)(i)",
          "164.314(b)(2)(ii)",
          "164.314(b)(2)(iii)",
          "164.502(a)(4)(i)",
          "164.502(a)(4)(ii)",
          "164.502(e)(1)(i)",
          "164.502(e)(2)",
          "164.504(e)(2)(i)",
          "164.504(e)(2)(i)(A)",
          "164.504(e)(2)(i)(B)",
          "164.504(e)(2)(ii)(J)",
          "164.504(e)(4)(i)(B)(ii)(B)(1)",
          "164.504(e)(4)(i)(B)(ii)(B)(2)",
          "164.504(f)(1)(i)",
          "164.504(f)(2)(i)",
          "164.504(f)(2)(ii)",
          "164.504(f)(2)(ii)(A)",
          "164.504(f)(2)(ii)(B)",
          "164.504(f)(2)(ii)(C)",
          "164.504(f)(2)(ii)(D)",
          "164.504(f)(2)(ii)(E)",
          "164.504(f)(2)(ii)(F)",
          "164.504(f)(2)(ii)(G)",
          "164.504(f)(2)(ii)(H)",
          "164.504(f)(2)(ii)(I)",
          "164.504(f)(2)(ii)(J)",
          "164.504(f)(2)(iii)(A)",
          "164.504(f)(2)(iii)(B)",
          "164.504(f)(2)(iii)(C)",
          "164.504(f)(3)(i)",
          "164.504(f)(3)(ii)",
          "164.504(f)(3)(iii)",
          "164.504(f)(3)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(b)(1)",
          "164.308(b)(2)",
          "164.308(b)(3)",
          "164.314(a)(2)(iii)",
          "164.314(b)(1)",
          "164.314(b)(2)(i)",
          "164.314(b)(2)(ii)",
          "164.314(b)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.1.g",
          "SA-4(CE-12).b",
          "SR-3(CE-3)"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-3-IS.4"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "7-2",
          "7-3",
          "7-4",
          "7-5"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7012(g)(2)",
          "7051(a)",
          "7052(b)",
          "7053(a)",
          "7053(a)(6)",
          "7123(c)(3)(A)(ii)",
          "7123(c)(3)(A)(iii)",
          "7123(c)(15)",
          "7153(a)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1305(5)",
          "6-1-1305(5)(a)",
          "6-1-1305(5)(b)",
          "6-1-1305(5)(c)",
          "6-1-1305(5)(d)",
          "6-1-1305(5)(d)(I)",
          "6-1-1305(5)(d)(II)(A)",
          "6-1-1305(5)(d)(II)(B)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(f)2"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(d)",
          "500.10(a)(1)",
          "500.10(b)",
          "500.11(a)(1)",
          "500.11(a)(2)",
          "500.11(b)",
          "500.11(b)(1)",
          "500.11(b)(2)",
          "500.11(b)(3)",
          "500.11(b)(4)"
        ],
        "usa-state-or-ors-646a-2025": [
          "646A.581(2)",
          "646A.581(2)(a)",
          "646A.581(2)(b)",
          "646A.581(2)(c)",
          "646A.581(2)(d)",
          "646A.581(2)(e)",
          "646A.581(2)(f)",
          "646A.581(2)(g)",
          "646A.581(2)(h)"
        ],
        "usa-state-or-cpa-2023": [
          "Section 6(2)(a)",
          "Section 6(2)(b)",
          "Section 6(2)(c)",
          "Section 6(2)(d)",
          "Section 6(2)(e)",
          "Section 6(2)(f)",
          "Section 6(2)(g)",
          "Section 6(2)(h)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.104(a)",
          "541.104(b)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-579.B.5"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(6)(B)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.3(8)",
          "3.2.3(8)(a)",
          "3.2.3(8)(b)"
        ],
        "emea-eu-dora-2023": [
          "Article 28.1(a)",
          "Article 29.2",
          "Article 30.1",
          "Article 30.2",
          "Article 30.2(a)",
          "Article 30.2(b)",
          "Article 30.2(c)",
          "Article 30.2(d)",
          "Article 30.2(e)",
          "Article 30.2(f)",
          "Article 30.2(g)",
          "Article 30.2(h)",
          "Article 30.2(i)",
          "Article 30.3",
          "Article 30.3(a)",
          "Article 30.3(b)",
          "Article 30.3(c)",
          "Article 30.3(d)",
          "Article 30.3(e)(i)",
          "Article 30.3(e)(ii)",
          "Article 30.3(e)(iii)",
          "Article 30.3(e)(iv)",
          "Article 30.3(f)(i)",
          "Article 30.4"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.2.2",
          "3.3.2",
          "4.3.2(a)",
          "5.1.2",
          "5.1.2(a)",
          "5.1.2(b)",
          "5.1.2(c)",
          "5.1.2(d)",
          "5.1.4",
          "5.1.4(a)",
          "5.1.4(b)",
          "5.1.4(c)",
          "5.1.4(d)",
          "5.1.4(e)",
          "5.1.4(f)",
          "5.1.4(g)",
          "5.1.4(h)",
          "5.1.5",
          "6.2.3",
          "8.1.1",
          "13.1.2(e)"
        ],
        "emea-deu-bsrit-2017": [
          "9.4"
        ],
        "emea-deu-c5-2020": [
          "HR-06",
          "PI-02",
          "SSO-02",
          "SSO-05"
        ],
        "emea-isr-cmo-1-0": [
          "11.1",
          "11.3",
          "11.10",
          "16.2",
          "19.5",
          "22.4",
          "25.17"
        ],
        "emea-pol-act-29-1997": [
          "31"
        ],
        "emea-qat-pdppl-2020": [
          "12"
        ],
        "emea-sau-cscc-1-2019": [
          "4-1-1",
          "4-1-1-1",
          "4-1-1-2"
        ],
        "emea-sau-cgiot-2024": [
          "4-1-1",
          "4-2-5"
        ],
        "emea-sau-ecc-1-2018": [
          "4-1-2",
          "4-1-2-1",
          "4-1-2-2",
          "4-1-2-3"
        ],
        "emea-sau-otcc-1-2022": [
          "4-1-1-1",
          "4-1-1-3"
        ],
        "emea-sau-pdpl-2023": [
          "Article 8"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-25"
        ],
        "emea-srb-act-9-2018": [
          "5",
          "11"
        ],
        "emea-zaf-popia-2013": [
          "20"
        ],
        "emea-esp-decree-1720-2007": [
          "20",
          "21"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.4.1 [OP.EXT.1]"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1401",
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1401",
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1401",
          "2323"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1401",
          "2323"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0072",
          "ISM-1395",
          "ISM-1451",
          "ISM-1569",
          "ISM-1571",
          "ISM-1572",
          "ISM-1573",
          "ISM-1574",
          "ISM-1575",
          "ISM-1738"
        ],
        "apac-aus-ps-cps-230-2023": [
          "15",
          "54(a)",
          "54(b)",
          "54(c)",
          "54(d)",
          "54(e)",
          "54(f)",
          "54(g)",
          "55(a)",
          "55(b)",
          "55(c)"
        ],
        "apac-aus-ps-cps-234-2019": [
          "16",
          "20",
          "28"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 36"
        ],
        "apac-chn-pipl-2021": [
          "20",
          "21",
          "38(3)",
          "42"
        ],
        "apac-ind-dpdpa-2023": [
          "8(7)(b)"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S3",
          "GV.SC.S3",
          "GV.SC.S8",
          "PR.AT.S3"
        ],
        "apac-jpn-ppi-2020": [
          "22",
          "23(1)(i)",
          "23(1)(ii)",
          "23(1)(iii)",
          "23(1)(iv)",
          "23(2)",
          "23(2)(i)",
          "23(2)(ii)",
          "23(2)(iii)",
          "23(2)(iv)",
          "23(2)(v)",
          "23(2)(vi)",
          "23(2)(vii)",
          "23(2)(viii)",
          "23(3)",
          "23(4)",
          "23(5)(i)",
          "23(5)(ii)",
          "23(5)(iii)",
          "23(6)",
          "23(1)"
        ],
        "apac-jpn-ismap": [
          "6.3.P",
          "7.1.1.11",
          "8.2.3.7",
          "13.1.2",
          "13.1.2.2",
          "14.1.1.13",
          "14.2.1.12",
          "14.2.7.1",
          "14.2.7.2",
          "14.2.7.9",
          "15.1.2",
          "15.1.2.1",
          "15.1.2.2",
          "15.1.2.3",
          "15.1.2.4",
          "15.1.2.5",
          "15.1.2.6",
          "15.1.2.7",
          "15.1.2.8",
          "15.1.2.9",
          "15.1.2.10",
          "15.1.2.11",
          "15.1.2.12",
          "15.1.2.13",
          "15.1.2.14",
          "15.1.2.15",
          "15.1.2.16",
          "15.1.2.17",
          "15.1.2.18.PB",
          "15.1.3",
          "15.1.3.1",
          "15.1.3.2",
          "15.1.3.3",
          "15.1.3.4",
          "15.1.3.5",
          "15.1.3.6",
          "15.1.3.7",
          "15.1.3.8",
          "15.1.3.9",
          "15.1.3.10.P",
          "15.1.3.11.P",
          "15.2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP09",
          "HHSP36",
          "HHSP72",
          "HML09",
          "HML36",
          "HML72"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS06"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP63",
          "HSUP68"
        ],
        "apac-nzl-ism-3-9": [
          "2.3.30.C.01",
          "23.2.19.C.01"
        ],
        "apac-phl-dpa-2012": [
          "25",
          "43"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.4.1",
          "3.4.2",
          "3.4.3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.3",
          "4.26",
          "4.28"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.B",
          "03.01.20.C.01",
          "03.01.20.C.02",
          "03.07.06.A",
          "03.16.03.A",
          "03.16.03.B",
          "03.16.03.C",
          "03.17.02",
          "03.17.03.B"
        ],
        "americas-mex-fdpa-2010": [
          "21"
        ]
      }
    },
    {
      "control_id": "TPM-05.1",
      "title": "Security Compromise Notification Agreements",
      "family": "TPM",
      "description": "Mechanisms exist to compel External Service Providers (ESPs) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected Technology Assets, Applications and/or Services (TAAS) that the organization utilizes.",
      "scf_question": "Does the organization compel External Service Providers (ESPs) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected Technology Assets, Applications and/or Services (TAAS) that the organization utilizes?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to compel External Service Providers (ESPs) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected Technology Assets, Applications and/or Services (TAAS) that the organization utilizes.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.3-POF12",
          "CC9.2-POF13"
        ],
        "general-csa-iot-2": [
          "POL-01"
        ],
        "general-iso-27002-2022": [
          "5.21"
        ],
        "general-iso-27018-2025": [
          "5.21"
        ],
        "general-nist-800-53-r5-2": [
          "SR-08"
        ],
        "general-nist-800-53-r5-2-low": [
          "SR-08"
        ],
        "general-nist-800-66-r2": [
          "164.314(a)",
          "164.314(b)"
        ],
        "general-nist-800-82-r3": [
          "SR-08"
        ],
        "general-nist-800-82-r3-low": [
          "SR-08"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-08"
        ],
        "general-nist-800-82-r3-high": [
          "SR-08"
        ],
        "general-nist-800-161-r1": [
          "SR-8"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SR-8"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-8"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-8"
        ],
        "general-nist-800-171-r3": [
          "03.17.02"
        ],
        "general-shared-assessments-sig-2025": [
          "P.8"
        ],
        "general-tisax-6-0-3": [
          "8.3.1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.G"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SR-8"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-08"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-08"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-08"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-08"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.314(a)(2)(i)(C)",
          "164.314(b)(2)(iv)",
          "164.410(a)(1)",
          "164.410(a)(2)",
          "164.410(b)",
          "164.410(c)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.314(a)(2)(i)(C)",
          "164.314(b)(2)(iv)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-013-2 1.2.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(a)(1)",
          "500.4(a)(2)",
          "500.4(a)(3)",
          "500.11(b)(3)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SR-08"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1576"
        ],
        "apac-nzl-ism-3-9": [
          "7.2.22.C.01",
          "7.2.23.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.17.02"
        ]
      }
    },
    {
      "control_id": "TPM-05.2",
      "title": "Contract Flow-Down Requirements",
      "family": "TPM",
      "description": "Mechanisms exist to ensure applicable security, compliance and resilience requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.",
      "scf_question": "Does the organization ensure applicable security, compliance and resilience requirements are included in contracts that flow-down to applicable sub-contractors and suppliers?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Procurement practices contractually require ESP to follow secure engineering practices as part of a broader Cybersecurity Supply Chain Risk Management (C-SCRM) initiative.\n▪ A formal agreement exists between the organization and applicable third-parties that includes a Non-Disclosure Agreement (NDA) addressing shared sensitive data.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure applicable security, compliance and resilience requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.5-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.3-POF12",
          "CC9.2-POF1",
          "CC9.2-POF9",
          "CC9.2-POF10",
          "P6.4-POF3"
        ],
        "general-csa-cmm-4-1-0": [
          "STA-11"
        ],
        "general-iso-27701-2025": [
          "6.1.3(h)"
        ],
        "general-nist-800-53-r5-2": [
          "SR-03(03)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SR-03(03)"
        ],
        "general-nist-800-66-r2": [
          "164.308(b)(1)",
          "164.314(a)"
        ],
        "general-nist-800-82-r3": [
          "SR-03(03)"
        ],
        "general-nist-800-161-r1": [
          "SR-3(3)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SR-3(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-3(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-3(3)"
        ],
        "general-nist-800-171-r2": [
          "3.1.1"
        ],
        "general-nist-800-171-r3": [
          "03.16.03.a",
          "03.16.03.b",
          "03.16.03.c",
          "03.17.02",
          "03.17.03.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.03.ODP[01]"
        ],
        "general-nist-csf-2-0": [
          "GV.OC-03",
          "GV.SC-02",
          "GV.SC-05",
          "GV.SC-06",
          "GV.SC-10"
        ],
        "general-scf-dpmp-2025": [
          "10.3"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-tisax-6-0-3": [
          "6.1.1"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.I"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.1"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.7.d",
          "III.10.a.ii.1",
          "III.10.a.ii.2",
          "III.10.a.ii.3",
          "III.10.a.iii"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)",
          "252.204-7012(m)(2)(i)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(i)"
        ],
        "usa-federal-far-52-204-27": [
          "52.204-27(c)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SR-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-03(03)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SR-03(03)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(b)(2)(v)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(b)(1)",
          "164.308(b)(2)",
          "164.314(a)(2)(i)(B)",
          "164.314(a)(2)(iii)",
          "164.502(e)(1)(ii)",
          "164.504(e)(2)(ii)(D)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(b)(1)",
          "164.308(b)(2)",
          "164.314(a)(2)(i)(B)",
          "164.314(a)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "SR-3(CE-3)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "7-2",
          "7-4",
          "7-5"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7051(b)",
          "7052(b)",
          "7053(a)",
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(1)",
          "500.11(a)(1)",
          "500.11(a)(2)",
          "500.11(b)",
          "500.11(b)(1)",
          "500.11(b)(2)",
          "500.11(b)(3)",
          "500.11(b)(4)"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-579.B.5"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.3(8)",
          "3.2.3(8)(a)",
          "3.2.3(8)(b)"
        ],
        "emea-eu-dora-2023": [
          "Article 29.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.1.4(g)"
        ],
        "emea-qat-pdppl-2020": [
          "12"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-25"
        ],
        "emea-srb-act-9-2018": [
          "5",
          "11"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1401"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1401"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1401"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1401"
        ],
        "apac-ind-dpdpa-2023": [
          "8(7)(b)"
        ],
        "apac-ind-sebi-2024": [
          "GV.SC.S3",
          "GV.SC.S8"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.03.A",
          "03.16.03.B",
          "03.16.03.C",
          "03.17.02",
          "03.17.03.B"
        ]
      }
    },
    {
      "control_id": "TPM-05.3",
      "title": "Third-Party Authentication Practices",
      "family": "TPM",
      "description": "Mechanisms exist to ensure External Service Providers (ESPs) use unique authentication factors for each of its customers.",
      "scf_question": "Does the organization ensure External Service Providers (ESPs) use unique authentication factors for each of its customers?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure External Service Providers (ESPs) use unique authentication factors for each of its customers.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-nist-csf-2-0": [
          "GV.SC-06",
          "GV.SC-10"
        ],
        "general-pci-dss-4-0-1": [
          "8.2.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.2.3"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.11(b)(1)"
        ]
      }
    },
    {
      "control_id": "TPM-05.4",
      "title": "Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix",
      "family": "TPM",
      "description": "Mechanisms exist to document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for security, compliance and resilience controls between internal stakeholders and External Service Providers (ESPs).",
      "scf_question": "Does the organization document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for security, compliance and resilience controls between internal stakeholders and External Service Providers (ESPs)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel govern third-party cybersecurity and data protection roles and responsibilities through a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar shared responsibilities tracking tool.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for security, compliance and resilience controls between internal stakeholders and External Service Providers (ESPs).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls\n∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls\n∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls\n∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls\n∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls\n∙ Customer Responsibility Matrix (CRM)\n∙ Shared Responsibility Matrix (SRM)\n∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF5",
          "CC1.3-POF3",
          "CC1.3-POF4",
          "CC1.3-POF5",
          "CC2.2-POF5",
          "CC2.2-POF9",
          "CC2.3-POF6",
          "CC2.3-POF9",
          "CC2.3-POF11",
          "CC9.2-POF4",
          "CC9.2-POF12"
        ],
        "general-cis-csc-8-1": [
          "15.0"
        ],
        "general-coso-2013": [
          "12"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-06",
          "STA-02",
          "STA-03",
          "STA-04",
          "STA-05",
          "STA-06",
          "STA-07"
        ],
        "general-iso-21434-2021": [
          "RQ-06-01",
          "RQ-07-08"
        ],
        "general-iso-27001-2022": [
          "4.3(c)"
        ],
        "general-iso-27002-2022": [
          "5.2",
          "5.23"
        ],
        "general-iso-27017-2015": [
          "6.1.1"
        ],
        "general-iso-27018-2025": [
          "5.2",
          "5.23"
        ],
        "general-iso-42001-2023": [
          "5.3",
          "A.10",
          "A.10.2",
          "A.10.3",
          "A.10.4"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.4",
          "TS-1.11"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P2",
          "GV.PO-P3",
          "GV.PO-P4",
          "GV.AT-P4"
        ],
        "general-nist-800-37-r2": [
          "TASK P-1"
        ],
        "general-nist-800-53-r5-2": [
          "SA-09(03)"
        ],
        "general-nist-800-66-r2": [
          "164.308(b)(1)"
        ],
        "general-nist-800-82-r3": [
          "SA-09(03)"
        ],
        "general-nist-800-161-r1": [
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-9(3)"
        ],
        "general-nist-800-171-r3": [
          "03.07.06.a",
          "03.16.03.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.03.b"
        ],
        "general-nist-csf-2-0": [
          "GV.OC",
          "GV.OC-02",
          "GV.RM-05",
          "GV.RR",
          "GV.RR-02",
          "GV.SC-02",
          "GV.SC-06",
          "ID.AM"
        ],
        "general-pci-dss-4-0-1": [
          "12.4.1",
          "12.8.2",
          "12.8.5",
          "12.9",
          "12.9.1",
          "12.9.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.8.2",
          "12.8.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.4.1",
          "12.8.2",
          "12.8.5",
          "12.9.1",
          "12.9.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.2",
          "12.8.5"
        ],
        "general-scf-dpmp-2025": [
          "10.4"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-tisax-6-0-3": [
          "1.2.4",
          "1.3.3"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-2a",
          "THIRD-PARTIES-1a"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(b)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(b)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-3)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(ii)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7052(a)",
          "7123(c)(3)(A)(ii)",
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(d)",
          "500.4(a)(1)",
          "500.4(a)(2)",
          "500.4(a)(3)",
          "500.10(a)(1)",
          "500.10(b)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.3(8)",
          "3.2.3(8)(a)",
          "3.2.3(8)(b)",
          "3.3.2(16)",
          "3.5(55)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "4.3.2(a)",
          "8.1.1",
          "10.1.2(a)"
        ],
        "emea-sau-otcc-1-2022": [
          "1-2-1-1"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 13.2",
          "Article 13.5"
        ],
        "emea-esp-decree-311-2022": [
          "13.2",
          "13.5"
        ],
        "emea-gbr-cap-1850-2020": [
          "A4"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S3",
          "GV.SC.S3",
          "PR.AT.S3"
        ],
        "apac-jpn-ismap": [
          "6.1.1.8",
          "6.1.1.9",
          "6.1.1.10",
          "6.1.1.11",
          "6.1.1.12",
          "6.1.5.6",
          "6.3.1.P"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.07.06.A",
          "03.16.03.B"
        ]
      }
    },
    {
      "control_id": "TPM-05.5",
      "title": "Third-Party Scope Review",
      "family": "TPM",
      "description": "Mechanisms exist to perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure security, compliance and resilience control assignments accurately reflect current:\n(1) Contractual obligations for the External Service Provider (ESP);\n(2) Business practices;\n(3) Applicable stakeholders; and\n(4) Deployed Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure security, compliance and resilience control assignments accurately reflect current:\n(1) Contractual obligations for the External Service Provider (ESP);\n(2) Business practices;\n(3) Applicable stakeholders; and\n(4) Deployed Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure security, compliance and resilience control assignments accurately reflect current:\n(1) Contractual obligations for the External Service Provider (ESP);\n(2) Business practices;\n(3) Applicable stakeholders; and\n(4) Deployed Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF9",
          "CC3.4-POF5",
          "CC9.2-POF7",
          "CC9.2-POF12"
        ],
        "general-cis-csc-8-1": [
          "15.0"
        ],
        "general-iso-42001-2023": [
          "4.3"
        ],
        "general-nist-800-171-r3": [
          "03.16.03.c",
          "03.17.02",
          "03.17.03.a",
          "03.17.03.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.03.c"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06"
        ],
        "general-pci-dss-4-0-1": [
          "12.5.2.1",
          "12.5.3",
          "12.8",
          "12.8.1",
          "A3.2.1",
          "A3.2.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.5.2.1",
          "12.5.3",
          "12.8.1"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.1"
        ],
        "general-scf-dpmp-2025": [
          "10.4"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THIRD-PARTIES-2d"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.11(a)(3)",
          "500.11(a)(4)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.5(55)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1793"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.03.C",
          "03.17.02",
          "03.17.03.A",
          "03.17.03.B"
        ]
      }
    },
    {
      "control_id": "TPM-05.6",
      "title": "First-Party Declaration (1PD)",
      "family": "TPM",
      "description": "Mechanisms exist to obtain a First-Party Declaration(1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for security, compliance and resilience controls, including any flow-down requirements to subcontractors.",
      "scf_question": "Does the organization obtain a First-Party Declaration(1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for security, compliance and resilience controls, including any flow-down requirements to subcontractors?",
      "relative_weight": 7,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-TPM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain a First-Party Declaration(1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for security, compliance and resilience controls, including any flow-down requirements to subcontractors.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF8",
          "CC9.2-POF9",
          "CC9.2-POF10",
          "CC9.2-POF11",
          "CC9.2-POF12"
        ],
        "general-iso-21434-2021": [
          "RC-07-02"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.4",
          "PS-3.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.c.01",
          "03.16.03.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.03.c"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-tisax-6-0-3": [
          "8.2.2"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(b)(2)",
          "164.502(e)(1)(i)",
          "164.502(e)(1)(ii)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(b)(2)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)(1)",
          "500.4(b)(2)",
          "500.4(b)(3)",
          "500.4(b)(4)",
          "500.4(b)(5)",
          "500.11(a)(3)",
          "500.11(b)(4)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.3(9)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-sau-cgiot-2024": [
          "4-1-2"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.C.01",
          "03.16.03.C"
        ]
      }
    },
    {
      "control_id": "TPM-05.7",
      "title": "Break Clauses",
      "family": "TPM",
      "description": "Mechanisms exist to include \"break clauses\" within contracts for failure to meet contract criteria for security, compliance and/or resilience controls.",
      "scf_question": "Does the organization include \"break clauses\" within contracts for failure to meet contract criteria for security, compliance and/or resilience controls?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Contracts with ESP contain break clauses to enable penalty-free, early termination of a contract for cause, based on ESP cybersecurity and/or data protection practices deficiency(ies).",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to include \"break clauses\" within contracts for failure to meet contract criteria for security, compliance and/or resilience controls.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.5-POF1",
          "D6.6-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC9.2-POF8",
          "CC9.2-POF9",
          "P6.4-POF2",
          "P6.5-POF1",
          "P6.5-POF2",
          "P6.6-POF1"
        ],
        "general-nist-800-53-r5-2": [
          "SA-09(03)"
        ],
        "general-nist-800-82-r3": [
          "SA-09(03)"
        ],
        "general-nist-800-161-r1": [
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-9(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-9(3)"
        ],
        "general-nist-800-171-r3": [
          "03.17.01.a",
          "03.17.02",
          "03.17.03.b"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.H"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.504(e)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-9(CE-3)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7053(a)(5)",
          "7123(c)(15)"
        ],
        "emea-eu-dora-2023": [
          "Article 28.7",
          "Article 28.7(a)",
          "Article 28.7(b)",
          "Article 28.7(c)",
          "Article 28.7(d)",
          "Article 28.8",
          "Article 28.8(a)",
          "Article 28.8(b)",
          "Article 28.8(c)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1804"
        ],
        "apac-aus-ps-cps-230-2023": [
          "50(g)"
        ],
        "apac-ind-sebi-2024": [
          "GV.SC.S3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.17.01.A",
          "03.17.02",
          "03.17.03.B"
        ]
      }
    },
    {
      "control_id": "TPM-05.8",
      "title": "Third-Party Attestation (3PA)",
      "family": "TPM",
      "description": "Mechanisms exist to obtain an attestation from an independent Third-Party Assessment Organization (3PAO) that provides assurance of conformity with specified statutory, regulatory and contractual obligations for security, compliance and resilience controls, including any flow-down requirements to contractors and subcontractors.",
      "scf_question": "Does the organization obtain an attestation from an independent Third-Party Assessment Organization (3PAO) that provides assurance of conformity with specified statutory, regulatory and contractual obligations for security, compliance and resilience controls, including any flow-down requirements to contractors and subcontractors?",
      "relative_weight": 5,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Third-Party Management (TPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Third-party management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to obtain an attestation from an independent Third-Party Assessment Organization (3PAO) that provides assurance of conformity with specified statutory, regulatory and contractual obligations for security, compliance and resilience controls, including any flow-down requirements to contractors and subcontractors.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-iso-21434-2021": [
          "RC-07-02"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.4",
          "PS-3.2"
        ],
        "general-nist-800-171-r3": [
          "03.01.20.a",
          "03.01.20.b",
          "03.01.20.c.01",
          "03.16.03.a",
          "03.16.03.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.03.c"
        ],
        "general-tisax-6-0-3": [
          "8.2.2"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.5(c)"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S15",
          "PR.IP.S16"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.20.A",
          "03.01.20.B",
          "03.01.20.C.01",
          "03.16.03.A",
          "03.16.03.C"
        ]
      }
    },
    {
      "control_id": "TPM-06",
      "title": "Third-Party Personnel Security",
      "family": "TPM",
      "description": "Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.",
      "scf_question": "Does the organization control personnel security requirements including security roles and responsibilities for third-party providers?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to control personnel security requirements including security roles and responsibilities for third-party providers.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF5",
          "CC9.1"
        ],
        "general-cobit-2019": [
          "APO10.03"
        ],
        "general-csa-iot-2": [
          "POL-02"
        ],
        "general-iso-27002-2022": [
          "5.2",
          "5.19",
          "8.3"
        ],
        "general-iso-27017-2015": [
          "6.1",
          "6.1.1"
        ],
        "general-iso-27018-2025": [
          "5.2",
          "5.19",
          "8.30"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.4"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P3",
          "GV.PO-P4",
          "GV.AT-P4"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06",
          "ID.AM"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(4)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(b)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.1.4(c)",
          "10.2.1"
        ],
        "emea-isr-cmo-1-0": [
          "11.1",
          "11.3",
          "18.10",
          "19.5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1569"
        ],
        "apac-chn-pipl-2021": [
          "52"
        ],
        "apac-ind-sebi-2024": [
          "PR.AT.S3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.3"
        ]
      }
    },
    {
      "control_id": "TPM-07",
      "title": "Monitoring for Third-Party Information Disclosure",
      "family": "TPM",
      "description": "Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of organizational information.",
      "scf_question": "Does the organization monitor for evidence of unauthorized exfiltration or disclosure of organizational information?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to monitor for evidence of unauthorized exfiltration or disclosure of organizational information.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC9.1",
          "CC9.2-POF13"
        ],
        "general-shared-assessments-sig-2025": [
          "P.8"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "emea-deu-c5-2020": [
          "SSO-04"
        ],
        "emea-isr-cmo-1-0": [
          "11.5",
          "11.11"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP73",
          "HML73"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP64"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.27"
        ]
      }
    },
    {
      "control_id": "TPM-08",
      "title": "Review of Third-Party Services",
      "family": "TPM",
      "description": "Mechanisms exist to monitor, regularly review and assess External Service Providers (ESPs) for compliance with established contractual requirements for security, compliance and resilience controls.",
      "scf_question": "Does the organization monitor, regularly review and assess External Service Providers (ESPs) for compliance with established contractual requirements for security, compliance and resilience controls?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-TPM-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to monitor, regularly review and assess External Service Providers (ESPs) for compliance with established contractual requirements for security, compliance and resilience controls.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.4-POF2",
          "CC1.4-POF3",
          "CC3.4",
          "CC3.4-POF5",
          "CC9.1",
          "CC9.2-POF6",
          "CC9.2-POF7",
          "CC9.2-POF8",
          "CC9.2-POF12",
          "CC9.2-POF13"
        ],
        "general-cis-csc-8-1": [
          "15.0",
          "15.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.6"
        ],
        "general-cobit-2019": [
          "APO09.03",
          "APO09.04",
          "APO09.05",
          "APO10.05"
        ],
        "general-coso-2013": [
          "9"
        ],
        "general-csa-cmm-4-1-0": [
          "STA-10",
          "STA-12",
          "STA-13",
          "STA-14",
          "STA-15"
        ],
        "general-csa-iot-2": [
          "POL-02"
        ],
        "general-iso-27002-2022": [
          "5.19",
          "5.2",
          "5.22",
          "8.21"
        ],
        "general-iso-27017-2015": [
          "13.1.2",
          "15.2.1"
        ],
        "general-iso-27018-2025": [
          "5.19",
          "5.20",
          "5.22",
          "8.21"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-3.4"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.G"
        ],
        "general-nist-100-1-ai-rmf": [
          "MANAGE 3.0",
          "MANAGE 3.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P5"
        ],
        "general-nist-800-53-r4": [
          "SA-12(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SR-06",
          "SR-06(01)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SR-06"
        ],
        "general-nist-800-82-r3": [
          "SR-06",
          "SR-06(01)"
        ],
        "general-nist-800-82-r3-mod": [
          "SR-06"
        ],
        "general-nist-800-82-r3-high": [
          "SR-06"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SR-06(01)"
        ],
        "general-nist-800-161-r1": [
          "SR-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "SR-6"
        ],
        "general-nist-800-161-r1-level-3": [
          "SR-6"
        ],
        "general-nist-800-171-r3": [
          "03.16.03.c",
          "03.17.02"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.03.c"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-07",
          "ID.IM-01",
          "ID.IM-02"
        ],
        "general-owasp-top-10-2025": [
          "A02:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "12.4.2",
          "12.4.2.1",
          "12.8.4"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "12.8.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.8.4"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.8.4"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.8.4"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.8.4"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "12.8.4"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "12.8.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "12.4.2",
          "12.4.2.1",
          "12.8.4"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.8.4"
        ],
        "general-scf-dpmp-2025": [
          "10.0",
          "10.4"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-tisax-6-0-3": [
          "6.1.1"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EXD:SG4",
          "EXD:SG4.SP1"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.H"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THIRD-PARTIES-2d"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(5)(ii)",
          "609.930(c)(5)(iv)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SR-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SR-06"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(f)(3)"
        ],
        "usa-federal-irs-1075-2021": [
          "SR-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "CM-2(1)-IS",
          "CM-2(1)-IS.1",
          "CM-2(1)-IS.2",
          "CM-2(1)-IS.3"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7051(c)",
          "7053(b)",
          "7123(c)(15)"
        ],
        "usa-state-co-privacy-act-2021": [
          "6-1-1305(5)(d)(II)(B)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.11(a)(3)",
          "500.11(a)(4)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.3(9)"
        ],
        "emea-eu-dora-2023": [
          "Article 28.6",
          "Article 30.3(e)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.1.7(a)",
          "5.1.7(b)",
          "5.1.7(c)"
        ],
        "emea-deu-c5-2020": [
          "SSO-04",
          "SSO-05"
        ],
        "emea-isr-cmo-1-0": [
          "11.4",
          "11.5"
        ],
        "emea-sau-cgiot-2024": [
          "4-1-6"
        ],
        "emea-sau-otcc-1-2022": [
          "4-1-1-4"
        ],
        "emea-sau-pdpl-2023": [
          "Article 8"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1793"
        ],
        "apac-aus-ps-cps-230-2023": [
          "58(a)",
          "58(b)",
          "58(c)"
        ],
        "apac-aus-ps-cps-234-2019": [
          "28"
        ],
        "apac-ind-sebi-2024": [
          "GV.SC.S4"
        ],
        "apac-jpn-ppi-2020": [
          "24(3)"
        ],
        "apac-jpn-ismap": [
          "13.1.2.1",
          "15.2.1",
          "15.2.1.1",
          "15.2.1.2",
          "15.2.1.3",
          "15.2.1.4",
          "15.2.1.5",
          "15.2.1.6",
          "15.2.1.7",
          "15.2.1.8",
          "15.2.1.9",
          "15.2.1.10",
          "15.2.1.11",
          "15.2.1.12",
          "15.2.1.13"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP25",
          "HHSP73",
          "HML25",
          "HML73"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS04"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP64",
          "HSUP67"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.4.3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.27"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.03.C",
          "03.17.02"
        ]
      }
    },
    {
      "control_id": "TPM-09",
      "title": "Third-Party Deficiency Remediation",
      "family": "TPM",
      "description": "Mechanisms exist to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.",
      "scf_question": "Does the organization address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "D6.5-POF1",
          "D6.6-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC4.2",
          "CC9.1",
          "CC9.2-POF8",
          "P6.4-POF2",
          "P6.5-POF1",
          "P6.5-POF2",
          "P6.6-POF1"
        ],
        "general-cobit-2019": [
          "APO10.04"
        ],
        "general-coso-2013": [
          "17"
        ],
        "general-csa-iot-2": [
          "POL-01"
        ],
        "general-iso-27002-2022": [
          "5.19"
        ],
        "general-iso-27018-2025": [
          "5.19"
        ],
        "general-nist-800-171-r3": [
          "03.17.02"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-06",
          "GV.SC-07",
          "GV.SC-08"
        ],
        "general-owasp-top-10-2025": [
          "A02:2025",
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "A3.3.1.2"
        ],
        "general-scf-dpmp-2025": [
          "10.0",
          "10.4"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "general-un-155-2021": [
          "7.2.2.5"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EXD:SG4.SP2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7053(a)(5)",
          "7123(c)(15)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)(6)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3",
          "Article 21.4"
        ],
        "emea-deu-c5-2020": [
          "SSO-04"
        ],
        "emea-sau-cgiot-2024": [
          "4-1-6"
        ],
        "emea-sau-ecc-1-2018": [
          "4-1-2-3"
        ],
        "apac-ind-sebi-2024": [
          "GV.SC.S4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.7",
          "4.27"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.17.02"
        ]
      }
    },
    {
      "control_id": "TPM-10",
      "title": "Managing Changes To Third-Party Services",
      "family": "TPM",
      "description": "Mechanisms exist to control changes to services by suppliers, taking into account the criticality of business Technology Assets, Applications, Services and/or Data (TAASD) that are in scope by the third-party.",
      "scf_question": "Does the organization control changes to services by suppliers, taking into account the criticality of business Technology Assets, Applications, Services and/or Data (TAASD) that are in scope by the third-party?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to control changes to services by suppliers, taking into account the criticality of business TAASD that are in scope by the third-party.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Data Protection Impact Assessment (DPIA)\n∙ Third-party contract requirements for cybersecurity controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.4",
          "CC3.4-POF5",
          "CC9.1",
          "CC9.2-POF8"
        ],
        "general-cis-csc-8-1": [
          "15.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "15.7"
        ],
        "general-cobit-2019": [
          "APO10.04"
        ],
        "general-coso-2013": [
          "9"
        ],
        "general-csa-cmm-4-1-0": [
          "STA-10"
        ],
        "general-govramp": [
          "SA-04"
        ],
        "general-govramp-mod": [
          "SA-04"
        ],
        "general-govramp-high": [
          "SA-04"
        ],
        "general-iso-27002-2022": [
          "5.2",
          "5.22"
        ],
        "general-iso-27017-2015": [
          "15.2.2"
        ],
        "general-iso-27018-2025": [
          "5.20",
          "5.22"
        ],
        "general-nist-800-53-r4": [
          "SA-4"
        ],
        "general-nist-800-53-r5-2": [
          "SA-04"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-04"
        ],
        "general-nist-800-53-r5-2-low": [
          "SA-04"
        ],
        "general-nist-800-82-r3": [
          "SA-04"
        ],
        "general-nist-800-82-r3-low": [
          "SA-04"
        ],
        "general-nist-800-82-r3-mod": [
          "SA-04"
        ],
        "general-nist-800-82-r3-high": [
          "SA-04"
        ],
        "general-nist-800-161-r1": [
          "SA-4"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SA-4"
        ],
        "general-nist-800-161-r1-level-1": [
          "SA-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "SA-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "SA-4"
        ],
        "general-nist-800-171-r3": [
          "03.16.01",
          "03.17.02"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-08"
        ],
        "general-scf-dpmp-2025": [
          "10.0",
          "10.4"
        ],
        "general-shared-assessments-sig-2025": [
          "K.6"
        ],
        "general-swift-cscf-2025": [
          "2.8"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.I"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SA-4"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-04"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-04"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-04"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-04"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-4"
        ],
        "usa-federal-cms-marse-2-0": [
          "SA-4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(15)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SA-04"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SA-04"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SA-04"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "5.1.7(d)"
        ],
        "emea-deu-c5-2020": [
          "SSO-04",
          "SSO-05"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.4.2 [OP.EXT.2]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1794"
        ],
        "apac-ind-sebi-2024": [
          "GV.SC.S4"
        ],
        "apac-jpn-ppi-2020": [
          "24(3)"
        ],
        "apac-jpn-ismap": [
          "15.2.1.14",
          "15.2.1.15",
          "15.2.2",
          "15.2.2.1",
          "15.2.2.2",
          "15.2.2.3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.27"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.16.01",
          "03.17.02"
        ]
      }
    },
    {
      "control_id": "TPM-11",
      "title": "Third-Party Incident Response & Recovery Capabilities",
      "family": "TPM",
      "description": "Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers.",
      "scf_question": "Does the organization ensure response/recovery planning and testing are conducted with critical suppliers/providers?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TPM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Third-Party Management (TPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with TPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Third-party management-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Third-Party Management (TPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Third-party management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Asset management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure response/recovery planning and testing are conducted with critical suppliers/providers.",
        "4": "Third-Party Management (TPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls",
        "small": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls",
        "medium": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls",
        "large": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls",
        "enterprise": "∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program\n∙ Third-party contract requirements for cybersecurity controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Third-Party Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC7.3",
          "P6.5",
          "P6.6"
        ],
        "general-csa-iot-2": [
          "IMT-01",
          "OPA-05",
          "POL-01"
        ],
        "general-cr-cmm-2026": [
          "CR7.3.6"
        ],
        "general-iso-27002-2022": [
          "5.19"
        ],
        "general-iso-27018-2025": [
          "5.19"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-6.2-003"
        ],
        "general-nist-800-53-r5-2": [
          "IR-04(10)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-04(10)"
        ],
        "general-nist-800-82-r3": [
          "IR-04(10)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "IR-04(10)"
        ],
        "general-nist-800-161-r1": [
          "IR-4(10)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "IR-4(10)"
        ],
        "general-nist-800-161-r1-level-2": [
          "IR-4(10)"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-08"
        ],
        "general-pci-dss-4-0-1": [
          "10.7",
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "10.7.2",
          "10.7.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "10.7.1",
          "10.7.2",
          "10.7.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-04(10)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-04(10)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-04(10)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-04(10)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-013-2 1.2.1",
          "CIP-013-2 1.2.2"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.3(8)(b)"
        ],
        "emea-isr-cmo-1-0": [
          "25.17"
        ],
        "emea-sau-ecc-1-2018": [
          "4-1-2-2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.28"
        ]
      }
    },
    {
      "control_id": "TPM-12",
      "title": "Foreign Ownership, Control or Influence (FOCI)",
      "family": "TPM",
      "description": "Mechanisms exist to minimize risk associated with Foreign Ownership, Control or Influence (FOCI) through Supply Chain Risk Management (SCRM) practices.",
      "scf_question": "Does the organization minimize risk associated with Foreign Ownership, Control or Influence (FOCI) through Supply Chain Risk Management (SCRM) practices?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to minimize risk associated with Foreign Ownership, Control or Influence (FOCI) through Supply Chain Risk Management (SCRM) practices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Vendor criticality assessment\n∙ Identify and document critical suppliers",
        "small": "∙ Vendor criticality assessment\n∙ Identify and document critical suppliers",
        "medium": "∙ Formal critical supplier identification and management process",
        "large": "∙ Enterprise critical supplier management program\n∙ C-SCRM program",
        "enterprise": "∙ Enterprise supply chain risk management (C-SCRM) program\n∙ Automated critical supplier monitoring"
      },
      "risks": [
        "R-GV-5",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- new control (SCF)",
      "family_name": "Third-Party Management",
      "crosswalks": {}
    },
    {
      "control_id": "TPM-12.1",
      "title": "Ownership Change Monitoring",
      "family": "TPM",
      "description": "Mechanisms exist to periodically review External Service Providers (ESP) for changes that affect Foreign Ownership, Control or Influence (FOCI).",
      "scf_question": "Does the organization periodically review External Service Providers (ESP) for changes that affect Foreign Ownership, Control or Influence (FOCI)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to periodically review External Service Providers (ESP) for changes that affect Foreign Ownership, Control or Influence (FOCI).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "medium": "∙ Supplier contingency planning for critical vendors",
        "large": "∙ Enterprise critical supplier contingency plans\n∙ Alternate supplier identification",
        "enterprise": "∙ Enterprise supply chain resilience program\n∙ Alternate supplier qualification\n∙ Automated supply chain risk monitoring"
      },
      "risks": [
        "R-GV-5",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- new control (SCF)",
      "family_name": "Third-Party Management",
      "crosswalks": {}
    },
    {
      "control_id": "TPM-12.2",
      "title": "Ownership Change Provisions",
      "family": "TPM",
        "description": "Mechanisms exist to contractually impose safeguards (e.g., additional controls, access modification, contract termination, etc.) from Foreign Ownership, Control or Influence (FOCI) concerns to ensure that:\n(1) Unauthorized access to sensitive and/or regulated data is prevented; and\n(2) Performance of contracts is not adversely affected.",
        "scf_question": "Does the organization contractually impose safeguards (e.g., additional controls, access modification, contract termination, etc.) from Foreign Ownership, Control or Influence (FOCI) concerns to ensure that:\n(1) Unauthorized access to sensitive and/or regulated data is prevented; and\n(2) Performance of contracts is not adversely affected?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Third-Party Management (TPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with TPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with TPM domain capabilities are well-documented and kept current by process owners.\n▪ A procurement team, or similar function, is appropriately staffed and supported to implement and maintain TPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of third-party management operations (e.g., TPRM risk management solution, vendor management solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with TPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to contractually impose safeguards (e.g., additional controls, access modification, contract termination, etc.) from Foreign Ownership, Control or Influence (FOCI) concerns to ensure that:\n(1) Unauthorized access to sensitive and/or regulated data is prevented; and\n(2) Performance of contracts is not adversely affected.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "large": "∙ Supply chain penetration testing for critical systems",
        "enterprise": "∙ Enterprise supply chain security testing program (e.g., hardware/firmware analysis)"
      },
      "risks": [
        "R-AM-2",
        "R-BC-2",
        "R-EX-5",
        "R-EX-7",
        "R-GV-2",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-14",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- new control (SCF)",
      "family_name": "Third-Party Management",
      "crosswalks": {}
    },
    {
      "control_id": "THR-01",
      "title": "Threat Intelligence Program",
      "family": "THR",
      "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
      "scf_question": "Does the organization implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-THR-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Threat Management (THR) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with THR domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Threat management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel subscribe to threat feeds to maintain situational awareness of emerging threats.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "4": "Threat Management (THR) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Subscribe to free threat intelligence feeds (e.g., CISA alerts)",
        "small": "∙ CISA alerts subscription\n∙ Basic threat awareness program",
        "medium": "∙ Threat intelligence program",
        "large": "∙ Threat intelligence program",
        "enterprise": "∙ Threat intelligence program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF6",
          "CC3.2-POF7",
          "CC3.3",
          "CC3.3-POF1",
          "CC3.3-POF2",
          "CC3.3-POF3",
          "CC3.3-POF4",
          "CC3.3-POF5",
          "CC3.4-POF6",
          "CC9.1",
          "CC9.2-POF13"
        ],
        "general-coso-2013": [
          "8"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-04"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.4.1"
        ],
        "general-iso-27002-2022": [
          "5.7"
        ],
        "general-iso-27018-2025": [
          "5.7"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(5)",
          "4.D(4)"
        ],
        "general-nist-800-53-r4": [
          "PM-16"
        ],
        "general-nist-800-53-r5-2": [
          "PM-15",
          "PM-16"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-15"
        ],
        "general-nist-800-82-r3": [
          "PM-15",
          "PM-16"
        ],
        "general-nist-800-82-r3-low": [
          "PM-15",
          "PM-16"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-15",
          "PM-16"
        ],
        "general-nist-800-82-r3-high": [
          "PM-15",
          "PM-16"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PM-16"
        ],
        "general-nist-800-161-r1": [
          "AT-3(6)",
          "PM-15",
          "PM-16"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-15",
          "PM-16"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-3(6)",
          "PM-15",
          "PM-16"
        ],
        "general-nist-800-171-r2": [
          "3.12.3",
          "3.14.3"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.a",
          "03.14.03.a"
        ],
        "general-nist-800-207": [
          "NIST Tenet 7"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-03",
          "ID.RA-08",
          "DE",
          "DE.AE-07"
        ],
        "general-pci-dss-4-0-1": [
          "6.3",
          "A3.5.1"
        ],
        "general-sparta": [
          "CM0009"
        ],
        "general-un-155-2021": [
          "7.2.2.2(g)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(g)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.ETINT"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.G",
          "1.H",
          "3.A"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CAL2.-3.12.3",
          "SIL2.-3.14.3"
        ],
        "usa-federal-law-facta-fcra-2023": [
          "615(e)(2)(A)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-15"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-15"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-15"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-15"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-15",
          "PM-16"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)(5)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.10(a)(2)",
          "500.10(a)(3)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-15",
          "PM-16"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(2)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.1",
          "Article 45.1",
          "Article 45.1(a)",
          "Article 45.1(b)",
          "Article 45.1(c)",
          "Article 45.2",
          "Article 45.3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "3.10",
          "5.3"
        ],
        "emea-isr-cmo-1-0": [
          "23.1",
          "23.4"
        ],
        "emea-sau-cgiot-2024": [
          "2-12-4"
        ],
        "emea-sau-ecc-1-2018": [
          "2-10-4",
          "2-13-1",
          "2-13-2",
          "2-13-3",
          "2-13-4"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.16"
        ],
        "emea-gbr-caf-4-0": [
          "A2.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1204"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1204"
        ],
        "apac-aus-ps-cps-234-2019": [
          "17"
        ],
        "apac-ind-sebi-2024": [
          "EV.ST.S1"
        ],
        "apac-jpn-ismap": [
          "5.1.1.4"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.2.1",
          "13.5.1",
          "13.5.2",
          "14.3.1",
          "14.3.2",
          "14.3.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.3"
        ],
        "americas-can-osfi-b13-2022": [
          "3.0",
          "3.1",
          "3.1.1",
          "3.1.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.A",
          "03.14.03.A"
        ]
      }
    },
    {
      "control_id": "THR-02",
      "title": "Indicators of Exposure (IOE)",
      "family": "THR",
      "description": "Mechanisms exist to develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization.",
      "scf_question": "Does the organization develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-THR-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Threat Management (THR) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with THR domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Threat management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization.",
        "4": "Threat Management (THR) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Threat Management (THR) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Indicators of Exposure (IoE)",
        "small": "∙ Indicators of Exposure (IoE)",
        "medium": "∙ Indicators of Exposure (IoE)",
        "large": "∙ Indicators of Exposure (IoE)",
        "enterprise": "∙ Indicators of Exposure (IoE)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF6",
          "CC3.2-POF7",
          "CC3.3",
          "CC9.2-POF13"
        ],
        "general-coso-2013": [
          "8"
        ],
        "general-cr-cmm-2026": [
          "CR3.3.2"
        ],
        "general-iso-27002-2022": [
          "5.7"
        ],
        "general-iso-27018-2025": [
          "5.7"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-03",
          "ID.RA-05",
          "ID.RA-08",
          "DE",
          "DE.CM"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.DTDIS"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "3.A"
        ],
        "emea-isr-cmo-1-0": [
          "23.3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-12-2-8"
        ],
        "apac-sgp-mas-trm-2021": [
          "14.3.1",
          "14.3.2",
          "14.3.3"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1"
        ]
      }
    },
    {
      "control_id": "THR-03",
      "title": "Threat Intelligence Feeds",
      "family": "THR",
      "description": "Mechanisms exist to maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.",
      "scf_question": "Does the organization maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-THR-03"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Threat Management (THR) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with THR domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Threat management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel subscribe to threat feeds to maintain situational awareness of emerging threats.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel in supervisory positions subscribe to news feeds from groups and associations to facilitate ongoing education and training.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.",
        "4": "Threat Management (THR) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters",
        "small": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters",
        "medium": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters\n∙ InfraGard (https://infragard.org)",
        "large": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters\n∙ InfraGard (https://infragard.org)",
        "enterprise": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters\n∙ InfraGard (https://infragard.org)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF6",
          "CC3.2-POF7",
          "CC9.2-POF13"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-05",
          "TVM-06"
        ],
        "general-csa-iot-2": [
          "MON-11"
        ],
        "general-govramp": [
          "SI-05",
          "SI-05(01)"
        ],
        "general-govramp-low": [
          "SI-05"
        ],
        "general-govramp-low-plus": [
          "SI-05"
        ],
        "general-govramp-mod": [
          "SI-05"
        ],
        "general-govramp-high": [
          "SI-05",
          "SI-05(01)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.4.1"
        ],
        "general-iso-27001-2022": [
          "7.4",
          "7.4(a)",
          "7.4(b)",
          "7.4(c)",
          "7.4(d)"
        ],
        "general-iso-27002-2022": [
          "5.7"
        ],
        "general-iso-27018-2025": [
          "5.7"
        ],
        "general-mitre-att&ck-16-1": [
          "T1068",
          "T1210",
          "T1211",
          "T1212"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.2"
        ],
        "general-nist-800-53-r4": [
          "SI-5",
          "SI-5(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PM-16(01)",
          "SI-05",
          "SI-05(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "SI-05"
        ],
        "general-nist-800-53-r5-2-high": [
          "SI-05(01)"
        ],
        "general-nist-800-82-r3": [
          "PM-16(01)",
          "SI-05",
          "SI-05(01)"
        ],
        "general-nist-800-82-r3-low": [
          "SI-05"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-05"
        ],
        "general-nist-800-82-r3-high": [
          "SI-05"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PM-16(01)"
        ],
        "general-nist-800-161-r1": [
          "AT-3(6)",
          "SI-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SI-5"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SI-5"
        ],
        "general-nist-800-161-r1-level-1": [
          "SI-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-3(6)",
          "SI-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-5"
        ],
        "general-nist-800-171-r2": [
          "3.12.3",
          "3.14.3"
        ],
        "general-nist-800-171-r3": [
          "03.02.01.a.02",
          "03.02.01.a.03",
          "03.02.01.b",
          "03.02.02.b",
          "03.11.02.a",
          "03.14.03.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.14.03.a"
        ],
        "general-nist-800-172": [
          "3.11.1e",
          "3.14.6e"
        ],
        "general-nist-800-207": [
          "NIST Tenet 7"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-02",
          "ID.RA-03",
          "ID.RA-08",
          "DE",
          "DE.AE-07"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.1"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "general-tisax-6-0-3": [
          "5.2.5"
        ],
        "general-un-155-2021": [
          "7.2.2.2(g)",
          "7.2.2.2(h)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(g)",
          "7.2.2.2(h)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.ETINT",
          "3.UNI.VMANG"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "3.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1a",
          "THREAT-1b",
          "THREAT-1e",
          "THREAT-2f",
          "THREAT-2j",
          "THREAT-2k",
          "RISK-2k",
          "SITUATION-3e"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "CAL2.-3.12.3",
          "SIL2.-3.14.3"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.1E",
          "SI.L3-3.14.6E"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.3.3",
          "6.7.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-05",
          "SI-05(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-05"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-5",
          "SI-5.a",
          "SI-5.b",
          "SI-5.c",
          "SI-5.d"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SI-05"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SI-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-05"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.3(21)"
        ],
        "emea-eu-dora-2023": [
          "Article 13.1"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.10.2(a)"
        ],
        "emea-deu-bsrit-2017": [
          "5.3"
        ],
        "emea-isr-cmo-1-0": [
          "23.2"
        ],
        "emea-sau-cgiot-2024": [
          "2-12-4"
        ],
        "emea-sau-ecc-1-2018": [
          "2-10-3-5",
          "2-13-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "1-8-3",
          "2-12-2-8"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1204",
          "3110"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3110"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1204",
          "3110"
        ],
        "apac-ind-sebi-2024": [
          "EV.ST.S1",
          "EV.ST.S4",
          "ID.RA.S3",
          "RS.AN.S1"
        ],
        "apac-jpn-ismap": [
          "4.9",
          "4.9.2.2",
          "6.1.4.3",
          "12.2.1.12",
          "12.2.1.13"
        ],
        "apac-sgp-mas-trm-2021": [
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.7"
        ],
        "americas-can-osfi-b13-2022": [
          "3.0",
          "3.1",
          "3.1.1",
          "3.1.5"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.02.01.A.02",
          "03.02.01.A.03",
          "03.02.01.B",
          "03.02.02.B",
          "03.11.02.A",
          "03.14.03.A"
        ]
      }
    },
    {
      "control_id": "THR-03.1",
      "title": "Threat Intelligence Reporting",
      "family": "THR",
      "description": "Mechanisms exist to utilize external threat intelligence feeds to generate and disseminate organization-specific security alerts, advisories and/or directives.",
      "scf_question": "Does the organization utilize external threat intelligence feeds to generate and disseminate organization-specific security alerts, advisories and/or directives?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Threat Management (THR) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with THR domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Threat management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel subscribe to threat feeds to maintain situational awareness of emerging threats.\n▪ IT and/or cybersecurity personnel provide limited threat intelligence feeds to employees for situational awareness of evolving threats.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ Threat feeds are utilized to maintain situational awareness of emerging threats.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize external threat intelligence feeds to generate and disseminate organization-specific security alerts, advisories and/or directives.",
        "4": "Threat Management (THR) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters",
        "small": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters",
        "medium": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters\n∙ InfraGard (https://infragard.org)",
        "large": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters\n∙ InfraGard (https://infragard.org)",
        "enterprise": "∙ US-CERT mailing lists & feeds\n∙ Internal newsletters\n∙ InfraGard (https://infragard.org)"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-bsi-200-1-1-0": [
          "4.2"
        ],
        "general-iso-27002-2022": [
          "5.7"
        ],
        "general-iso-27018-2025": [
          "5.7"
        ],
        "general-nist-800-171-r3": [
          "03.14.03.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.14.03.b[01]",
          "A.03.14.03.b[02]"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1i",
          "THREAT-2b",
          "THREAT-2h",
          "THREAT-2k"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "7.5",
          "7.5.1",
          "7.5.2"
        ],
        "emea-sau-cgiot-2024": [
          "2-12-4"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1204",
          "3110"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "3110"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1204",
          "3110"
        ],
        "apac-ind-sebi-2024": [
          "RS.AN.S1"
        ],
        "apac-jpn-ismap": [
          "4.9",
          "4.9.1.1",
          "4.9.2.1",
          "4.9.2.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.03.B"
        ]
      }
    },
    {
      "control_id": "THR-04",
      "title": "Insider Threat Program",
      "family": "THR",
      "description": "Mechanisms exist to implement an insider threat program that includes a cross-discipline insider threat incident handling team.",
      "scf_question": "Does the organization implement an insider threat program that includes a cross-discipline insider threat incident handling team?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-THR-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Threat Management (THR) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with THR domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Threat management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement an insider threat program that includes a cross-discipline insider threat incident handling team.",
        "4": "Threat Management (THR) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Subscribe to free threat intelligence feeds (e.g., CISA alerts)",
        "small": "∙ CISA alerts subscription\n∙ Basic threat awareness program",
        "medium": "∙ Insider threat program",
        "large": "∙ Insider threat program",
        "enterprise": "∙ Insider threat program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.3",
          "CC3.3-POF1",
          "CC3.3-POF2",
          "CC3.3-POF3",
          "CC3.3-POF4",
          "CC3.3-POF5"
        ],
        "general-coso-2013": [
          "8"
        ],
        "general-nist-800-53-r4": [
          "PM-12"
        ],
        "general-nist-800-53-r5-2": [
          "PM-12"
        ],
        "general-nist-800-82-r3": [
          "PM-12"
        ],
        "general-nist-800-82-r3-low": [
          "PM-12"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-12"
        ],
        "general-nist-800-82-r3-high": [
          "PM-12"
        ],
        "general-nist-800-161-r1": [
          "PM-12"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-12"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-12"
        ],
        "general-nist-800-161-r1-level-3": [
          "PM-12"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-03"
        ],
        "general-sparta": [
          "CM0052"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-12"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-12"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)(4)",
          "§117.18(b)(4)(i)",
          "§117.18(b)(4)(ii)",
          "§117.18(b)(4)(iii)",
          "§117.18(b)(4)(iv)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1625",
          "ISM-1626"
        ],
        "americas-can-osfi-b13-2022": [
          "3.0"
        ]
      }
    },
    {
      "control_id": "THR-05",
      "title": "Insider Threat Awareness",
      "family": "THR",
      "description": "Mechanisms exist to utilize security awareness training on recognizing and reporting potential indicators of insider threat.",
      "scf_question": "Does the organization utilize security awareness training on recognizing and reporting potential indicators of insider threat?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-SAT-04",
        "E-SAT-05",
        "E-THR-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize security awareness training on recognizing and reporting potential indicators of insider threat.",
        "4": "Threat Management (THR) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic insider threat awareness for all employees",
        "small": "∙ Insider threat awareness training\n∙ Reporting procedure for suspicious behavior",
        "medium": "∙ Formal insider threat awareness program\n∙ Reporting hotline or mechanism",
        "large": "∙ Enterprise insider threat program\n∙ Behavioral monitoring\n∙ UEBA integration",
        "enterprise": "∙ Enterprise insider threat program (NITTF-aligned)\n∙ Dedicated insider threat team\n∙ UEBA platform (e.g., Varonis, Securonix)\n∙ Anonymous reporting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-govramp": [
          "AT-02(02)"
        ],
        "general-govramp-low-plus": [
          "AT-02(02)"
        ],
        "general-govramp-mod": [
          "AT-02(02)"
        ],
        "general-govramp-high": [
          "AT-02(02)"
        ],
        "general-nist-800-53-r4": [
          "AT-2(2)"
        ],
        "general-nist-800-53-r5-2": [
          "AT-02(02)"
        ],
        "general-nist-800-53-r5-2-low": [
          "AT-02(02)"
        ],
        "general-nist-800-82-r3": [
          "AT-02(02)"
        ],
        "general-nist-800-82-r3-low": [
          "AT-02(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "AT-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "AT-02(02)"
        ],
        "general-nist-800-161-r1": [
          "AT-2(2)"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AT-2(2)"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AT-2(2)"
        ],
        "general-nist-800-161-r1-level-2": [
          "AT-2(2)"
        ],
        "general-nist-800-171-r2": [
          "3.2.3"
        ],
        "general-nist-800-171-r3": [
          "03.02.01.a.03"
        ],
        "general-nist-800-171a": [
          "3.2.3[a]",
          "3.2.3[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.02.01.a.03[01]",
          "A.03.02.01.a.03[02]"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-03"
        ],
        "general-sparta": [
          "CM0052"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AT-2(2)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ATL2.-3.2.3"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AT-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AT-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AT-02(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AT-02(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "AT-2(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "AT-2(2)"
        ],
        "usa-federal-nispom-2020": [
          "§117.12(g)",
          "§117.12(g)(1)",
          "§117.12(g)(1)(i)",
          "§117.12(g)(1)(ii)",
          "§117.12(g)(1)(iii)",
          "§117.12(g)(1)(iv)",
          "§117.12(g)(2)",
          "§117.12(g)(2)(i)",
          "§117.12(g)(2)(ii)",
          "§117.12(g)(2)(iii)",
          "§117.12(g)(2)(iv)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AT-02(2)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AT-02 (02)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1625",
          "ISM-1626"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.02.01.A.03"
        ]
      }
    },
    {
      "control_id": "THR-06",
      "title": "Vulnerability Disclosure Program (VDP)",
      "family": "THR",
      "description": "Mechanisms exist to establish a Vulnerability Disclosure Program (VDP) to assist with the secure development and maintenance of Technology Assets, Applications and/or Services (TAAS) that receives unsolicited input from the public about vulnerabilities in organizational TAAS.",
      "scf_question": "Does the organization establish a Vulnerability Disclosure Program (VDP) to assist with the secure development and maintenance of Technology Assets, Applications and/or Services (TAAS) that receives unsolicited input from the public about vulnerabilities in organizational TAAS?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-TDA-16"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to establish a Vulnerability Disclosure Program (VDP) to assist with the secure development and maintenance of Technology Assets, Applications and/or Services (TAAS) that receives unsolicited input from the public about vulnerabilities in organizational TAAS.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Subscribe to free threat intelligence feeds (e.g., CISA alerts)",
        "small": "∙ CISA alerts subscription\n∙ Basic threat awareness program",
        "medium": "∙ Vulnerability Disclosure Program (VDP)\n∙ \"bug bounty\" program",
        "large": "∙ Vulnerability Disclosure Program (VDP)\n∙ \"bug bounty\" program",
        "enterprise": "∙ Vulnerability Disclosure Program (VDP)\n∙ \"bug bounty\" program"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.2"
        ],
        "general-csa-iot-2": [
          "TRN-03",
          "SET-05"
        ],
        "general-nist-800-53-r5-2": [
          "RA-05(11)"
        ],
        "general-nist-800-53-r5-2-low": [
          "RA-05(11)"
        ],
        "general-nist-800-82-r3": [
          "RA-05(11)"
        ],
        "general-nist-800-82-r3-low": [
          "RA-05(11)"
        ],
        "general-nist-800-82-r3-mod": [
          "RA-05(11)"
        ],
        "general-nist-800-82-r3-high": [
          "RA-05(11)"
        ],
        "general-nist-800-218": [
          "RV.1.3"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.1"
        ],
        "general-scf-dpmp-2025": [
          "5.15"
        ],
        "general-shared-assessments-sig-2025": [
          "T.2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "4.c"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "4.B"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-5(11)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1m"
        ],
        "usa-federal-eo-14028": [
          "4e(iv)",
          "4e(viii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "RA-05(11)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-05(11)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-05(11)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "RA-05(11)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(6)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "RA-05(11)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 1.2(5)"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1616",
          "ISM-1717",
          "ISM-1755",
          "ISM-1756"
        ],
        "apac-aus-cop-sitc-2020": [
          "Principle 2"
        ],
        "apac-nzl-ism-3-9": [
          "5.9.23.C.01",
          "5.9.24.C.01",
          "5.9.24.C.02",
          "5.9.25.C.01",
          "5.9.26.C.01",
          "5.9.26.C.02",
          "5.9.27.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "13.2.2"
        ]
      }
    },
    {
      "control_id": "THR-06.1",
      "title": "Security Disclosure Contact Information",
      "family": "THR",
      "description": "Mechanisms exist to enable public submissions of discovered or potential security vulnerabilities.",
      "scf_question": "Does the organization enable public submissions of discovered or potential security vulnerabilities?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to enable public submissions of discovered or potential security vulnerabilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Subscribe to free threat intelligence feeds (e.g., CISA alerts)",
        "small": "∙ CISA alerts subscription\n∙ Basic threat awareness program",
        "medium": "∙ Vulnerability Disclosure Program (VDP)\n∙ \"bug bounty\" program",
        "large": "∙ Vulnerability Disclosure Program (VDP)\n∙ \"bug bounty\" program",
        "enterprise": "∙ Vulnerability Disclosure Program (VDP)\n∙ \"bug bounty\" program"
      },
      "risks": [
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "usa-federal-dhs-cisa-cpg-2-0": [
          "4.B",
          "4.C"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(6)"
        ],
        "emea-eu-cyber-resilience-act-annexes-2022": [
          "Annex 2.2"
        ]
      }
    },
    {
      "control_id": "THR-07",
      "title": "Threat Hunting",
      "family": "THR",
      "description": "Mechanisms exist to perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls.",
      "scf_question": "Does the organization perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-THR-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Subscribe to free threat intelligence feeds (e.g., CISA alerts)",
        "small": "∙ CISA alerts subscription\n∙ Basic threat awareness program",
        "medium": "∙ Threat hunting capability",
        "large": "∙ Threat hunting capability",
        "enterprise": "∙ Threat hunting capability"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR2.2.4"
        ],
        "general-mitre-att&ck-16-1": [
          "T1068",
          "T1190",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1210",
          "T1211",
          "T1212"
        ],
        "general-nist-800-53-r5-2": [
          "RA-10",
          "SC-48"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-48"
        ],
        "general-nist-800-82-r3": [
          "RA-10",
          "SC-48"
        ],
        "general-nist-800-160-vol-2-r1": [
          "RA-10",
          "SC-48"
        ],
        "general-nist-800-161-r1": [
          "RA-10"
        ],
        "general-nist-800-161-r1-level-1": [
          "RA-10"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-10"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-10"
        ],
        "general-nist-800-172": [
          "3.11.1e",
          "3.11.2e",
          "3.14.6e"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-03",
          "DE"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.1E",
          "RA.L3-3.11.2E",
          "SI.L3-3.14.6E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-48"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-48"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-48"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-48"
        ],
        "emea-gbr-caf-4-0": [
          "C2",
          "C2.a (point 1)",
          "C2.a (point 2)",
          "C2.a (point 3)",
          "C2.a (point 4)",
          "C2.a (point 5)",
          "C2.a (point 6)",
          "C2.a (point 7)",
          "C2.a (point 8)"
        ],
        "apac-ind-sebi-2024": [
          "DE.DP.S5"
        ],
        "americas-can-osfi-b13-2022": [
          "3.0"
        ]
      }
    },
    {
      "control_id": "THR-08",
      "title": "Tainting",
      "family": "THR",
      "description": "Mechanisms exist to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.",
      "scf_question": "Does the organization embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Use honeypots or canary tokens to detect attackers",
        "large": "∙ Deception technology (honeypots, canary tokens) for threat detection",
        "enterprise": "∙ Enterprise deception platform (e.g., Thinkst Canary, Attivo)\n∙ Integrated with SIEM/SOAR for automated response"
      },
      "risks": [
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-nist-800-53-r5-2": [
          "SI-20"
        ],
        "general-nist-800-82-r3": [
          "SI-20"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SI-20"
        ],
        "general-nist-800-161-r1": [
          "SI-20"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SI-20"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-20"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-20"
        ]
      }
    },
    {
      "control_id": "THR-09",
      "title": "Threat Catalog",
      "family": "THR",
      "description": "Mechanisms exist to develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade.",
      "scf_question": "Does the organization develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-THR-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented threat catalog",
        "small": "∙ Documented threat catalog",
        "medium": "∙ Documented threat catalog",
        "large": "∙ Documented threat catalog",
        "enterprise": "∙ Documented threat catalog"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "S7.2-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "A1.2-POF11",
          "CC3.2-POF6",
          "CC9.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.4.1"
        ],
        "general-iso-21434-2021": [
          "RQ-15-01"
        ],
        "general-iso-22301-2019": [
          "6.1.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(2)",
          "4.C(5)"
        ],
        "general-nist-800-39": [
          "TASK 2-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.02.a.03"
        ],
        "general-nist-800-172": [
          "3.11.5e"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-03",
          "ID.RA-04",
          "ID.RA-05",
          "PR.IR-02",
          "DE"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "general-ul-2900-1-2017": [
          "12.1(b)"
        ],
        "general-un-155-2021": [
          "7.2.2.2(b)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(b)"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "3.A"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-2j"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "RA.L3-3.11.5E"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(1)"
        ],
        "emea-eu-nis2-annex-2024": [
          "13.2.1"
        ],
        "emea-deu-bsrit-2017": [
          "3.3",
          "5.3"
        ],
        "emea-sau-cgiot-2024": [
          "1-4-4"
        ],
        "emea-gbr-caf-4-0": [
          "A2.b",
          "C1.f"
        ],
        "americas-can-osfi-b13-2022": [
          "3.0",
          "3.1.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.02.A.03"
        ]
      }
    },
    {
      "control_id": "THR-10",
      "title": "Threat Analysis",
      "family": "THR",
      "description": "Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.",
      "scf_question": "Does the organization identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-THR-07"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Threat Management (THR) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with THR domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Threat management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented threat analysis",
        "small": "∙ Documented threat analysis",
        "medium": "∙ Documented threat analysis",
        "large": "∙ Documented threat analysis",
        "enterprise": "∙ Documented threat analysis"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "A1.2-POF11",
          "CC3.2-POF6",
          "CC3.2-POF9",
          "CC3.4-POF6"
        ],
        "general-coso-2013": [
          "8"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-10"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.6.2"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.2.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(2)",
          "4.C(3)",
          "4.C(5)"
        ],
        "general-nist-800-39": [
          "TASK 2-1"
        ],
        "general-nist-800-171-r3": [
          "03.14.03.b"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-04",
          "ID.RA-05",
          "DE",
          "DE.AE-07"
        ],
        "general-swift-cscf-2025": [
          "7.4A"
        ],
        "general-ul-2900-1-2017": [
          "12.1(c)"
        ],
        "general-un-155-2021": [
          "7.2.2.2(b)",
          "7.2.2.2(g)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(b)",
          "7.2.2.2(g)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-2c",
          "THREAT-2e",
          "THREAT-2g",
          "THREAT-2i"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(iv)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(a)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(1)"
        ],
        "emea-deu-bsrit-2017": [
          "3.10",
          "5.3"
        ],
        "emea-sau-cgiot-2024": [
          "1-4-4"
        ],
        "apac-ind-sebi-2024": [
          "ID.RA.S4"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1",
          "3.1.1",
          "3.1.2",
          "3.1.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.14.03.B"
        ]
      }
    },
    {
      "control_id": "THR-11",
      "title": "Behavioral Baselining",
      "family": "THR",
      "description": "Automated mechanisms exist to establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery.",
      "scf_question": "Does the organization use automated mechanisms to establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-THR-08"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Threat Management (THR) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with THR domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Threat management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Threat Management (THR) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Threat management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Threat management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Threat Management (THR) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with THR domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with THR domain capabilities are well-documented and kept current by process owners.\n▪ A threat management team, or similar function, is appropriately staffed and supported to implement and maintain THR domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of threat management operations (e.g., threat intelligence solution, bug bounty solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with THR domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery.",
        "4": "Threat Management (THR) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Threat Management (THR) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Monitor for deviations from normal user/system behavior",
        "small": "∙ Baseline user and system behavior\n∙ Alert on significant deviations",
        "medium": "∙ Formal behavioral baselining program\n∙ SIEM-based anomaly detection",
        "large": "∙ Enterprise UEBA platform (e.g., Exabeam, Securonix)\n∙ Behavioral analytics for threat detection",
        "enterprise": "∙ Enterprise UEBA/XDR platform (e.g., Microsoft Sentinel, Exabeam, Securonix)\n∙ ML-based behavioral analytics\n∙ Automated threat response"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Threat Management",
      "crosswalks": {
        "general-coso-2013": [
          "8"
        ],
        "general-cr-cmm-2026": [
          "CR2.2.6"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.ID.BBASE",
          "3.UNI.DTDIS"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "3.4.5",
          "3.4.6",
          "7.2.5",
          "7.3.2",
          "7.4",
          "7.4.2"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "1.2"
        ]
      }
    },
    {
      "control_id": "VPM-01",
      "title": "Vulnerability & Patch Management Program (VPMP)",
      "family": "VPM",
      "description": "Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.",
      "scf_question": "Does the organization facilitate the implementation and monitoring of vulnerability management controls?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MNT-03",
        "E-THR-05",
        "E-VPM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel apply software patches through an informal process.\n▪ Occasional vulnerability scanning is conducted on High Value Assets (HVAs).\n▪ Vulnerability scanning services may not be internal competencies and have to be outsourced.\n▪ Penetration testing services may not be internal competencies and have to be outsourced.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define the breadth and depth of coverage for vulnerability scanning that covers system components scanned and types of vulnerabilities that are checked for.\n▪ IT and/or cybersecurity personnel maintain a structured process to apply software patches and other vulnerability remediation efforts.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation and monitoring of vulnerability management controls.",
        "4": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)",
        "small": "∙ Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)",
        "medium": "∙ Vulnerability & Patch Management Program",
        "large": "∙ Vulnerability & Patch Management Program",
        "enterprise": "∙ Vulnerability & Patch Management Program"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF7",
          "CC3.2-POF9",
          "CC3.4-POF6",
          "CC8.1-POF14",
          "CC8.1-POF16",
          "CC9.2-POF13"
        ],
        "general-cis-csc-8-1": [
          "7.0",
          "7.1",
          "18.0"
        ],
        "general-cis-csc-8-1-ig1": [
          "7.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.1"
        ],
        "general-cobit-2019": [
          "DSS05.07"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-01"
        ],
        "general-csa-iot-2": [
          "CLS-06",
          "VLN-01",
          "VLN-04"
        ],
        "general-govramp": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-core": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-low": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-low-plus": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-mod": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-high": [
          "SI-02",
          "SI-03"
        ],
        "general-iso-27002-2022": [
          "8.8"
        ],
        "general-iso-27017-2015": [
          "12.6.1"
        ],
        "general-iso-27018-2025": [
          "8.8"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(4)"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P10"
        ],
        "general-nist-800-39": [
          "TASK 2-1"
        ],
        "general-nist-800-53-r4": [
          "SI-2",
          "SI-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3-low": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3-high": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-161-r1": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-171-r2": [
          "3.14.1"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.a",
          "03.14.01.a"
        ],
        "general-nist-800-171a": [
          "3.14.1[a]",
          "3.14.1[b]",
          "3.14.1[c]",
          "3.14.1[d]",
          "3.14.1[e]",
          "3.14.1[f]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.02.ODP[03]"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-01",
          "ID.RA-08",
          "PR.PS-02"
        ],
        "general-owasp-top-10-2025": [
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.3",
          "6.3.1",
          "6.3.3",
          "11.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1",
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.1",
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1",
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.1",
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1",
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.1",
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.1",
          "6.3.3"
        ],
        "general-scf-dpmp-2025": [
          "5.15"
        ],
        "general-shared-assessments-sig-2025": [
          "T.2"
        ],
        "general-sparta": [
          "CM0007",
          "CM0016"
        ],
        "general-swift-cscf-2025": [
          "2.2",
          "2.7"
        ],
        "general-un-155-2021": [
          "7.2.2.2(g)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(g)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "VAR:SG1",
          "VAR:SG1.SP1",
          "VAR:SG1.SP2",
          "VAR:SG2",
          "VAR:SG2.SP1",
          "VAR:SG2.SP2",
          "VAR:SG2.SP3",
          "VAR:SG3",
          "VAR:SG3.SP1",
          "VAR:SG4",
          "VAR:SG4.SP1",
          "VAR:GG1.GP1",
          "VAR:GG2",
          "VAR:GG2.GP2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "4.b"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.VMANG"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.F"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-2",
          "SI-3"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1j"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SI.L1-B.1.XII"
        ],
        "usa-federal-dow-cmmc-2-level-1-aos": [
          "SI.L1-B.1.XII[a]",
          "SI.L1-B.1.XII[b]",
          "SI.L1-B.1.XII[c]",
          "SI.L1-B.1.XII[d]",
          "SI.L1-B.1.XII[e]",
          "SI.L1-B.1.XII[f]"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.1"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.5",
          "3.3.2"
        ],
        "usa-federal-eo-14028": [
          "4e(iv)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(xii)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-02",
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-02",
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-02",
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-02",
          "SI-03"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(d)(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "RA-5(IRS-Defined)",
          "SI-2",
          "SI-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-2",
          "SI-2.a",
          "SI-2.b",
          "SI-2.c",
          "SI-2.d",
          "SI-3"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.7",
          "CIP-007-6 1.3",
          "CIP-007-6 2.1"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.E",
          "III.E.1",
          "III.E.2.a",
          "III.E.2.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)",
          "7123(c)(6)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.3(o)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SI-02",
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SI-02",
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-02",
          "SI-03"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.3(21)",
          "3.4.4(36)(a)"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(f)",
          "Article 25.1",
          "Article 25.2",
          "Article 25.3"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(e)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.6.1",
          "6.10.1",
          "6.10.2(a)",
          "6.10.2(d)"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "5.6"
        ],
        "emea-deu-c5-2020": [
          "OPS-18",
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "22.1",
          "22.2"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-3",
          "2-9",
          "2-9-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-9-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-4",
          "2-10-1",
          "2-10-2",
          "2-10-3",
          "2-10-4",
          "2-11-1",
          "2-11-2",
          "2-11-3",
          "2-11-4",
          "5-1-3-8"
        ],
        "emea-sau-otcc-1-2022": [
          "2-9",
          "2-9-1",
          "2-9-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-11"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.3.17"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ],
        "emea-gbr-caf-4-0": [
          "B4.d"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "5"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2402",
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2402",
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2402",
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2402",
          "2405"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1143",
          "ISM-1163",
          "ISM-1460",
          "ISM-1493"
        ],
        "apac-aus-ps-cps-234-2019": [
          "17"
        ],
        "apac-ind-sebi-2024": [
          "PR.IP.S12"
        ],
        "apac-jpn-ismap": [
          "5.1.1.16",
          "12.6",
          "12.6.1",
          "12.6.1.1",
          "12.6.1.2",
          "12.6.1.3",
          "12.6.1.4",
          "12.6.1.5",
          "12.6.1.6",
          "12.6.1.7",
          "12.6.1.8",
          "12.6.1.9",
          "12.6.1.11",
          "12.6.1.12",
          "12.6.1.13",
          "12.6.1.15",
          "12.6.1.16",
          "12.6.1.17",
          "12.6.1.18.PB"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP19",
          "HHSP26",
          "HML19",
          "HML26"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP17"
        ],
        "apac-nzl-ism-3-9": [
          "6.2.4.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.2(a)",
          "4.2(b)"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.2.1",
          "7.4.1",
          "7.4.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.16"
        ],
        "americas-can-osfi-b13-2022": [
          "2.6",
          "3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.A",
          "03.14.01.A"
        ]
      }
    },
    {
      "control_id": "VPM-01.1",
      "title": "Attack Surface Scope",
      "family": "VPM",
      "description": "Mechanisms exist to define and manage the scope for its attack surface management activities.",
      "scf_question": "Does the organization define and manage the scope for its attack surface management activities?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-VPM-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define the breadth and depth of coverage for vulnerability scanning that covers system components scanned and types of vulnerabilities that are checked for.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define and manage the scope for its attack surface management activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Identify what systems and software are in scope for security testing",
        "small": "∙ Attack surface inventory\n∙ Define scope for vulnerability management",
        "medium": "∙ Formal attack surface scoping process\n∙ Asset-driven attack surface management",
        "large": "∙ Enterprise attack surface management (ASM) program\n∙ Automated attack surface discovery",
        "enterprise": "∙ Enterprise ASM platform (e.g., CyCognito, Mandiant ASM)\n∙ Automated continuous attack surface monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF9",
          "CC3.2-POF7",
          "CC3.2-POF9",
          "CC3.4-POF6",
          "CC9.2-POF13"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-03"
        ],
        "general-csa-iot-2": [
          "CLS-06",
          "VLN-02"
        ],
        "general-iso-27002-2022": [
          "8.8"
        ],
        "general-iso-27018-2025": [
          "8.8"
        ],
        "general-iso-42001-2023": [
          "4.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.0"
        ],
        "general-nist-800-53-r5-2": [
          "SA-11(06)",
          "SA-11(07)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-11(06)",
          "SA-11(07)"
        ],
        "general-nist-800-82-r3": [
          "SA-11(06)",
          "SA-11(07)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "SA-11(06)"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.a",
          "03.14.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.02.a[01]"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-02"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.1",
          "6.3.2",
          "11.3.1",
          "11.3.1.1",
          "11.3.1.2",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.1",
          "6.3.2",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1",
          "11.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.1",
          "11.3.1",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.1",
          "6.3.2",
          "11.3.1",
          "11.3.1.1",
          "11.3.1.2",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.1",
          "6.3.2",
          "11.3.1",
          "11.3.1.1",
          "11.3.1.2",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-scf-dpmp-2025": [
          "5.15"
        ],
        "general-swift-cscf-2025": [
          "2.2",
          "2.7"
        ],
        "general-tisax-6-0-3": [
          "5.2.5"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.E",
          "1.F"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1e"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SA-11(06)",
          "SA-11(07)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SA-11(06)",
          "SA-11(07)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SA-11(06)",
          "SA-11(07)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SA-11(06)",
          "SA-11(07)"
        ],
        "usa-federal-irs-1075-2021": [
          "SA-11(CE-6)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.5(a)(1)"
        ],
        "emea-deu-c5-2020": [
          "PSS-02"
        ],
        "emea-sau-cscc-1-2019": [
          "2-10-1-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-11-3-1",
          "5-1-3-8"
        ],
        "emea-sau-otcc-1-2022": [
          "2-9-1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-27",
          "TPC-28",
          "TPC-29"
        ],
        "apac-nzl-ism-3-9": [
          "6.2.4.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "13.1.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.A",
          "03.14.01.A"
        ]
      }
    },
    {
      "control_id": "VPM-02",
      "title": "Vulnerability Remediation Process",
      "family": "VPM",
      "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
      "scf_question": "Does the organization ensure that vulnerabilities are properly identified, tracked and remediated?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-03",
        "E-RSK-04",
        "E-VPM-01",
        "E-VPM-09"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Patch software when updates are released",
        "small": "∙ Vulnerability remediation policy\n∙ Prioritized patching schedule",
        "medium": "∙ Formal vulnerability remediation process\n∙ Risk-based prioritization\n∙ Remediation SLAs",
        "large": "∙ Enterprise vulnerability remediation program\n∙ Defined SLAs by severity\n∙ Tracking and reporting",
        "enterprise": "∙ Enterprise vulnerability management platform (e.g., Tenable.io, Qualys)\n∙ Automated remediation tracking\n∙ SIEM integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.2",
          "CC5.3-POF4",
          "CC7.4-POF8"
        ],
        "general-cis-csc-8-1": [
          "7.2",
          "7.7"
        ],
        "general-cis-csc-8-1-ig1": [
          "7.2"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.2",
          "7.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.2",
          "7.7"
        ],
        "general-cobit-2019": [
          "DSS06.04"
        ],
        "general-coso-2013": [
          "17"
        ],
        "general-csa-iot-2": [
          "CLS-06",
          "VLN-04"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.9"
        ],
        "general-iso-27002-2022": [
          "8.8"
        ],
        "general-iso-27017-2015": [
          "12.6.1"
        ],
        "general-iso-27018-2025": [
          "8.8"
        ],
        "general-iso-42001-2023": [
          "10.2",
          "10.2(a)",
          "10.2(a)(1)",
          "10.2(a)(2)",
          "10.2(b)",
          "10.2(b)(1)",
          "10.2(b)(2)",
          "10.2(b)(3)",
          "10.2(c)",
          "10.2(d)",
          "10.2(e)"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.0"
        ],
        "general-nist-800-53-r4": [
          "PM-4",
          "SC-18(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PM-04",
          "SC-18(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-04",
          "SC-18(01)"
        ],
        "general-nist-800-82-r3": [
          "PM-04",
          "SC-18(01)"
        ],
        "general-nist-800-82-r3-low": [
          "PM-04"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-04"
        ],
        "general-nist-800-82-r3-high": [
          "PM-04"
        ],
        "general-nist-800-161-r1": [
          "PM-4"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-4"
        ],
        "general-nist-800-161-r1-level-3": [
          "PM-4"
        ],
        "general-nist-800-171-r2": [
          "3.14.1"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.b",
          "03.12.02.a.02",
          "03.14.01.a"
        ],
        "general-nist-800-171a": [
          "3.11.3[a]",
          "3.11.3[b]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.02.ODP[03]"
        ],
        "general-nist-800-218": [
          "RV.2.2"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-08",
          "PR.PS-02"
        ],
        "general-owasp-top-10-2025": [
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "11.3",
          "11.3.1",
          "11.3.1.1",
          "11.3.1.2",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1",
          "A3.3.1.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "11.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.3.1",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.3.1",
          "11.3.1.1",
          "11.3.1.2",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.3.1",
          "11.3.1.1",
          "11.3.1.2",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-scf-dpmp-2025": [
          "5.15"
        ],
        "general-swift-cscf-2025": [
          "2.2",
          "2.7"
        ],
        "general-tisax-6-0-3": [
          "5.2.5"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "4.b",
          "4.c"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.E",
          "1.F"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SI.L1-B.1.XII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "SIL2.-3.14.1"
        ],
        "usa-federal-eo-14028": [
          "4e(iv)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(xii)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-04",
          "SC-18(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-04",
          "SC-18(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-04",
          "SC-18(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-04",
          "SC-18(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-4",
          "SC-18(CE-1)"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-4"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 2.2",
          "CIP-007-6 2.3",
          "CIP-007-6 2.4"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.E.2.a",
          "III.E.2.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)(6)",
          "500.5(c)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-04"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.10.1",
          "6.10.2(c)",
          "6.10.3"
        ],
        "emea-deu-c5-2020": [
          "OPS-18",
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "22.8",
          "22.11",
          "22.13"
        ],
        "emea-sau-cscc-1-2019": [
          "2-9-1-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-9-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-10-3-3",
          "5-1-3-8"
        ],
        "emea-sau-otcc-1-2022": [
          "2-9-1-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-11",
          "TPC-91"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "5"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2402"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2402"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2402"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2402"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21"
        ],
        "apac-ind-sebi-2024": [
          "PR.MA.S3"
        ],
        "apac-jpn-ismap": [
          "12.6.1.14"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP19",
          "HHSP59",
          "HML19",
          "HML59"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP17",
          "HSUP51"
        ],
        "apac-nzl-ism-3-9": [
          "6.2.6.C.01",
          "23.2.19.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.2(a)",
          "4.2(b)"
        ],
        "apac-sgp-mas-trm-2021": [
          "13.6.1(a)",
          "13.6.1(b)",
          "13.6.1(c)"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.7"
        ],
        "americas-can-osfi-b13-2022": [
          "2.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.B",
          "03.12.02.A.02",
          "03.14.01.A"
        ]
      }
    },
    {
      "control_id": "VPM-03",
      "title": "Vulnerability Ranking",
      "family": "VPM",
      "description": "Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information.",
      "scf_question": "Does the organization identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-RSK-03",
        "E-RSK-04",
        "E-VPM-01",
        "E-VPM-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information.",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Patch critical vulnerabilities first",
        "small": "∙ Risk-based vulnerability ranking policy (critical, high, medium, low)",
        "medium": "∙ Formal vulnerability ranking methodology (CVSS + business context)",
        "large": "∙ Enterprise vulnerability ranking program\n∙ Risk-based prioritization with business impact",
        "enterprise": "∙ Enterprise vulnerability management platform with risk-based ranking (e.g., Tenable.io, Qualys)\n∙ Threat intelligence integration for prioritization"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.4-POF6"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-03",
          "TVM-09"
        ],
        "general-csa-iot-2": [
          "VLN-04"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.2.3"
        ],
        "general-iso-27002-2022": [
          "8.8"
        ],
        "general-iso-27018-2025": [
          "8.8"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.a"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-08"
        ],
        "general-owasp-top-10-2025": [
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.1",
          "11.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.1"
        ],
        "general-scf-dpmp-2025": [
          "5.15"
        ],
        "general-sparta": [
          "CM0016"
        ],
        "general-swift-cscf-2025": [
          "2.2"
        ],
        "general-tisax-6-0-3": [
          "5.2.5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1b",
          "THREAT-1g",
          "THREAT-1h",
          "THREAT-2b",
          "THREAT-2d"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(2)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.E.2.b"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.5(c)"
        ],
        "emea-deu-c5-2020": [
          "OPS-18",
          "OPS-22",
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "22.8"
        ],
        "emea-sau-cscc-1-2019": [
          "2-9-1-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-10-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-9-1-2",
          "2-9-1-3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1163"
        ],
        "apac-ind-sebi-2024": [
          "PR.MA.S3"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.A"
        ]
      }
    },
    {
      "control_id": "VPM-03.1",
      "title": "Vulnerability Exploitation Analysis",
      "family": "VPM",
      "description": "Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities.",
      "scf_question": "Does the organization identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review vulnerabilities for evidence of active exploitation",
        "small": "∙ Check CVEs for known exploits before prioritizing patches",
        "medium": "∙ Formal vulnerability exploitation analysis process\n∙ CISA KEV catalog review",
        "large": "∙ Enterprise vulnerability exploitation analysis\n∙ Threat intelligence integration for exploit data",
        "enterprise": "∙ Enterprise vulnerability management with threat intel integration (e.g., Tenable, Qualys)\n∙ CISA KEV, EPSS scoring\n∙ Automated exploit prioritization"
      },
      "risks": [
        "R-BC-1",
        "R-BC-2",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF9",
          "CC3.4-POF6"
        ],
        "general-iso-21434-2021": [
          "RQ-08-05",
          "RQ-08-06"
        ],
        "general-sparta": [
          "CM0016"
        ],
        "general-tisax-6-0-3": [
          "5.2.5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1b",
          "THREAT-1g",
          "THREAT-1h",
          "THREAT-2b"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.5(c)"
        ]
      }
    },
    {
      "control_id": "VPM-04",
      "title": "Continuous Vulnerability Remediation Activities",
      "family": "VPM",
      "description": "Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks.",
      "scf_question": "Does the organization address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-MNT-03",
        "E-THR-05"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks.",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Continuously monitor for new vulnerabilities in used software",
        "small": "∙ Continuous vulnerability scanning and remediation cycle",
        "medium": "∙ Formal continuous vulnerability management program\n∙ Regular scan cadence",
        "large": "∙ Enterprise continuous vulnerability management (e.g., Tenable.io, Qualys)\n∙ Automated remediation workflows",
        "enterprise": "∙ Enterprise continuous vulnerability management platform\n∙ Real-time scanning\n∙ Automated patching integration\n∙ SIEM/SOAR integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.2"
        ],
        "general-cis-csc-8-1": [
          "7.0",
          "7.7",
          "12.1",
          "18.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "12.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.7",
          "12.1",
          "18.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.7",
          "12.1",
          "18.3"
        ],
        "general-cobit-2019": [
          "DSS06.04"
        ],
        "general-coso-2013": [
          "17"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-08",
          "TVM-10"
        ],
        "general-csa-iot-2": [
          "CLS-06",
          "VLN-03"
        ],
        "general-iso-21434-2021": [
          "RQ-08-07",
          "RQ-08-07(a)",
          "RQ-08-07(b)",
          "RQ-08-08"
        ],
        "general-nist-800-53-r4": [
          "SC-18(1)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-18(01)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SC-18(01)"
        ],
        "general-nist-800-82-r3": [
          "SC-18(01)"
        ],
        "general-nist-800-171-r2": [
          "3.11.3"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.b",
          "03.14.01.a",
          "03.14.01.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.02.b"
        ],
        "general-owasp-top-10-2025": [
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.3",
          "11.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.3"
        ],
        "general-scf-dpmp-2025": [
          "5.15"
        ],
        "general-swift-cscf-2025": [
          "2.2",
          "2.7"
        ],
        "general-un-155-2021": [
          "7.2.2.2(g)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(g)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.VMANG"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.E"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1d",
          "THREAT-1i",
          "THREAT-2d"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "RAL2.-3.11.3"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SC-18(01)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SC-18(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SC-18(01)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SC-18(01)"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-18(CE-1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.5(b)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.4"
        ],
        "emea-deu-c5-2020": [
          "OPS-18",
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "22.6",
          "22.11"
        ],
        "emea-sau-cscc-1-2019": [
          "2-9-1-3"
        ],
        "emea-sau-ecc-1-2018": [
          "2-10-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "2-9-1-2",
          "2-9-1-3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1801"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21"
        ],
        "apac-nzl-ism-3-9": [
          "6.2.6.C.01",
          "23.2.19.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "13.6.1(a)",
          "13.6.1(b)",
          "13.6.1(c)"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.7"
        ],
        "americas-can-osfi-b13-2022": [
          "3.2.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.B",
          "03.14.01.A",
          "03.14.01.B"
        ]
      }
    },
    {
      "control_id": "VPM-04.1",
      "title": "Stable Versions",
      "family": "VPM",
      "description": "Mechanisms exist to install the latest stable version of any software and/or security-related updates on all applicable systems.",
      "scf_question": "Does the organization install the latest stable version of any software and/or security-related updates on all applicable systems?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to install the latest stable version of any software and/or security-related updates on all applicable systems.",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use stable/supported versions of software",
        "small": "∙ Policy requiring use of vendor-supported software versions",
        "medium": "∙ Formal software lifecycle policy\n∙ Prohibition of unsupported/EOL software",
        "large": "∙ Enterprise software lifecycle management\n∙ Automated detection of EOL/unsupported software",
        "enterprise": "∙ Enterprise software lifecycle management platform\n∙ Automated EOL detection (e.g., CSAM, Flexera)\n∙ Remediation workflows for EOL software"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "12.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "12.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "12.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "12.1"
        ],
        "general-csa-iot-2": [
          "CLS-06"
        ],
        "general-swift-cscf-2025": [
          "2.2"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(A)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(7)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(c)(6)"
        ],
        "emea-isr-cmo-1-0": [
          "12.22"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1467",
          "ISM-1483"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP44",
          "HML44"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS08"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.4.1",
          "7.4.2"
        ]
      }
    },
    {
      "control_id": "VPM-04.2",
      "title": "Flaw Remediation with Personal Data (PD)",
      "family": "VPM",
      "description": "Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD).",
      "scf_question": "Does the organization identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD)?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD).",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Patch systems containing personal data promptly",
        "small": "∙ Priority patching policy for systems containing personal data",
        "medium": "∙ Formal vulnerability remediation policy for PD systems\n∙ Accelerated SLAs for PD systems",
        "large": "∙ Enterprise vulnerability management with PD system prioritization",
        "enterprise": "∙ Enterprise vulnerability management platform with data sensitivity tagging\n∙ Automated PD system prioritization"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-3",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-scf-dpmp-2025": [
          "5.15"
        ],
        "emea-zaf-popia-2013": [
          "4"
        ]
      }
    },
    {
      "control_id": "VPM-04.3",
      "title": "Deferred Patching Decisions",
      "family": "VPM",
      "description": "Mechanisms exist to facilitate the deferral of software and/or firmware patches when the disadvantages of applying the patch outweighs the benefits.",
      "scf_question": "Does the organization facilitate the deferral of software and/or firmware patches when the disadvantages of applying the patch outweighs the benefits?",
      "relative_weight": 2,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel apply software patches through an informal process.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the deferral of software and/or firmware patches when the disadvantages of applying the patch outweighs the benefits.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {},
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "COMP 3.5"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.2"
        ],
        "general-swift-cscf-2025": [
          "2.2"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.6.2"
        ]
      }
    },
    {
      "control_id": "VPM-05",
      "title": "Software & Firmware Patching",
      "family": "VPM",
      "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
      "scf_question": "Does the organization conduct software patching for all deployed systems, applications and firmware?",
      "relative_weight": 10,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [
        "E-MNT-03",
        "E-VPM-10"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel maintain a structured process to apply software patches and other vulnerability remediation efforts.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "small": "∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "medium": "∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "large": "∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "enterprise": "∙ ManageEngine Endpoint Central (https://manageengine.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC8.1-POF14",
          "CC8.1-POF16"
        ],
        "general-cis-csc-8-1": [
          "7.3",
          "7.4",
          "12.1",
          "18.3"
        ],
        "general-cis-csc-8-1-ig1": [
          "7.3",
          "7.4",
          "12.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.3",
          "7.4",
          "12.1",
          "18.3"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.3",
          "7.4",
          "12.1",
          "18.3"
        ],
        "general-csa-iot-2": [
          "CCM-07",
          "CLS-06",
          "VLN-01"
        ],
        "general-govramp": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-core": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-low": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-low-plus": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-mod": [
          "SI-02",
          "SI-03"
        ],
        "general-govramp-high": [
          "SI-02",
          "SI-03"
        ],
        "general-iso-27002-2022": [
          "8.8"
        ],
        "general-iso-27017-2015": [
          "12.6.1"
        ],
        "general-iso-27018-2025": [
          "8.8"
        ],
        "general-mitre-att&ck-16-1": [
          "T1003",
          "T1003.001",
          "T1027",
          "T1027.002",
          "T1027.007",
          "T1027.008",
          "T1027.009",
          "T1047",
          "T1055",
          "T1055.001",
          "T1055.002",
          "T1055.003",
          "T1055.004",
          "T1055.005",
          "T1055.008",
          "T1055.009",
          "T1055.011",
          "T1055.012",
          "T1055.013",
          "T1055.014",
          "T1059",
          "T1059.001",
          "T1059.005",
          "T1059.006",
          "T1068",
          "T1072",
          "T1106",
          "T1137",
          "T1137.003",
          "T1137.004",
          "T1137.005",
          "T1189",
          "T1190",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1195.003",
          "T1203",
          "T1204",
          "T1204.001",
          "T1204.003",
          "T1210",
          "T1211",
          "T1212",
          "T1213.003",
          "T1213.005",
          "T1221",
          "T1495",
          "T1525",
          "T1542",
          "T1542.001",
          "T1542.003",
          "T1542.004",
          "T1542.005",
          "T1546",
          "T1546.006",
          "T1546.010",
          "T1546.011",
          "T1546.016",
          "T1547.006",
          "T1548",
          "T1548.002",
          "T1548.006",
          "T1550.002",
          "T1552",
          "T1552.006",
          "T1553",
          "T1553.006",
          "T1555",
          "T1555.005",
          "T1559",
          "T1559.002",
          "T1566",
          "T1566.001",
          "T1566.003",
          "T1574",
          "T1574.002",
          "T1574.013",
          "T1601",
          "T1601.001",
          "T1601.002",
          "T1606",
          "T1606.001",
          "T1611"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.2"
        ],
        "general-nist-800-53-r4": [
          "SI-2",
          "SI-3(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-02",
          "SI-02(04)",
          "SI-03"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-02",
          "SI-02(04)",
          "SI-03"
        ],
        "general-nist-800-53-r5-2-low": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3": [
          "SI-02",
          "SI-02(04)",
          "SI-03"
        ],
        "general-nist-800-82-r3-low": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-82-r3-high": [
          "SI-02",
          "SI-03"
        ],
        "general-nist-800-161-r1": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-cscrm": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-flowdown": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-161-r1-level-3": [
          "SI-2",
          "SI-3"
        ],
        "general-nist-800-171-r2": [
          "3.11.3",
          "3.14.1"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.b",
          "03.12.02.a.02",
          "03.14.01.a",
          "03.14.01.b"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.02.b",
          "A.03.14.01.ODP[01]",
          "A.03.14.01.ODP[02]",
          "A.03.14.01.a[01]",
          "A.03.14.01.a[02]",
          "A.03.14.01.a[03]",
          "A.03.14.01.b[01]",
          "A.03.14.01.b[02]"
        ],
        "general-nist-csf-2-0": [
          "PR.PS-02"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.3"
        ],
        "general-scf-dpmp-2025": [
          "5.15"
        ],
        "general-shared-assessments-sig-2025": [
          "N.4"
        ],
        "general-sparta": [
          "CM0010"
        ],
        "general-swift-cscf-2025": [
          "2.2"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.PMANA"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.20.4.1",
          "SI-2",
          "SI-3"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "SI.L1-B.1.XII"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "RAL2.-3.11.3",
          "SIL2.-3.14.1"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.5"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(xii)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-02",
          "SI-02(04)",
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-02",
          "SI-02(04)",
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-02",
          "SI-02(04)",
          "SI-03"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-02",
          "SI-02(04)",
          "SI-03"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-2",
          "SI-2(CE-4)",
          "SI-2(IRS-Defined)",
          "SI-3"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-2",
          "SI-3"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-007-6 1.3",
          "CIP-007-6 2.3"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.E.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(A)",
          "7123(c)(5)(D)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.04(7)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "SI-02",
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "SI-02",
          "SI-03"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "SI-02",
          "SI-03"
        ],
        "emea-eu-dora-2023": [
          "Article 9.4(f)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.6.1(a)"
        ],
        "emea-deu-c5-2020": [
          "PSS-03"
        ],
        "emea-isr-cmo-1-0": [
          "12.21"
        ],
        "emea-sau-cscc-1-2019": [
          "2-3-1-3"
        ],
        "emea-sau-cgiot-2024": [
          "2-4-6",
          "2-9-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-3-3-3",
          "2-10-3-4",
          "5-1-3-9"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-3",
          "2-4-1-15"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-11",
          "TPC-78"
        ],
        "emea-gbr-cyber-essentials-requirements-3-3": [
          "5"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2402",
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2402",
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2402",
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2402",
          "2405"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P1",
          "ML1-P2",
          "ML2-P1",
          "ML2-P2",
          "ML3-P1",
          "ML3-P2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1143",
          "ISM-1493",
          "ISM-1690",
          "ISM-1691",
          "ISM-1692",
          "ISM-1693",
          "ISM-1694",
          "ISM-1695",
          "ISM-1696",
          "ISM-1697",
          "ISM-1751"
        ],
        "apac-aus-ps-cps-234-2019": [
          "21"
        ],
        "apac-ind-sebi-2024": [
          "PR.MA.S3"
        ],
        "apac-jpn-ismap": [
          "12.6.1.10"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP19",
          "HML19"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP17"
        ],
        "apac-nzl-ism-3-9": [
          "23.2.19.C.01"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.2(a)",
          "4.2(b)"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.4.1",
          "7.4.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.16"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.5",
          "4.7",
          "4.9"
        ],
        "americas-can-osfi-b13-2022": [
          "2.6",
          "2.6.1",
          "3.2.6"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.B",
          "03.12.02.A.02",
          "03.14.01.A",
          "03.14.01.B"
        ]
      }
    },
    {
      "control_id": "VPM-05.1",
      "title": "Centralized Management of Flaw Remediation Processes",
      "family": "VPM",
      "description": "Mechanisms exist to centrally-manage the flaw remediation process.",
      "scf_question": "Does the organization centrally-manage the flaw remediation process?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to centrally-manage the flaw remediation process.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Vulnerability & Patch Management (VPM) capabilities are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Centrally track vulnerability status across all systems",
        "small": "∙ Centralized vulnerability tracking spreadsheet or tool",
        "medium": "∙ Centralized vulnerability management platform (e.g., Tenable.io, Qualys)",
        "large": "∙ Enterprise centralized vulnerability management platform with integrated asset management",
        "enterprise": "∙ Enterprise vulnerability management platform (e.g., Tenable One, Qualys VMDR)\n∙ Full asset-vulnerability integration\n∙ Automated centralized management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "7.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "7.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.4"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-11"
        ],
        "general-csa-iot-2": [
          "CCM-06",
          "CCM-07",
          "CLS-06",
          "VLN-01",
          "VLN-02"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.2"
        ],
        "general-nist-800-53-r4": [
          "SI-2(1)"
        ],
        "general-nist-800-53-r5-2": [
          "PL-09",
          "SI-02(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-09",
          "SI-02(04)"
        ],
        "general-nist-800-82-r3": [
          "PL-09",
          "SI-02(04)"
        ],
        "general-nist-800-161-r1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-1": [
          "PL-9"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-9"
        ],
        "general-pci-dss-4-0-1": [
          "6.3",
          "6.3.1",
          "6.3.2",
          "6.3.3",
          "6.4",
          "6.4.1",
          "6.4.2",
          "6.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1",
          "6.3.3",
          "6.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.1",
          "6.3.2",
          "6.3.3",
          "6.4.1",
          "6.4.2",
          "6.4.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1",
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.1",
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1",
          "6.3.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.1",
          "6.3.2",
          "6.3.3",
          "6.4.1",
          "6.4.2",
          "6.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.1",
          "6.3.2",
          "6.3.3",
          "6.4.1",
          "6.4.2",
          "6.4.3"
        ],
        "general-shared-assessments-sig-2025": [
          "T.2"
        ],
        "general-swift-cscf-2025": [
          "2.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-9"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1l",
          "RISK-2l"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-09",
          "SI-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-09",
          "SI-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-09",
          "SI-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-09",
          "SI-02(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-2(CE-4)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-2(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.4"
        ],
        "emea-deu-c5-2020": [
          "PSS-03"
        ],
        "emea-isr-cmo-1-0": [
          "12.21",
          "22.11",
          "22.12"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-91"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0298",
          "ISM-0300"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.4.1",
          "7.4.2"
        ]
      }
    },
    {
      "control_id": "VPM-05.2",
      "title": "Automated Remediation Status",
      "family": "VPM",
      "description": "Automated mechanisms exist to determine the state of system components with regard to flaw remediation.",
      "scf_question": "Does the organization use automated mechanisms to determine the state of system components with regard to flaw remediation?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically determine the state of system components with regard to flaw remediation.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Check remediation status of patched systems",
        "small": "∙ Automated remediation verification scans after patching",
        "medium": "∙ Formal remediation verification process\n∙ Rescan after patching",
        "large": "∙ Enterprise automated remediation verification scanning",
        "enterprise": "∙ Enterprise vulnerability management with automated remediation status tracking and verification"
      },
      "risks": [
        "R-AM-3",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-2",
        "R-IR-3",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "7.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "7.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.4"
        ],
        "general-govramp": [
          "SI-02(02)"
        ],
        "general-govramp-core": [
          "SI-02(02)"
        ],
        "general-govramp-mod": [
          "SI-02(02)"
        ],
        "general-govramp-high": [
          "SI-02(02)"
        ],
        "general-iec-62443-2-1-2024": [
          "COMP 3.3"
        ],
        "general-nist-800-53-r4": [
          "SI-2(2)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-02(02)",
          "SI-02(04)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-02(04)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "SI-02(02)"
        ],
        "general-nist-800-82-r3": [
          "SI-02(02)",
          "SI-02(04)"
        ],
        "general-nist-800-82-r3-mod": [
          "SI-02(02)"
        ],
        "general-nist-800-82-r3-high": [
          "SI-02(02)"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "SI-2(2)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-02(02)",
          "SI-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-02(02)",
          "SI-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-02(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-2(CE-2)",
          "SI-2(CE-4)"
        ],
        "usa-federal-cms-marse-2-0": [
          "SI-2(2)"
        ],
        "emea-isr-cmo-1-0": [
          "22.11",
          "22.12"
        ]
      }
    },
    {
      "control_id": "VPM-05.3",
      "title": "Time To Remediate / Benchmarks For Corrective Action",
      "family": "VPM",
      "description": "Mechanisms exist to track the effectiveness of remediation operations through metrics reporting.",
      "scf_question": "Does the organization track the effectiveness of remediation operations through metrics reporting?",
      "relative_weight": 6,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to track the effectiveness of remediation operations through metrics reporting.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Vulnerability & Patch Management (VPM) capabilities are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Vulnerability & Patch Management (VPM) capabilities are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Define and track time-to-remediate goals by severity",
        "small": "∙ Vulnerability remediation SLAs by severity level",
        "medium": "∙ Formal remediation SLA policy with benchmark tracking",
        "large": "∙ Enterprise remediation SLA management and benchmarking program",
        "enterprise": "∙ Enterprise vulnerability management platform with SLA tracking and reporting (e.g., Tenable.io, Qualys)"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-2",
        "R-IR-3",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-govramp": [
          "SI-02(03)"
        ],
        "general-govramp-mod": [
          "SI-02(03)"
        ],
        "general-govramp-high": [
          "SI-02(03)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.7-006"
        ],
        "general-nist-800-53-r4": [
          "SI-2(3)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-02(03)"
        ],
        "general-nist-800-82-r3": [
          "SI-02(03)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1i",
          "RISK-2l"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-02(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-02(03)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-2(CE-3)",
          "SI-2(CE-3).a",
          "SI-2(CE-3).b"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.E.2.a"
        ],
        "emea-deu-c5-2020": [
          "OPS-19"
        ],
        "emea-isr-cmo-1-0": [
          "12.22"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-91"
        ],
        "apac-sgp-mas-trm-2021": [
          "13.6.1(b)"
        ]
      }
    },
    {
      "control_id": "VPM-05.4",
      "title": "Automated Software & Firmware Updates",
      "family": "VPM",
      "description": "Automated mechanisms exist to install the latest stable versions of security-relevant software and firmware updates.",
      "scf_question": "Does the organization use automated mechanisms to install the latest stable versions of security-relevant software and firmware updates?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ IT and/or cybersecurity personnel apply software patches through an informal process.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically install the latest stable versions of security-relevant software and firmware updates.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Azure Update Manager (https://azure.microsoft.com)\n∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "small": "∙ Azure Update Manager (https://azure.microsoft.com)\n∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "medium": "∙ Azure Update Manager (https://azure.microsoft.com)\n∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "large": "∙ Azure Update Manager (https://azure.microsoft.com)\n∙ ManageEngine Endpoint Central (https://manageengine.com)",
        "enterprise": "∙ Azure Update Manager (https://azure.microsoft.com)\n∙ ManageEngine Endpoint Central (https://manageengine.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "7.4"
        ],
        "general-cis-csc-8-1-ig1": [
          "7.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.4"
        ],
        "general-csa-iot-2": [
          "CCM-07",
          "CLS-06",
          "VLN-03"
        ],
        "general-nist-800-53-r4": [
          "SI-2(5)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-02(04)",
          "SI-02(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SI-02(04)"
        ],
        "general-nist-800-82-r3": [
          "SI-02(04)",
          "SI-02(05)"
        ],
        "general-nist-800-161-r1": [
          "SI-2(5)"
        ],
        "general-nist-800-161-r1-level-2": [
          "SI-2(5)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "SI-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "SI-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "SI-02(04)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "SI-02(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-2(CE-4)",
          "SI-2(CE-5)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.10.4"
        ],
        "emea-sau-ecc-1-2018": [
          "2-10-3-5"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3-1-3"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-78"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1467"
        ],
        "apac-sgp-cyber-hygiene-practice-2019": [
          "4.2(a)"
        ],
        "apac-sgp-mas-trm-2021": [
          "7.4.1",
          "7.4.2"
        ]
      }
    },
    {
      "control_id": "VPM-05.5",
      "title": "Removal of Previous Versions",
      "family": "VPM",
      "description": "Mechanisms exist to remove old versions of software and firmware components after updated versions have been installed.",
      "scf_question": "Does the organization remove old versions of software and firmware components after updated versions have been installed?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to remove old versions of software and firmware components after updated versions have been installed.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Vulnerability & Patch Management (VPM) efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Vulnerability & Patch Management (VPM) efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that effect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Remove old versions of software when updating",
        "small": "∙ Policy requiring removal of previous software versions after update",
        "medium": "∙ Formal previous version removal process and verification",
        "large": "∙ Enterprise software version management\n∙ Automated detection of old versions",
        "enterprise": "∙ Enterprise software lifecycle management platform\n∙ Automated previous version detection and removal"
      },
      "risks": [
        "R-AM-3",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-2",
        "R-IR-3",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-nist-800-53-r4": [
          "SI-2(6)"
        ],
        "general-nist-800-53-r5-2": [
          "SI-02(06)"
        ],
        "general-nist-800-82-r3": [
          "SI-02(06)"
        ],
        "usa-federal-irs-1075-2021": [
          "SI-2(CE-6)"
        ]
      }
    },
    {
      "control_id": "VPM-05.6",
      "title": "Pre-Deployment Patch Testing",
      "family": "VPM",
      "description": "Mechanisms exist to perform due diligence on software and/or firmware update stability by conducting pre-production testing in a non-production environment.",
      "scf_question": "Does the organization perform due diligence on software and/or firmware update stability by conducting pre-production testing in a non-production environment?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform due diligence on software and/or firmware update stability by conducting pre-production testing in a non-production environment.",
        "4": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Vulnerability & Patch Management (VPM) efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "In addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), Vulnerability & Patch Management (VPM) efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that effect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Test patches in non-production environment first",
        "small": "∙ Pre-deployment patch testing procedure",
        "medium": "∙ Formal patch testing process\n∙ Staging environment for pre-production patch validation",
        "large": "∙ Enterprise patch testing program\n∙ Automated testing in staging environment",
        "enterprise": "∙ Enterprise patch management platform (e.g., Microsoft SCCM, Tanium)\n∙ Automated pre-production testing\n∙ Pilot group deployment"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-cr-cmm-2026": [
          "CR8.2.1"
        ],
        "general-iec-62443-2-1-2024": [
          "COMP 3.2",
          "COMP 3.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.6.1(b)"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2405"
        ]
      }
    },
    {
      "control_id": "VPM-05.7",
      "title": "Out-of-Cycle Patching",
      "family": "VPM",
      "description": "Mechanisms exist to perform out-of-cycle software and/or firmware updates to address time-sensitive remediations.",
      "scf_question": "Does the organization perform out-of-cycle software and/or firmware updates to address time-sensitive remediations?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform out-of-cycle software and/or firmware updates to address time-sensitive remediations.",
        "4": "In addition to Vulnerability & Patch Management (VPM) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "In addition to Vulnerability & Patch Management (VPM) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that effect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Apply emergency patches immediately when a critical vulnerability is being actively exploited",
        "small": "∙ Out-of-cycle patching procedure for critical/emergency vulnerabilities",
        "medium": "∙ Formal emergency patching process\n∙ Expedited approval workflow",
        "large": "∙ Enterprise emergency patch management process with expedited approval",
        "enterprise": "∙ Enterprise patch management platform with emergency patching workflows (e.g., Tanium, Qualys)\n∙ Automated emergency patch deployment"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "emea-gbr-def-stan-05-138-2024": [
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2405"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2405"
        ]
      }
    },
    {
      "control_id": "VPM-05.8",
      "title": "Software Patch Integrity",
      "family": "VPM",
      "description": "Mechanisms exist to ensure software and/or firmware patches are:\n(1) Obtained from trusted sources; and\n(2) Checked for integrity.",
      "scf_question": "Does the organization ensure software and/or firmware patches are:\n(1) Obtained from trusted sources; and\n(2) Checked for integrity?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure software and/or firmware patches are:\n(1) Obtained from trusted sources; and\n(2) Checked for integrity.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Verify patch integrity before installing (check the vendor's published hash and/or digital signature)",
        "small": "∙ Patch integrity verification policy\n∙ Check digital signatures before installation",
        "medium": "∙ Formal patch integrity verification process\n∙ Cryptographic signature verification",
        "large": "∙ Enterprise patch integrity verification program\n∙ Automated signature checking",
        "enterprise": "∙ Enterprise patch management with automated integrity verification (e.g., SCCM, Tanium)\n∙ Cryptographic signature enforcement"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-iec-62443-2-1-2024": [
          "COMP 3.1"
        ],
        "general-swift-cscf-2025": [
          "2.2"
        ],
        "general-ul-2900-2-2-2016": [
          "11.4"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.6.1(c)"
        ]
      }
    },
    {
      "control_id": "VPM-06",
      "title": "Vulnerability Scanning",
      "family": "VPM",
      "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
      "scf_question": "Does the organization detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-VPM-05",
        "E-VPM-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Occasional vulnerability scanning is conducted on High Value Assets (HVAs).\n▪ Vulnerability scanning may not be an internal competency and may have to be outsourced.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel configure technologies to update vulnerability scanning tools.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "4": "In addition to Vulnerability & Patch Management (VPM) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "In addition to Vulnerability & Patch Management (VPM) capabilities being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that effect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ External vulnerability scans (unauthenticated)\n∙ Internal vulnerability scans (authenticated)\n∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "small": "∙ External vulnerability scans (unauthenticated)\n∙ Internal vulnerability scans (authenticated)\n∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "medium": "∙ External vulnerability scans (unauthenticated)\n∙ Internal vulnerability scans (authenticated)\n∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "large": "∙ External vulnerability scans (unauthenticated)\n∙ Internal vulnerability scans (authenticated)\n∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "enterprise": "∙ External vulnerability scans (unauthenticated)\n∙ Internal vulnerability scans (authenticated)\n∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.2-POF7",
          "CC3.4-POF6",
          "CC7.1",
          "CC7.1-POF5",
          "CC9.2-POF13"
        ],
        "general-cis-csc-8-1": [
          "7.5",
          "7.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.5",
          "7.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.5",
          "7.6"
        ],
        "general-cobit-2019": [
          "DSS05.07"
        ],
        "general-csa-iot-2": [
          "VLN-04"
        ],
        "general-govramp": [
          "RA-05"
        ],
        "general-govramp-core": [
          "RA-05"
        ],
        "general-govramp-low": [
          "RA-05"
        ],
        "general-govramp-low-plus": [
          "RA-05"
        ],
        "general-govramp-mod": [
          "RA-05"
        ],
        "general-govramp-high": [
          "RA-05"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 2.2(c)"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.2.3"
        ],
        "general-iso-27002-2022": [
          "8.8"
        ],
        "general-iso-27018-2025": [
          "8.8"
        ],
        "general-mitre-att&ck-16-1": [
          "T1011.001",
          "T1021.001",
          "T1021.003",
          "T1021.004",
          "T1021.005",
          "T1021.006",
          "T1046",
          "T1047",
          "T1052",
          "T1052.001",
          "T1053",
          "T1053.002",
          "T1053.003",
          "T1053.005",
          "T1059",
          "T1059.001",
          "T1059.005",
          "T1059.007",
          "T1068",
          "T1078",
          "T1091",
          "T1092",
          "T1098.004",
          "T1127",
          "T1127.001",
          "T1127.002",
          "T1133",
          "T1137",
          "T1137.001",
          "T1176",
          "T1190",
          "T1195",
          "T1195.001",
          "T1195.002",
          "T1204.003",
          "T1210",
          "T1211",
          "T1212",
          "T1213",
          "T1213.001",
          "T1213.002",
          "T1213.003",
          "T1213.005",
          "T1218",
          "T1218.003",
          "T1218.004",
          "T1218.005",
          "T1218.008",
          "T1218.009",
          "T1218.012",
          "T1218.013",
          "T1218.014",
          "T1218.015",
          "T1221",
          "T1482",
          "T1484",
          "T1505",
          "T1505.001",
          "T1505.002",
          "T1505.003",
          "T1505.004",
          "T1505.005",
          "T1525",
          "T1528",
          "T1530",
          "T1542.004",
          "T1542.005",
          "T1543",
          "T1546.002",
          "T1546.014",
          "T1547.006",
          "T1547.007",
          "T1547.008",
          "T1548",
          "T1548.002",
          "T1548.003",
          "T1548.006",
          "T1552",
          "T1552.001",
          "T1552.002",
          "T1552.004",
          "T1552.006",
          "T1557",
          "T1558.004",
          "T1559",
          "T1559.002",
          "T1560",
          "T1560.001",
          "T1562",
          "T1562.010",
          "T1563",
          "T1563.001",
          "T1563.002",
          "T1566",
          "T1574",
          "T1574.001",
          "T1574.004",
          "T1574.005",
          "T1574.007",
          "T1574.008",
          "T1574.009",
          "T1574.010",
          "T1578",
          "T1578.001",
          "T1578.002",
          "T1578.003",
          "T1612"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.0"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MS-2.6-007"
        ],
        "general-nist-800-53-r4": [
          "RA-5"
        ],
        "general-nist-800-53-r5-2": [
          "RA-05"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "RA-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "RA-05"
        ],
        "general-nist-800-82-r3": [
          "RA-05"
        ],
        "general-nist-800-82-r3-low": [
          "RA-05"
        ],
        "general-nist-800-82-r3-mod": [
          "RA-05"
        ],
        "general-nist-800-82-r3-high": [
          "RA-05"
        ],
        "general-nist-800-161-r1": [
          "RA-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "RA-5"
        ],
        "general-nist-800-161-r1-flowdown": [
          "RA-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-5"
        ],
        "general-nist-800-171-r2": [
          "3.11.2"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.a"
        ],
        "general-nist-800-171a": [
          "3.11.2[a]",
          "3.11.2[b]",
          "3.11.2[c]",
          "3.11.2[d]",
          "3.11.2[e]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.02.ODP[01]",
          "A.03.11.02.ODP[02]",
          "A.03.11.02.ODP[04]",
          "A.03.11.02.a[01]",
          "A.03.11.02.a[02]",
          "A.03.11.02.a[03]",
          "A.03.11.02.a[04]",
          "A.03.11.02.c[01]",
          "A.03.11.02.c[02]"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-01"
        ],
        "general-owasp-top-10-2025": [
          "A05:2025"
        ],
        "general-pci-dss-4-0-1": [
          "6.4.1",
          "11.3",
          "11.3.1",
          "11.3.1.1",
          "11.3.1.2",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.4.1",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "11.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.3.1",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.4.1",
          "11.3.1",
          "11.3.1.1",
          "11.3.1.2",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.4.1",
          "11.3.1",
          "11.3.1.1",
          "11.3.1.2",
          "11.3.1.3",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-sparta": [
          "CM0008",
          "CM0011"
        ],
        "general-swift-cscf-2025": [
          "2.7"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.VMANG"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-5"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1c",
          "THREAT-1f",
          "THREAT-1k"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "RAL2.-3.11.2"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "RA-05"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-05"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-05"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "RA-05"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(d)(2)",
          "314.4(d)(2)(ii)"
        ],
        "usa-federal-irs-1075-2021": [
          "RA-5"
        ],
        "usa-federal-cms-marse-2-0": [
          "RA-5",
          "RA-5.a",
          "RA-5.b",
          "RA-5.b.1",
          "RA-5.b.2",
          "RA-5.b.3",
          "RA-5.c",
          "RA-5.d",
          "RA-5.e",
          "RA-5-IS.1",
          "RA-5-IS.2",
          "RA-5(1)"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-010-4 3.1",
          "CIP-010-4 3.2.1",
          "CIP-010-4 3.2.2",
          "CIP-010-4 3.3",
          "CIP-010-4 3.4"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(5)(D)",
          "7123(c)(6)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.5(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "RA-05",
          "RA-05-SID"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "RA-05"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "RA-05"
        ],
        "emea-eu-dora-2023": [
          "Article 25.1",
          "Article 25.2",
          "Article 25.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.10.2(b)"
        ],
        "emea-deu-bsrit-2017": [
          "5.6"
        ],
        "emea-deu-c5-2020": [
          "OPS-22",
          "PSS-02",
          "PSS-03"
        ],
        "emea-isr-cmo-1-0": [
          "3.4",
          "9.25",
          "12.30",
          "22.3",
          "22.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-9-1-1",
          "2-9-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-9-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-10-3-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-85"
        ],
        "emea-uae-niaf-2023": [
          "3.1.3"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2402"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2402"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2402"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2402"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P1",
          "ML1-P2",
          "ML2-P1",
          "ML2-P2",
          "ML3-P1",
          "ML3-P2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1163",
          "ISM-1698",
          "ISM-1699",
          "ISM-1700",
          "ISM-1701",
          "ISM-1702",
          "ISM-1703",
          "ISM-1752"
        ],
        "apac-ind-sebi-2024": [
          "ID.RA.S1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP26",
          "HHSP59",
          "HML26",
          "HML59"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP51"
        ],
        "apac-nzl-ism-3-9": [
          "6.2.5.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "13.1.1",
          "13.1.2"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.15"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.5"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.2",
          "3.1.3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.A"
        ]
      }
    },
    {
      "control_id": "VPM-06.1",
      "title": "Update Tool Capability",
      "family": "VPM",
      "description": "Mechanisms exist to update vulnerability scanning tools.",
      "scf_question": "Does the organization update vulnerability scanning tools?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel configure technologies to update vulnerability scanning tools.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to update vulnerability scanning tools.",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Keep vulnerability scanning tools updated",
        "small": "∙ Vulnerability scanner update policy\n∙ Ensure scanner plugins are current",
        "medium": "∙ Formal vulnerability scanner maintenance program\n∙ Regular plugin/feed updates",
        "large": "∙ Enterprise vulnerability scanner management\n∙ Automated scanner updates and tuning",
        "enterprise": "∙ Enterprise vulnerability management platform with automated scanner updates (e.g., Tenable, Qualys)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "TVM-05",
          "TVM-06"
        ],
        "general-govramp": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-govramp-core": [
          "RA-05"
        ],
        "general-govramp-low": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-govramp-low-plus": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-govramp-mod": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-govramp-high": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-nist-800-53-r4": [
          "RA-5(1)",
          "RA-5(2)"
        ],
        "general-nist-800-53-r5-2": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "RA-05"
        ],
        "general-nist-800-53-r5-2-low": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-nist-800-82-r3": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-nist-800-82-r3-low": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-nist-800-82-r3-mod": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-nist-800-82-r3-high": [
          "RA-05",
          "RA-05(02)"
        ],
        "general-nist-800-161-r1": [
          "RA-5"
        ],
        "general-nist-800-161-r1-cscrm": [
          "RA-5"
        ],
        "general-nist-800-161-r1-flowdown": [
          "RA-5"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-5"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-5"
        ],
        "general-nist-800-171-r2": [
          "NFO - RA-5(1)",
          "NFO - RA-5(2)"
        ],
        "general-nist-800-171-r3": [
          "03.11.02.c"
        ],
        "general-nist-800-171a-r3": [
          "A.03.11.02.ODP[04]",
          "A.03.11.02.c[01]",
          "A.03.11.02.c[02]"
        ],
        "general-pci-dss-4-0-1": [
          "11.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.3.1"
        ],
        "general-swift-cscf-2025": [
          "2.7"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-5",
          "RA-5(2)"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1a",
          "THREAT-1e"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "RA-05",
          "RA-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-05",
          "RA-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-05",
          "RA-05(02)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "RA-05",
          "RA-05(02)"
        ],
        "usa-federal-irs-1075-2021": [
          "RA-5",
          "RA-5(CE-2)"
        ],
        "usa-federal-cms-marse-2-0": [
          "RA-5",
          "RA-5(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "RA-05",
          "RA-05(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "RA-05",
          "RA-05 (02)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "RA-05",
          "RA-05 (02)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.10.4"
        ],
        "emea-deu-c5-2020": [
          "PSS-03"
        ],
        "emea-isr-cmo-1-0": [
          "22.7"
        ],
        "apac-aus-essential-8-2024": [
          "ML1-P1",
          "ML1-P2",
          "ML2-P1",
          "ML2-P2",
          "ML3-P1",
          "ML3-P2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1808"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.11.02.C"
        ]
      }
    },
    {
      "control_id": "VPM-06.2",
      "title": "Breadth / Depth of Coverage",
      "family": "VPM",
      "description": "Mechanisms exist to identify the breadth and depth of coverage for vulnerability scanning that define the system components scanned and types of vulnerabilities that are checked for.",
      "scf_question": "Does the organization identify the breadth and depth of coverage for vulnerability scanning that define the system components scanned and types of vulnerabilities that are checked for?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel define the breadth and depth of coverage for vulnerability scanning that covers system components scanned and types of vulnerabilities that are checked for.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to identify the breadth and depth of coverage for vulnerability scanning that define the system components scanned and types of vulnerabilities that are checked for.",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Scan all systems in scope for vulnerabilities",
        "small": "∙ Comprehensive vulnerability scan coverage policy",
        "medium": "∙ Formal scan coverage policy\n∙ All in-scope assets scanned regularly",
        "large": "∙ Enterprise vulnerability scan coverage management\n∙ Asset-driven scan scope",
        "enterprise": "∙ Enterprise vulnerability management with comprehensive asset discovery and scanning (e.g., Tenable One)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "VLN-04"
        ],
        "general-govramp": [
          "RA-05(03)"
        ],
        "general-govramp-mod": [
          "RA-05(03)"
        ],
        "general-govramp-high": [
          "RA-05(03)"
        ],
        "general-nist-800-53-r4": [
          "RA-5(3)"
        ],
        "general-nist-800-53-r5-2": [
          "RA-05(03)"
        ],
        "general-nist-800-82-r3": [
          "RA-05(03)"
        ],
        "general-nist-800-161-r1": [
          "RA-5(3)"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-5(3)"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-5(3)"
        ],
        "general-pci-dss-4-0-1": [
          "11.3.1",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.3.1",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.3.1",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.3.1",
          "11.3.2.1"
        ],
        "general-swift-cscf-2025": [
          "2.7"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "THREAT-1e"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-05(03)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-05(03)"
        ],
        "usa-federal-cms-marse-2-0": [
          "RA-5(3)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "RA-05 (03)"
        ],
        "emea-isr-cmo-1-0": [
          "22.6"
        ],
        "emea-sau-cscc-1-2019": [
          "2-9-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-11-3-1"
        ]
      }
    },
    {
      "control_id": "VPM-06.3",
      "title": "Privileged Access",
      "family": "VPM",
      "description": "Mechanisms exist to implement privileged access authorization for selected vulnerability scanning activities.",
      "scf_question": "Does the organization implement privileged access authorization for selected vulnerability scanning activities?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality. \nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement privileged access authorization for selected vulnerability scanning activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use privileged credentials for more thorough vulnerability scans",
        "small": "∙ Credentialed scanning policy for comprehensive vulnerability detection",
        "medium": "∙ Formal credentialed scanning program\n∙ Secure credential management for scanners",
        "large": "∙ Enterprise credentialed scanning with PAM integration",
        "enterprise": "∙ Enterprise vulnerability management with PAM-integrated credentialed scanning (e.g., Tenable + CyberArk)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-09"
        ],
        "general-govramp": [
          "RA-05(05)"
        ],
        "general-govramp-core": [
          "RA-05(05)"
        ],
        "general-govramp-mod": [
          "RA-05(05)"
        ],
        "general-govramp-high": [
          "RA-05(05)"
        ],
        "general-nist-800-53-r4": [
          "RA-5(5)"
        ],
        "general-nist-800-53-r5-2": [
          "RA-05(05)"
        ],
        "general-nist-800-53-r5-2-mod": [
          "RA-05(05)"
        ],
        "general-nist-800-82-r3": [
          "RA-05(05)"
        ],
        "general-nist-800-82-r3-mod": [
          "RA-05(05)"
        ],
        "general-nist-800-82-r3-high": [
          "RA-05(05)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "RA-05(05)"
        ],
        "general-nist-800-171-r2": [
          "3.11.2"
        ],
        "general-shared-assessments-sig-2025": [
          "T.2"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "RA-5(5)"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "RAL2.-3.11.2"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "RA-05(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-05(05)"
        ],
        "usa-federal-irs-1075-2021": [
          "RA-5(CE-5)"
        ],
        "usa-federal-cms-marse-2-0": [
          "RA-5(5)"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "RA-05 (05)"
        ],
        "emea-isr-cmo-1-0": [
          "22.9"
        ]
      }
    },
    {
      "control_id": "VPM-06.4",
      "title": "Trend Analysis",
      "family": "VPM",
      "description": "Automated mechanisms exist to compare the results of vulnerability scans over time to determine trends in system vulnerabilities.",
      "scf_question": "Does the organization use automated mechanisms to compare the results of vulnerability scans over time to determine trends in system vulnerabilities?",
      "relative_weight": 9,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically compare the results of vulnerability scans over time to determine trends in system vulnerabilities.",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review vulnerability trends over time",
        "small": "∙ Vulnerability trend analysis and reporting",
        "medium": "∙ Formal vulnerability trend analysis program\n∙ Regular metrics review",
        "large": "∙ Enterprise vulnerability metrics and trend analysis dashboard",
        "enterprise": "∙ Enterprise vulnerability management platform with trend analytics (e.g., Tenable.io, Qualys VMDR)\n∙ Executive dashboards"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-govramp": [
          "RA-05(06)"
        ],
        "general-govramp-mod": [
          "RA-05(06)"
        ],
        "general-govramp-high": [
          "RA-05(06)"
        ],
        "general-nist-800-53-r4": [
          "RA-5(6)"
        ],
        "general-nist-800-53-r5-2": [
          "RA-05(06)"
        ],
        "general-nist-800-82-r3": [
          "RA-05(06)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "RA-05(06)"
        ],
        "general-nist-800-161-r1": [
          "RA-5(6)"
        ],
        "general-nist-800-161-r1-level-2": [
          "RA-5(6)"
        ],
        "general-nist-800-161-r1-level-3": [
          "RA-5(6)"
        ],
        "general-swift-cscf-2025": [
          "2.7"
        ],
        "emea-deu-c5-2020": [
          "OPS-20"
        ],
        "emea-isr-cmo-1-0": [
          "22.10"
        ]
      }
    },
    {
      "control_id": "VPM-06.5",
      "title": "Review Historical Event Logs",
      "family": "VPM",
      "description": "Mechanisms exist to review historical event logs to determine if identified vulnerabilities have been previously exploited.",
      "scf_question": "Does the organization review historical event logs to determine if identified vulnerabilities have been previously exploited?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to review historical event logs to determine if identified vulnerabilities have been previously exploited.",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review historical logs when analyzing vulnerabilities",
        "small": "∙ Policy to review historical logs during vulnerability analysis",
        "medium": "∙ Formal historical log review process for vulnerability analysis",
        "large": "∙ Enterprise SIEM with historical log review integrated with vulnerability management",
        "enterprise": "∙ Enterprise SIEM (e.g., Splunk, IBM QRadar) integrated with vulnerability management for historical correlation"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-govramp": [
          "RA-05(08)"
        ],
        "general-govramp-mod": [
          "RA-05(08)"
        ],
        "general-govramp-high": [
          "RA-05(08)"
        ],
        "general-nist-800-53-r4": [
          "RA-5(8)"
        ],
        "general-nist-800-53-r5-2": [
          "RA-05(08)"
        ],
        "general-nist-800-82-r3": [
          "RA-05(08)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "RA-05(08)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-05(08)"
        ],
        "emea-deu-c5-2020": [
          "OPS-20"
        ],
        "emea-isr-cmo-1-0": [
          "22.10"
        ]
      }
    },
    {
      "control_id": "VPM-06.6",
      "title": "External Vulnerability Assessment Scans",
      "family": "VPM",
      "description": "Mechanisms exist to perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).",
      "scf_question": "Does the organization perform quarterly external vulnerability scans (outside its network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-VPM-05"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Occasional vulnerability scanning is conducted on High Value Assets (HVAs).\n▪ Vulnerability scanning services may not be internal competencies and have to be outsourced.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).",
        "4": "Vulnerability & Patch Management (VPM) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "small": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "medium": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "large": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "enterprise": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "7.6"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.6"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.6"
        ],
        "general-pci-dss-4-0-1": [
          "6.4.1",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.4.1",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "11.3.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.4.1",
          "11.3.2",
          "11.3.2.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.4.1",
          "11.3.2",
          "11.3.2.1"
        ],
        "emea-deu-c5-2020": [
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "22.3"
        ]
      }
    },
    {
      "control_id": "VPM-06.7",
      "title": "Internal Vulnerability Assessment Scans",
      "family": "VPM",
      "description": "Mechanisms exist to perform quarterly internal vulnerability scans, which includes all segments of the organization's internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).",
      "scf_question": "Does the organization perform quarterly internal vulnerability scans, which includes all segments of its internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)?",
      "relative_weight": 9,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-VPM-05"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ Occasional vulnerability scanning is conducted on High Value Assets (HVAs).\n▪ Vulnerability scanning services may not be internal competencies and have to be outsourced.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to perform quarterly internal vulnerability scans, which includes all segments of the organization's internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).",
        "4": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "small": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "medium": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "large": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)",
        "enterprise": "∙ Nessus (https://tenable.com)\n∙ Qualys (https://qualys.com)\n∙ Rapid7 (https://rapid7.com)"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "7.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "7.5"
        ],
        "general-cis-csc-8-1-ig3": [
          "7.5"
        ],
        "general-pci-dss-4-0-1": [
          "11.3.1",
          "11.3.1.2",
          "11.3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.3.1",
          "11.3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.3.1",
          "11.3.1.2",
          "11.3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.3.1",
          "11.3.1.2",
          "11.3.1.3"
        ],
        "emea-deu-c5-2020": [
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "22.3"
        ]
      }
    },
    {
      "control_id": "VPM-06.8",
      "title": "Acceptable Discoverable Information",
      "family": "VPM",
      "description": "Mechanisms exist to define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant Technology Assets, Applications and/or Services (TAAS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Limit what information is visible about Technology Assets, Applications and/or Services (TAAS) on the internet",
        "small": "∙ Minimize publicly discoverable information about Technology Assets, Applications and/or Services (TAAS) (banners, versions)",
        "medium": "∙ Formal acceptable discoverable information policy\n∙ Remove unnecessary Technology Assets, Applications and/or Services (TAAS) banners and version info",
        "large": "∙ Enterprise attack surface minimization program\n∙ Automated scan for exposed information",
        "enterprise": "∙ Enterprise attack surface management (ASM) platform (e.g., CyCognito, Mandiant ASM)\n∙ Automated discovery and reduction of exposed info"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-7",
        "R-GV-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-govramp": [
          "RA-05(04)"
        ],
        "general-govramp-high": [
          "RA-05(04)"
        ],
        "general-nist-800-53-r4": [
          "RA-5(4)"
        ],
        "general-nist-800-53-r5-2": [
          "RA-05(04)"
        ],
        "general-nist-800-53-r5-2-high": [
          "RA-05(04)"
        ],
        "general-nist-800-82-r3": [
          "RA-05(04)"
        ],
        "general-nist-800-82-r3-high": [
          "RA-05(04)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "RA-05(04)"
        ],
        "general-pci-dss-4-0-1": [
          "1.4.5"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.4.5"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "RA-05(04)"
        ],
        "usa-federal-irs-1075-2021": [
          "RA-5(CE-4)"
        ],
        "apac-nzl-ism-3-9": [
          "14.1.14.C.01"
        ]
      }
    },
    {
      "control_id": "VPM-06.9",
      "title": "Correlate Scanning Information",
      "family": "VPM",
      "description": "Automated mechanisms exist to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.",
      "scf_question": "Does the organization use automated mechanisms to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors?",
      "relative_weight": 5,
      "conformity_cadence": "Quarterly",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to automatically correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Correlate scan results across multiple tools",
        "small": "∙ Correlate vulnerability data from multiple scans/tools",
        "medium": "∙ Formal vulnerability data correlation process\n∙ Normalized view across tools",
        "large": "∙ Enterprise vulnerability correlation platform\n∙ Unified risk view across tools",
        "enterprise": "∙ Enterprise vulnerability management platform with multi-source correlation (e.g., Tenable One, Nucleus)\n∙ SIEM integration"
      },
      "risks": [
        "R-AM-3",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-govramp": [
          "RA-05(10)"
        ],
        "general-govramp-high": [
          "RA-05(10)"
        ],
        "general-nist-800-53-r4": [
          "RA-5(10)"
        ],
        "general-nist-800-53-r5-2": [
          "RA-05(10)"
        ],
        "general-nist-800-82-r3": [
          "RA-05(10)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "RA-05(10)"
        ]
      }
    },
    {
      "control_id": "VPM-07",
      "title": "Penetration Testing",
      "family": "VPM",
      "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
      "scf_question": "Does the organization conduct penetration testing on Technology Assets, Applications and/or Services (TAAS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-VPM-02",
        "E-VPM-03"
      ],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel, or contracted professionals, conduct annual penetration testing on network segments hosting High Value Assets (HVAs).",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "4": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "small": "∙ Annual penetration test by qualified tester",
        "medium": "∙ Annual penetration test by qualified third-party tester",
        "large": "∙ Enterprise penetration testing program\n∙ Annual external and internal pen tests",
        "enterprise": "∙ Enterprise penetration testing program\n∙ Annual and event-driven pen tests\n∙ Red team exercises\n∙ Purple teaming"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "18.0",
          "18.1",
          "18.2",
          "18.5"
        ],
        "general-cis-csc-8-1-ig2": [
          "18.1",
          "18.2"
        ],
        "general-cis-csc-8-1-ig3": [
          "18.1",
          "18.2",
          "18.5"
        ],
        "general-csa-cmm-4-1-0": [
          "TVM-07"
        ],
        "general-csa-iot-2": [
          "SET-02",
          "SET-04"
        ],
        "general-cr-cmm-2026": [
          "CR9.1.1"
        ],
        "general-govramp": [
          "CA-08"
        ],
        "general-govramp-low-plus": [
          "CA-08"
        ],
        "general-govramp-mod": [
          "CA-08"
        ],
        "general-govramp-high": [
          "CA-08"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-4.1"
        ],
        "general-nist-800-53-r4": [
          "CA-8"
        ],
        "general-nist-800-53-r5-2": [
          "CA-08",
          "SA-11(05)"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "SA-11(05)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CA-08"
        ],
        "general-nist-800-82-r3": [
          "CA-08",
          "SA-11(05)"
        ],
        "general-nist-800-82-r3-high": [
          "CA-08"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CA-08",
          "SA-11(05)"
        ],
        "general-nist-800-172": [
          "3.12.1e"
        ],
        "general-pci-dss-4-0-1": [
          "11.4",
          "11.4.1",
          "11.4.2",
          "11.4.3",
          "11.4.4",
          "11.4.5",
          "11.4.6",
          "11.4.7",
          "A3.2.4"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "11.4.1",
          "11.4.3",
          "11.4.4",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.4.1",
          "11.4.2",
          "11.4.3",
          "11.4.4",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.4.1",
          "11.4.2",
          "11.4.3",
          "11.4.4",
          "11.4.5",
          "11.4.6",
          "11.4.7"
        ],
        "general-sparta": [
          "CM0008"
        ],
        "general-swift-cscf-2025": [
          "7.3A"
        ],
        "general-ul-2900-2-2-2016": [
          "16.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.STEXE"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.F"
        ],
        "usa-federal-dow-cmmc-2-level-3": [
          "CA.L3-3.12.1E"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "CA-08",
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-08",
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-08",
          "SA-11(05)"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "CA-08",
          "SA-11(05)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(d)(2)",
          "314.4(d)(2)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "CA-8",
          "SA-11(CE-5)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(c)(6)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.5(a)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "CA-08",
          "CA-08-SID"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "CA-08"
        ],
        "emea-eu-dora-2023": [
          "Article 26.1",
          "Article 26.2",
          "Article 26.3",
          "Article 26.4",
          "Article 26.5",
          "Article 26.6",
          "Article 26.7",
          "Article 26.8",
          "Article 26.8(a)",
          "Article 26.8(b)",
          "Article 26.8(c)"
        ],
        "emea-deu-bsrit-2017": [
          "5.6"
        ],
        "emea-deu-c5-2020": [
          "OPS-19",
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "3.4",
          "12.30",
          "17.17",
          "22.4",
          "22.5"
        ],
        "emea-sau-cscc-1-2019": [
          "2-10",
          "2-10-1-1",
          "2-10-1-2",
          "2-10-2"
        ],
        "emea-sau-cgiot-2024": [
          "2-10-1"
        ],
        "emea-sau-ecc-1-2018": [
          "2-11-3-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-10",
          "2-10-1",
          "2-10-1-1",
          "2-10-1-2",
          "2-10-1-3",
          "2-10-1-4",
          "2-10-2"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-27",
          "TPC-28",
          "TPC-29"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2403"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2403"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2403"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2403"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1163"
        ],
        "apac-sgp-mas-trm-2021": [
          "13.2.1",
          "13.2.3",
          "13.2.4"
        ],
        "americas-bmu-mba-coc-2020": [
          "6.15"
        ],
        "amaericas-can-osfi-self-assessment": [
          "2.6"
        ],
        "americas-can-osfi-b13-2022": [
          "3.1.2"
        ]
      }
    },
    {
      "control_id": "VPM-07.1",
      "title": "Independent Penetration Agent or Team",
      "family": "VPM",
      "description": "Mechanisms exist to utilize an independent assessor or penetration team to perform penetration testing.",
      "scf_question": "Does the organization utilize an independent assessor or penetration team to perform penetration testing?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-VPM-04"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide only limited coverage, reflecting the shallow depth and narrow breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel, or contracted professionals, use red team exercises to simulate attempts by adversaries to compromise TAASD in accordance with entity-defined rules of engagement.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize an independent assessor or penetration team to perform penetration testing.",
        "4": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, building on Level 4 capabilities but continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "medium": "∙ Third-party independent penetration testing",
        "large": "∙ Enterprise independent penetration testing program (qualified third-party testers)",
        "enterprise": "∙ Enterprise independent pen testing program\n∙ Qualified third-party pen test teams\n∙ Annual and ad-hoc testing\n∙ Full red team exercises"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "SET-02",
          "SET-03",
          "SET-04"
        ],
        "general-govramp": [
          "CA-08(01)"
        ],
        "general-govramp-low-plus": [
          "CA-08(01)"
        ],
        "general-govramp-mod": [
          "CA-08(01)"
        ],
        "general-govramp-high": [
          "CA-08(01)"
        ],
        "general-nist-800-53-r4": [
          "CA-8(1)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-08(01)"
        ],
        "general-nist-800-53-r5-2-high": [
          "CA-08(01)"
        ],
        "general-nist-800-82-r3": [
          "CA-08(01)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CA-08(01)"
        ],
        "general-pci-dss-4-0-1": [
          "11.4.1",
          "11.4.2",
          "11.4.3",
          "11.4.5",
          "11.4.6"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "11.4.1",
          "11.4.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.4.1",
          "11.4.2",
          "11.4.3",
          "11.4.5"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.4.1",
          "11.4.2",
          "11.4.3",
          "11.4.5",
          "11.4.6"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-08(01)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-08(01)"
        ],
        "emea-eu-dora-2023": [
          "Article 27.1",
          "Article 27.1(a)",
          "Article 27.1(b)",
          "Article 27.1(c)",
          "Article 27.1(d)",
          "Article 27.1(e)",
          "Article 27.2",
          "Article 27.2(a)",
          "Article 27.2(b)",
          "Article 27.2(c)",
          "Article 27.3"
        ],
        "emea-deu-c5-2020": [
          "OPS-19",
          "PSS-02"
        ],
        "emea-isr-cmo-1-0": [
          "17.16",
          "17.17",
          "22.4",
          "22.5"
        ],
        "emea-sau-cscc-1-2019": [
          "2-10-1-2"
        ]
      }
    },
    {
      "control_id": "VPM-08",
      "title": "Technical Surveillance Countermeasures Security",
      "family": "VPM",
      "description": "Mechanisms exist to utilize a technical surveillance countermeasures survey.",
      "scf_question": "Does the organization utilize a technical surveillance countermeasures survey?",
      "relative_weight": 1,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide only limited coverage, reflecting the shallow depth and narrow breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize a technical surveillance countermeasures survey.",
        "4": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, building on Level 4 capabilities but continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Facility sweeping for \"bugs\" or other unauthorized surveillance technologies.",
        "small": "∙ Facility sweeping for \"bugs\" or other unauthorized surveillance technologies.",
        "medium": "∙ Facility sweeping for \"bugs\" or other unauthorized surveillance technologies.",
        "large": "∙ Facility sweeping for \"bugs\" or other unauthorized surveillance technologies.",
        "enterprise": "∙ Facility sweeping for \"bugs\" or other unauthorized surveillance technologies."
      },
      "risks": [
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-SA-1"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "SWS-06"
        ],
        "general-nist-800-53-r4": [
          "RA-6"
        ],
        "general-nist-800-53-r5-2": [
          "RA-06"
        ],
        "general-nist-800-82-r3": [
          "RA-06"
        ],
        "apac-nzl-ism-3-9": [
          "8.1.13.C.01",
          "8.1.13.C.02"
        ]
      }
    },
    {
      "control_id": "VPM-09",
      "title": "Reviewing Vulnerability Scanner Usage",
      "family": "VPM",
      "description": "Mechanisms exist to monitor logs associated with scanning activities and associated administrator accounts to ensure that those activities are limited to the timeframes of legitimate scans.",
      "scf_question": "Does the organization monitor logs associated with scanning activities and associated administrator accounts to ensure that those activities are limited to the timeframes of legitimate scans?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nVulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide only limited coverage, reflecting the shallow depth and narrow breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to monitor logs associated with scanning activities and associated administrator accounts to ensure that those activities are limited to the timeframes of legitimate scans.",
        "4": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Periodic review of vulnerability scanner activity logs and scanner administrator account usage against the scheduled scan windows",
        "small": "∙ Periodic review of vulnerability scanner activity logs and scanner administrator account usage against the scheduled scan windows",
        "medium": "∙ Formal review process for scanner activity logs and scanner administrator account usage, confirming activity is limited to authorized scan windows",
        "large": "∙ Enterprise program for monitoring vulnerability scanner activity and scanner administrator accounts, with alerting on scans or administrator logins outside authorized scan windows",
        "enterprise": "∙ Enterprise scanner activity monitoring program\n∙ Alerting on scans or scanner administrator logins outside authorized scan windows\n∙ Regular review and tuning of scan schedules and alert thresholds"
      },
      "risks": [
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-GV-1",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {}
    },
    {
      "control_id": "VPM-10",
      "title": "Red Team Exercises",
      "family": "VPM",
      "description": "Mechanisms exist to utilize \"red team\" exercises to simulate attempts by adversaries to compromise Technology Assets, Applications and/or Services (TAAS) in accordance with organization-defined rules of engagement.",
      "scf_question": "Does the organization utilize \"red team\" exercises to simulate attempts by adversaries to compromise Technology Assets, Applications and/or Services (TAAS) in accordance with organization-defined rules of engagement?",
      "relative_weight": 3,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Vulnerability & Patch Management (VPM) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with VPM domain capabilities provide only limited coverage, reflecting the shallow depth and narrow breadth of the existing documentation.\n▪ Attack Surface Management (ASM)-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Vulnerability & Patch Management (VPM) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Vulnerability management-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Vulnerability management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel, or contracted professionals, use red team exercises to simulate attempts by adversaries to compromise TAASD in accordance with entity-defined rules of engagement.",
        "3": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with VPM domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with VPM domain capabilities are well-documented and kept current by process owners.\n▪ A vulnerability management team, or similar function, is appropriately staffed and supported to implement and maintain VPM domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of vulnerability management operations (e.g., patch management solution, vulnerability scanning solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with VPM domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize \"red team\" exercises to simulate attempts by adversaries to compromise Technology Assets, Applications and/or Services (TAAS) in accordance with organization-defined rules of engagement.",
        "4": "Vulnerability & Patch Management (VPM) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Free vulnerability scanner (e.g., OpenVAS)\n∙ Apply patches monthly",
        "small": "∙ Vulnerability scanner (e.g., Tenable Nessus Essentials)\n∙ Patch management policy",
        "medium": "∙ Vulnerability management program\n∙ Scheduled scanning\n∙ Risk-based patching",
        "large": "∙ \"red team\" exercises",
        "enterprise": "∙ \"red team\" exercises"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Vulnerability & Patch Management",
      "crosswalks": {
        "general-csa-iot-2": [
          "SET-03"
        ],
        "general-cr-cmm-2026": [
          "CR6.2.6",
          "CR9.3.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "MP-5.1-005",
          "MS-1.1-008",
          "MS-1.3-002",
          "MS-2.7-007",
          "MS-2.10-001"
        ],
        "general-nist-800-53-r4": [
          "CA-8(2)"
        ],
        "general-nist-800-53-r5-2": [
          "CA-08(02)"
        ],
        "general-nist-800-82-r3": [
          "CA-08(02)"
        ],
        "general-nist-800-160-vol-2-r1": [
          "CA-08(02)"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNL.STEXE"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "CA-08(02)"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "CA-08(02)"
        ],
        "emea-deu-bsrit-2017": [
          "5.6"
        ],
        "emea-sau-cgiot-2024": [
          "2-10-2"
        ],
        "emea-sau-otcc-1-2022": [
          "2-13-1-9"
        ],
        "apac-ind-sebi-2024": [
          "DE.DP.S4"
        ],
        "apac-sgp-mas-trm-2021": [
          "13.3.1",
          "13.3.2",
          "13.4.1",
          "13.4.2"
        ]
      }
    },
    {
      "control_id": "WEB-01",
      "title": "Web Security",
      "family": "WEB",
      "description": "Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.",
      "scf_question": "Does the organization facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Web Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Web Security (WEB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Web security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Web security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is appropriately staffed and supported to implement and maintain WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Keep website CMS and plugins updated",
        "small": "∙ Web security policy\n∙ HTTPS enforcement\n∙ Regular updates for web software",
        "medium": "∙ Formal web security program\n∙ WAF\n∙ HTTPS enforcement\n∙ Regular security testing",
        "large": "∙ Enterprise web security program\n∙ WAF\n∙ DAST\n∙ Content security policy\n∙ Bot management",
        "enterprise": "∙ Enterprise web security platform (e.g., Imperva, Cloudflare)\n∙ WAF\n∙ DDoS protection\n∙ DAST integration\n∙ Bot management"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-mpa-csbp-5-3-1": [
          "TS-1.10",
          "TS-2.0"
        ],
        "general-nist-800-171-r2": [
          "3.1.22"
        ],
        "general-nist-800-171-r3": [
          "03.01.22.a"
        ],
        "general-pci-dss-4-0-1": [
          "6.4",
          "6.4.1",
          "6.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.4.1",
          "6.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.4.1",
          "6.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.4.1",
          "6.4.2"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.8",
          "3.3.8.c"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-sau-cscc-1-2019": [
          "2-12",
          "2-12-1-1",
          "2-12-1-2"
        ],
        "emea-sau-ecc-1-2018": [
          "2-15-1",
          "2-15-2",
          "2-15-3",
          "2-15-4"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "8.8.2 [MP.S.2]"
        ],
        "apac-nzl-ism-3-9": [
          "14.5.6.C.01",
          "14.5.7.C.01",
          "14.5.8.C.01"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.A"
        ]
      }
    },
    {
      "control_id": "WEB-01.1",
      "title": "Unauthorized Code",
      "family": "WEB",
      "description": "Mechanisms exist to prevent unauthorized code from being present in a secure page as it is rendered in a client’s browser.",
      "scf_question": "Does the organization prevent unauthorized code from being present in a secure page as it is rendered in a client’s browser?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Web Security (WEB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Web security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Web security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is appropriately staffed and supported to implement and maintain WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to prevent unauthorized code from being present in a secure page as it is rendered in a client’s browser.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Review website for unauthorized scripts or content regularly",
        "small": "∙ Policy to prevent and detect unauthorized code on web properties",
        "medium": "∙ Formal unauthorized code detection program\n∙ Web integrity monitoring",
        "large": "∙ Enterprise web integrity monitoring (e.g., RiskIQ, Reflectiz)\n∙ Automated unauthorized code detection",
        "enterprise": "∙ Enterprise web security platform with unauthorized code detection (e.g., Featurespace, Reflectiz, c/side)\n∙ Real-time monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "6.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.4.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.4.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.4.3"
        ]
      }
    },
    {
      "control_id": "WEB-02",
      "title": "Use of Demilitarized Zones (DMZ)",
      "family": "WEB",
      "description": "Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized Technology Assets, Applications and/or Services (TAAS) on certain services, protocols and ports.",
      "scf_question": "Does the organization utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized Technology Assets, Applications and/or Services (TAAS) on certain services, protocols and ports?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Web Security (WEB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Web security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Web security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is appropriately staffed and supported to implement and maintain WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized Technology Assets, Applications and/or Services (TAAS) on certain services, protocols and ports.",
        "4": "Web Security (WEB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), and efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Host internet-facing services in isolated network from internal systems",
        "small": "∙ DMZ for internet-facing web services",
        "medium": "∙ Formal DMZ architecture for web services\n∙ Separation from internal network",
        "large": "∙ Enterprise DMZ design with WAF and IDS/IPS for web services",
        "enterprise": "∙ Enterprise web architecture with DMZ\n∙ WAF\n∙ Reverse proxy\n∙ Network segmentation\n∙ DDoS protection"
      },
      "risks": [
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-iso-27002-2022": [
          "8.22"
        ],
        "general-iso-27017-2015": [
          "13.1.3"
        ],
        "general-iso-27018-2025": [
          "8.22"
        ],
        "general-mpa-csbp-5-3-1": [
          "TS-1.10",
          "TS-2.0"
        ],
        "general-nist-800-171-r2": [
          "3.1.22"
        ],
        "general-nist-800-171a": [
          "3.1.22[a]",
          "3.1.22[b]",
          "3.1.22[c]",
          "3.1.22[d]",
          "3.1.22[e]"
        ],
        "general-shared-assessments-sig-2025": [
          "N.8"
        ],
        "general-swift-cscf-2025": [
          "1.1",
          "1.5"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.8.a"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-sau-otcc-1-2022": [
          "2-4-1-10",
          "2-4-1-13"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-41"
        ]
      }
    },
    {
      "control_id": "WEB-03",
      "title": "Web Application Firewall (WAF)",
      "family": "WEB",
      "description": "Mechanisms exist to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats.",
      "scf_question": "Does the organization deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Web Security (WEB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Web security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Web security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is formally established to govern WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats.",
        "4": "Web Security (WEB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Keep website CMS and plugins updated\n∙ Use HTTPS",
        "small": "∙ Web Application Firewall (WAF)",
        "medium": "∙ Web Application Firewall (WAF)",
        "large": "∙ Web Application Firewall (WAF)",
        "enterprise": "∙ Web Application Firewall (WAF)"
      },
      "risks": [
        "R-AM-1",
        "R-AM-3",
        "R-BC-1",
        "R-BC-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "4.4",
          "13.1"
        ],
        "general-cis-csc-8-1-ig1": [
          "4.4"
        ],
        "general-cis-csc-8-1-ig2": [
          "4.4"
        ],
        "general-cis-csc-8-1-ig3": [
          "4.4",
          "13.1"
        ],
        "general-nist-800-53-r4": [
          "SC-7(17)"
        ],
        "general-nist-800-53-r5-2": [
          "SC-07(17)"
        ],
        "general-nist-800-82-r3": [
          "SC-07(17)"
        ],
        "general-pci-dss-4-0-1": [
          "6.4",
          "6.4.1",
          "6.4.2"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.4.1",
          "6.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.4.1",
          "6.4.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.4.1",
          "6.4.2"
        ],
        "usa-federal-irs-1075-2021": [
          "SC-7(CE-17)"
        ],
        "emea-sau-ecc-1-2018": [
          "2-15-3-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-79"
        ],
        "amaericas-can-osfi-self-assessment": [
          "4.3",
          "4.4"
        ]
      }
    },
    {
      "control_id": "WEB-04",
      "title": "Client-Facing Web Services",
      "family": "WEB",
      "description": "Mechanisms exist to deploy reasonably-expected security, compliance and resilience controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service.",
      "scf_question": "Does the organization deploy reasonably-expected security, compliance and resilience controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Web Security (WEB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Web security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Web security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is formally established to govern WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to deploy reasonably-expected security, compliance and resilience controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service.",
        "4": "Web Security (WEB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Only expose necessary web service APIs/endpoints to clients",
        "small": "∙ Client-facing web service security policy\n∙ Minimize exposed endpoints",
        "medium": "∙ Formal client-facing web service security standards\n∙ API security controls",
        "large": "∙ Enterprise client-facing web security program\n∙ API gateway\n∙ WAF\n∙ Rate limiting",
        "enterprise": "∙ Enterprise web services security platform (e.g., Apigee, AWS API Gateway + WAF)\n∙ Full API security lifecycle"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Web Security",
      "crosswalks": {
        "general-nist-800-171-r2": [
          "3.1.22"
        ],
        "general-nist-800-171a": [
          "3.1.22[a]",
          "3.1.22[b]",
          "3.1.22[c]",
          "3.1.22[d]",
          "3.1.22[e]"
        ],
        "usa-federal-dow-cmmc-2-level-1": [
          "AC.L1-B.1.IV"
        ],
        "usa-federal-dow-cmmc-2-level-2": [
          "ACL2.-3.1.22"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)(iv)"
        ],
        "emea-sau-cscc-1-2019": [
          "2-12",
          "2-12-1-1",
          "2-12-1-2"
        ],
        "emea-zaf-popia-2013": [
          "19"
        ]
      }
    },
    {
      "control_id": "WEB-05",
      "title": "Cookie Management",
      "family": "WEB",
      "description": "Mechanisms exist to provide individuals with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management.",
      "scf_question": "Does the organization provide individuals with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Web Security (WEB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Web security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Web security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is formally established to govern WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to provide individuals with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management.",
        "4": "Web Security (WEB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class”, where the control builds on Level 4 capabilities but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Set secure cookie attributes on all cookies (HttpOnly, Secure, SameSite)",
        "small": "∙ Cookie security policy\n∙ Enforce secure cookie attributes",
        "medium": "∙ Formal cookie management standards\n∙ Secure cookie attributes\n∙ Cookie consent for PD",
        "large": "∙ Enterprise cookie management program\n∙ Automated cookie attribute enforcement\n∙ Consent management",
        "enterprise": "∙ Enterprise cookie management platform (e.g., OneTrust, Cookiebot)\n∙ Automated enforcement of secure cookie attributes\n∙ GDPR/CCPA compliance"
      },
      "risks": [
        "R-AM-3",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-GV-1",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {}
    },
    {
      "control_id": "WEB-06",
      "title": "Strong Customer Authentication (SCA)",
      "family": "WEB",
      "description": "Mechanisms exist to implement Strong Customer Authentication (SCA) for consumers to reasonably prove their identity.",
      "scf_question": "Does the organization implement Strong Customer Authentication (SCA) for consumers to reasonably prove their identity?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "Web Security (WEB) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Web security-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ Web security management may be a defined function (e.g., team or department) or assigned as an additional duty to existing IT and/or cybersecurity personnel.",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is formally established to govern WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to implement Strong Customer Authentication (SCA) for consumers to reasonably prove their identity.",
        "4": "Web Security (WEB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Web Security (WEB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use MFA for customer-facing authentication",
        "small": "∙ Strong customer authentication (SCA) policy\n∙ MFA for customer accounts",
        "medium": "∙ Formal SCA implementation for applicable customer services",
        "large": "∙ Enterprise SCA program for customer-facing services\n∙ PSD2 compliance where applicable",
        "enterprise": "∙ Enterprise customer authentication platform (e.g., Auth0, Okta Customer Identity)\n∙ SCA enforcement\n∙ PSD2/FIDO2 compliance"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-csa-cmm-4-1-0": [
          "IAM-01",
          "IAM-13",
          "IAM-14"
        ],
        "general-pci-dss-4-0-1": [
          "8.3.10"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "8.3.10"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.SAUTH"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7024(g)",
          "7027(e)"
        ],
        "usa-state-tx-cdpa-2025": [
          "541.055(a)(3)"
        ],
        "emea-us-psd2-2015": [
          "4"
        ],
        "emea-deu-c5-2020": [
          "PSS-05"
        ],
        "emea-sau-cscc-1-2019": [
          "2-12-1-1"
        ]
      }
    },
    {
      "control_id": "WEB-07",
      "title": "Web Security Standard",
      "family": "WEB",
      "description": "Mechanisms exist to ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process.",
      "scf_question": "Does the organization ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into its Secure Systems Development Lifecycle (SSDLC) process?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is formally assigned responsibility for WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Follow OWASP Top 10 guidance for web security",
        "small": "∙ OWASP Top 10 as web security standard baseline",
        "medium": "∙ Formal web security standard (e.g., OWASP ASVS)\n∙ Developer training on web security",
        "large": "∙ Enterprise web security standard program (OWASP ASVS)\n∙ WAF enforcement\n∙ Security code reviews",
        "enterprise": "∙ Enterprise web security program based on OWASP ASVS\n∙ Automated security testing\n∙ WAF enforcement\n∙ Developer training"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.0",
          "16.1",
          "16.7"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.1",
          "16.7"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.1",
          "16.7"
        ],
        "emea-sau-cscc-1-2019": [
          "2-12-1-2"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0971",
          "ISM-1239"
        ],
        "apac-nzl-ism-3-9": [
          "14.5.7.C.01",
          "14.5.8.C.01"
        ]
      }
    },
    {
      "control_id": "WEB-08",
      "title": "Web Application Framework",
      "family": "WEB",
      "description": "Mechanisms exist to ensure a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs.",
      "scf_question": "Does the organization ensure a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is formally assigned responsibility for WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use a security-tested web framework",
        "small": "∙ Approved secure web framework policy\n∙ Use maintained frameworks only",
        "medium": "∙ Formal web application framework security requirements\n∙ Approved framework list",
        "large": "∙ Enterprise web framework governance program\n∙ Security-approved frameworks\n∙ Framework lifecycle management",
        "enterprise": "∙ Enterprise web framework governance\n∙ Security-approved framework library\n∙ Automated framework vulnerability monitoring"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-cis-csc-8-1": [
          "16.0",
          "16.1"
        ],
        "general-cis-csc-8-1-ig2": [
          "16.1"
        ],
        "general-cis-csc-8-1-ig3": [
          "16.1"
        ],
        "emea-sau-cscc-1-2019": [
          "2-12-1-1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1239"
        ],
        "apac-nzl-ism-3-9": [
          "14.5.7.C.01",
          "14.5.8.C.01"
        ]
      }
    },
    {
      "control_id": "WEB-09",
      "title": "Validation & Sanitization",
      "family": "WEB",
      "description": "Mechanisms exist to ensure all input handled by a web application is validated and/or sanitized.",
      "scf_question": "Does the organization ensure all input handled by a web application is validated and/or sanitized?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is formally assigned responsibility for WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure all input handled by a web application is validated and/or sanitized.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Validate and sanitize all user inputs in web applications",
        "small": "∙ Input validation and output encoding policy for web applications",
        "medium": "∙ Formal input validation and sanitization standards\n∙ OWASP input validation guide",
        "large": "∙ Enterprise input validation program\n∙ SAST/DAST for input validation testing",
        "enterprise": "∙ Enterprise input validation and sanitization framework\n∙ Automated SAST/DAST scanning\n∙ WAF input filtering"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "apac-aus-ism-2024-june": [
          "ISM-1240"
        ]
      }
    },
    {
      "control_id": "WEB-10",
      "title": "Secure Web Traffic",
      "family": "WEB",
      "description": "Mechanisms exist to ensure all web application content is delivered using cryptographic mechanisms (e.g., TLS).",
      "scf_question": "Does the organization ensure all web application content is delivered using cryptographic mechanisms (e.g., TLS)?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is formally assigned responsibility for WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure all web application content is delivered using cryptographic mechanisms (e.g., TLS).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use HTTPS for all web traffic",
        "small": "∙ HTTPS-only policy for all web services\n∙ TLS 1.2+ enforcement",
        "medium": "∙ Formal secure web traffic standard\n∙ TLS 1.2+\n∙ HSTS enforcement\n∙ Certificate management",
        "large": "∙ Enterprise web traffic security program\n∙ TLS 1.3\n∙ HSTS\n∙ Certificate lifecycle management",
        "enterprise": "∙ Enterprise secure web traffic program\n∙ TLS 1.3 enforcement\n∙ HSTS\n∙ Automated certificate management (e.g., Let's Encrypt, Venafi)"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "A2.1",
          "A2.1.1",
          "A2.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "A2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "A2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "A2.1.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "A2.1.1",
          "A2.1.2"
        ],
        "emea-sau-cscc-1-2019": [
          "2-12-1-1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1552"
        ]
      }
    },
    {
      "control_id": "WEB-11",
      "title": "Output Encoding",
      "family": "WEB",
      "description": "Mechanisms exist to ensure output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks.",
      "scf_question": "Does the organization ensure output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, is formally assigned responsibility for WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Use output encoding to prevent XSS",
        "small": "∙ Output encoding policy for web applications\n∙ Prevent XSS",
        "medium": "∙ Formal output encoding standards\n∙ Prevent XSS via content security policy and encoding",
        "large": "∙ Enterprise output encoding program\n∙ CSP enforcement\n∙ SAST for XSS detection",
        "enterprise": "∙ Enterprise web security program with output encoding standards\n∙ Automated XSS detection (DAST/SAST)\n∙ CSP enforcement"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "apac-aus-ism-2024-june": [
          "ISM-1241"
        ]
      }
    },
    {
      "control_id": "WEB-12",
      "title": "Web Browser Security",
      "family": "WEB",
      "description": "Mechanisms exist to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.",
      "scf_question": "Does the organization ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Protect",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, […] WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Keep web browsers updated and configured securely",
        "small": "∙ Web browser security policy\n∙ Approved browsers\n∙ Security settings enforcement",
        "medium": "∙ Formal web browser security standard\n∙ Browser configuration baseline\n∙ Extension policy",
        "large": "∙ Enterprise browser management (e.g., Google Chrome enterprise policy)\n∙ Approved extension list\n∙ Automated updates",
        "enterprise": "∙ Enterprise browser security management (e.g., Chrome Enterprise, Microsoft Edge policies)\n∙ Remote browser isolation (RBI) option\n∙ Extension control"
      },
      "risks": [
        "R-AC-4",
        "R-AM-2",
        "R-AM-3",
        "R-BC-2",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "emea-sau-cscc-1-2019": [
          "2-12-1-1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1424"
        ]
      }
    },
    {
      "control_id": "WEB-13",
      "title": "Website Change Detection",
      "family": "WEB",
      "description": "Mechanisms exist to detect and respond to Indicators of Compromise (IoC) for unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive/regulated data.",
      "scf_question": "Does the organization detect and respond to Indicators of Compromise (IoC) for unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive/regulated data?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [],
      "pptdf": "Technology",
      "nist_csf_function": "Detect",
      "scrm_focus": {
        "strategic": false,
        "operational": false,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.\nWeb Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, […] WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to detect and respond to Indicators of Compromise (IoC) for unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive/regulated data.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Periodically verify website content has not been modified unexpectedly",
        "small": "∙ Website integrity monitoring policy\n∙ Periodic manual checks for defacement",
        "medium": "∙ Formal website change detection program\n∙ Automated monitoring for unauthorized changes",
        "large": "∙ Enterprise website change detection tool (e.g., Sitelock, RiskIQ)\n∙ Automated alerting for changes",
        "enterprise": "∙ Enterprise web integrity monitoring platform (e.g., Reflectiz, RiskIQ, c/side)\n∙ Real-time change detection and alerting"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-pci-dss-4-0-1": [
          "11.6",
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "11.6.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "11.6.1"
        ]
      }
    },
    {
      "control_id": "WEB-14",
      "title": "Publicly Accessible Content Reviews",
      "family": "WEB",
      "description": "Mechanisms exist to routinely review the content on publicly accessible systems for sensitive/regulated data and remove such information, if discovered.",
      "scf_question": "Does the organization routinely review the content on publicly accessible systems for sensitive/regulated data and remove such information, if discovered?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-DCH-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Identify",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Web Security (WEB) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with WEB domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Web management-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Web Security (WEB) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with WEB domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with WEB domain capabilities are well-documented and kept current by process owners.\n▪ A web management team, or similar function, […] WEB domain capabilities.\n▪ Technology is leveraged to enhance the efficiency and accuracy of web management operations (e.g., secure web gateway, Content Management System (CMS) solution, etc.).\n▪ The entity's Governance, Risk & Compliance (GRC) team, or similar function, works with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with WEB domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ An implemented and operational capability exists to routinely review the content on publicly accessible systems for sensitive/regulated data and remove such information, if discovered.",
        "4": "Web Security (WEB) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Review public website content for accuracy and appropriateness regularly",
        "small": "∙ Publicly accessible content review policy and schedule",
        "medium": "∙ Formal content review program for public-facing web content",
        "large": "∙ Enterprise content governance program\n∙ Regular content audits\n∙ Content accuracy review",
        "enterprise": "∙ Enterprise web content governance platform\n∙ Automated content monitoring\n∙ Regular content audits by stakeholders"
      },
      "risks": [
        "R-AC-4",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-4",
        "R-GV-6",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Web Security",
      "crosswalks": {
        "general-nist-800-171-r3": [
          "03.01.22.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2321"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2321"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2321"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2321"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.01.22.B"
        ]
      }
    }
  ]
}